China-based “Threat Group 3390” Gets Selective in Data Exfiltration
For years, a China-based attack group has targeted automobile, electronic, aircraft, pharmaceutical, and oil and gas manufacturers in search of valuable intellectual property. The group is now much pickier about what kind of data it is willing to steal, researchers from Dell SecureWorks Counter Threat Unit said Wednesday.
Previously, the group, known as Emissary Panda as well as Threat Group 3390, exfiltrated all the information it found on a compromised network. Recently, it has moved away from smash-and-grab tactics and adopted a strategy in which it compiles a list of all the files and components stored on the network and then picks and chooses which ones to grab, Andrew White, senior security researcher at Dell SecureWorks, told SecurityWeek.
“There may be 1000 projects on the server, [but] they’ll take only two,” White said.
The fact that some kind of selection process is going on indicates the group is not out purely for financial gain; otherwise it would make sense to grab as much as possible, White noted. In this case, TG-3390 can spend as long as two weeks compiling a shopping list of all the projects, file systems, and specific filenames, he said.
Emissary Panda gains access to organizations' networks through an elaborate watering hole operation involving the infected websites of over 100 different organizations. The watering hole attacks involved websites of large manufacturing companies supplying defense organizations, energy companies, embassies representing countries in Africa, Europe, Asia, and the Middle East, non-governmental organizations, and other government agencies, Dell SecureWorks said in its report.
The list includes the Russian Federation embassy in Washington, D.C. and Amper, a defense manufacturer in Spain. The attacks are global, with affected organizations in remote countries such as Iran, Iraq, Zambia, Italy, Afghanistan, Qatar, Ecuador, and other parts of Europe, South America, Middle East, and Africa.
Emissary Panda used a number of commodity exploits targeting old vulnerabilities in Flash, Java, and Windows, some four years old, in its attacks. All of these vulnerabilities have already been patched, White said. At the moment, CTU has not seen any evidence of zero-day vulnerabilities being used.
The way the group sets up watering hole attacks is typical of other attack groups. Emissary Panda compromises websites that employees at targeted organizations will visit and injects attack code that redirects site visitors to a different site.
In the case of the Russian embassy website, for example, unsuspecting visitors would not expect anything malicious and so would be vulnerable to phishing or to prompts to download exploit kits. The group stayed under the radar by switching which sites were used to serve up attack code or exploits, and it stopped using certain sites for a period of time before resuming use in order to avoid detection, White said.
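A site operator's counterpart to the injection described above is a content check that flags references pointing off-site. The following is an added example written for this page, not tooling from Dell SecureWorks or from the article: it parses a page with Python's standard-library HTML parser and reports `script`/`iframe` sources and `meta refresh` targets whose host is neither the site's own nor on an allowlist, marking zero-size or hidden iframes. The HTML and host names below are constructed for illustration.

```python
"""Flag off-site script, iframe and meta-refresh references in a web page.

Added example (hypothetical checker, not Dell SecureWorks' or the article's
tooling). The page and host names are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _RefCollector(HTMLParser):
    """Collect (kind, url, attrs) for tags that can pull in or redirect to another site."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            self.refs.append((tag, a["src"], a))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content looks like "0;url=http://host/path"
            parts = (a.get("content") or "").split("url=", 1)
            if len(parts) == 2:
                self.refs.append(("meta-refresh", parts[1].strip(), a))


def _looks_hidden(attrs):
    """Zero-sized or display:none iframes are the usual shape of an injected loader."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (attrs.get("width") == "0" or attrs.get("height") == "0"
            or "display:none" in style or "visibility:hidden" in style)


def find_offsite_references(html, site_host, allowed_hosts=()):
    """Return a list of findings for references whose host is not ours and not allowlisted."""
    collector = _RefCollector()
    collector.feed(html)
    findings = []
    for kind, url, attrs in collector.refs:
        host = urlparse(url).hostname  # also resolves protocol-relative "//host/x"
        if host is None:               # relative URL: stays on-site
            continue
        if host == site_host or host in allowed_hosts:
            continue
        findings.append({
            "kind": kind,
            "url": url,
            "host": host,
            "hidden": kind == "iframe" and _looks_hidden(attrs),
        })
    return findings


# Constructed sample page: one on-site script, one allowlisted CDN script,
# one off-site meta refresh, one hidden off-site iframe, one on-site iframe.
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="0;url=http://landing.invalid/go">
<script src="/js/app.js"></script>
<script src="https://cdn.allowed.test/lib.js"></script>
</head><body>
<iframe src="http://staging.invalid/frame" width="0" height="0"></iframe>
<iframe src="https://www.embassy.test/map" width="400"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_offsite_references(SAMPLE_PAGE, "www.embassy.test", {"cdn.allowed.test"}):
        print(f"{f['kind']:12} {f['host']:20} hidden={f['hidden']}  {f['url']}")
```

Run against a saved copy of each page on a schedule and diff the findings against the previous run; a new off-site host appearing without a corresponding content change is the signal worth escalating. The allowlist is what keeps legitimate third-party scripts from drowning the report.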
An employee is served exploits from the watering hole site, giving the attackers access to the target organization. At this point, TG-3390 takes the time to go after domain controller credentials, which let its members move laterally within the network and plant additional backdoors and traps. The group uses custom tools such as OWAuth, which acts as a webshell and keylogger on Microsoft Exchange servers, White said.
By leaving behind “caches” in the network, the group ensures that even if the organization manages to close the hole it used to gain initial access, other avenues remain available and its tools stay hidden in the network.
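A webshell planted on a mail server has to be reached over HTTP, so the web server's own access logs are a place to look for the "caches" described above. The following is an added example, not Dell SecureWorks' detection logic and not derived from OWAuth itself: it applies a generic webshell heuristic (a script path hit almost only by POST, from very few client addresses, with no Referer) to constructed, simplified W3C-style log lines. The `/owa/auth/sample.aspx` path, the addresses and the field layout are all constructed for illustration; real IIS logs need the field list from the `#Fields:` header instead of the fixed split used here.

```python
"""Score web-server log lines for webshell-like access patterns.

Added example with a generic heuristic (not Dell SecureWorks' detection
logic). Log lines, paths and addresses below are constructed.
"""
from collections import defaultdict

SCRIPT_EXTENSIONS = (".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp")

# Constructed, simplified fields: date time client_ip method path referer status
SAMPLE_LOG = """\
2015-08-05 09:00:01 10.1.1.20 GET /owa/auth/logon.aspx https://mail.corp.test/owa/ 200
2015-08-05 09:00:02 10.1.1.20 POST /owa/auth/logon.aspx https://mail.corp.test/owa/auth/logon.aspx 302
2015-08-05 09:00:03 10.1.1.21 GET /owa/auth/logon.aspx https://mail.corp.test/owa/ 200
2015-08-05 09:00:04 10.1.1.22 GET /owa/auth/logon.aspx - 200
2015-08-05 09:00:05 10.1.1.22 GET /owa/auth/15.0/themes/base/logo.png https://mail.corp.test/owa/ 200
2015-08-05 09:05:00 203.0.113.7 POST /owa/auth/sample.aspx - 200
2015-08-05 09:05:09 203.0.113.7 POST /owa/auth/sample.aspx - 200
2015-08-05 09:05:20 203.0.113.7 POST /owa/auth/sample.aspx - 200
2015-08-05 09:05:31 203.0.113.7 POST /owa/auth/sample.aspx - 200
"""


def parse_line(line):
    """Split one constructed log line into a dict; None for blank or comment lines."""
    if not line.strip() or line.startswith("#"):
        return None
    date, time, client, method, path, referer, status = line.split()
    return {"ts": f"{date} {time}", "client": client, "method": method,
            "path": path.lower(), "referer": referer, "status": status}


def path_stats(lines):
    """Aggregate per-script-path counters: requests, POSTs, missing Referer, distinct clients."""
    stats = defaultdict(lambda: {"count": 0, "posts": 0, "no_referer": 0, "clients": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith(SCRIPT_EXTENSIONS):
            continue
        s = stats[rec["path"]]
        s["count"] += 1
        s["posts"] += rec["method"] == "POST"
        s["no_referer"] += rec["referer"] == "-"
        s["clients"].add(rec["client"])
    return stats


def suspicious_paths(lines, min_requests=3, max_clients=2,
                     post_ratio=0.8, no_referer_ratio=0.8):
    """Script paths used like a webshell: few clients, nearly all POST, nearly no Referer."""
    flagged = []
    for path, s in path_stats(lines).items():
        if s["count"] < min_requests or len(s["clients"]) > max_clients:
            continue
        if (s["posts"] / s["count"] >= post_ratio
                and s["no_referer"] / s["count"] >= no_referer_ratio):
            flagged.append(path)
    return sorted(flagged)


if __name__ == "__main__":
    for path in suspicious_paths(SAMPLE_LOG.splitlines()):
        s = path_stats(SAMPLE_LOG.splitlines())[path]
        print(f"{path}: {s['count']} requests, {len(s['clients'])} client(s), "
              f"{s['posts']} POST, {s['no_referer']} without Referer")
```

Thresholds are deliberately loose; the point is triage, not a verdict. Pair a hit with a file-integrity check of the script on disk (creation time, hash against the installed product's file list) before treating it as a backdoor, and keep the log source itself off the mail server so a foothold cannot edit its own trail.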
The group is clearly preparing for eviction before the victim is even aware of its presence, White said.
The advanced part of this threat lies in the group’s organization, White said. This group may not be using the most sophisticated techniques or technologies in its attacks, but the fact that every step it takes is well-calculated and well-planned shows the group’s high maturity, he said.
The CTU believes it is seeing “just a sliver of” the group’s activities.
SecureWorks’ CTU has been tracking this group for more than two years, but it is possible it has been operating longer, White said.