Emissary Panda Hackers Get Selective in Data Heists

China-based “Threat Group 3390” Gets Selective in Data Exfiltration

For years, a China-based attack group has targeted automobile, electronic, aircraft, pharmaceutical, and oil and gas manufacturers in search of valuable intellectual property. The group is now much pickier about what kind of data it is willing to steal, researchers from Dell SecureWorks Counter Threat Unit said Wednesday.

Previously, the group, known as Emissary Panda as well as Threat Group 3390, exfiltrated all the information it found on a compromised network. Recently, it has moved away from smash-and-grab tactics and adopted a strategy in which it compiles a list of all the files and components stored on the network and then picks and chooses which ones to grab, Andrew White, senior security researcher at Dell SecureWorks, told SecurityWeek.

“There may be 1000 projects on the server, [but] they’ll take only two,” White said.

The fact that some kind of selection process is going on indicates the group is not just out for financial gain. Otherwise, it would make sense to just grab as many as possible, White noted. In this case, TG-3390 can spend as long as two weeks compiling a shopping list of all the projects, file systems, and specific filenames, he said.

Emissary Panda gains access to organization networks through an elaborate watering hole operation involving infected websites of over 100 different organizations. The watering hole attacks involved websites from large manufacturing companies supplying defense organizations, energy companies, embassies representing countries in Africa, Europe, Asia, and the Middle East, non-governmental organizations, and other government agencies, Dell SecureWorks said in its report.

The list includes the Russian Federation embassy in Washington, D.C. and Amper, a defense manufacturer in Spain. The attacks are global, with affected organizations in remote countries such as Iran, Iraq, Zambia, Italy, Afghanistan, Qatar, Ecuador, and other parts of Europe, South America, Middle East, and Africa.

Emissary Panda used a number of commodity exploits targeting old vulnerabilities in Flash, Java, and Windows, some four years old, in its attacks. All of these vulnerabilities have already been patched, White said. At the moment, CTU has not seen any evidence of zero-day vulnerabilities being used.

The way the group set up watering hole attacks is pretty typical of other attack groups. Emissary Panda compromises websites the employees at targeted organizations will visit and injects attack code, which would redirect site visitors to a different site.

In the case of the Russian embassy, for example, unsuspecting visitors would not be expecting anything malicious so would be vulnerable to phishing or to prompts to download exploit kits. The group stayed under the radar by switching which sites were being used to serve up attack code or exploits. The attackers stopped using certain sites for a period of time before resuming use in order to avoid detection, Andrew White said.

The employee is served exploits from the watering hole site, giving attackers access to the target organization. At this point, TG-3390 takes the time to go after the domain controller credentials, which lets the members move laterally within the network and put in other backdoors and traps. The group uses custom tools such as an OWAuth tool, which acts as a web shell and keylogger for Microsoft Exchange servers, White said.

By leaving behind “caches” in the network, the group knows that even if the organization manages to shut the hole they used to initially gain access to the network, there are other methods still available, and their tools remain hidden in the network.

The group is clearly preparing for eviction before the victim is even aware of its presence, White said.

The advanced part of this threat lies in the group’s organization, White said. This group may not be using the most sophisticated techniques or technologies in its attacks, but the fact that every step it takes is well-calculated and well-planned shows the group’s high maturity, he said.

The CTU believes it is seeing “just a sliver of” the group’s activities.

SecureWorks’ CTU has been tracking this group for more than two years, but it is possible they may have been operating longer, White said.
