Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Over 200 Organizations Targeted in Chinese Cyberespionage Campaign

Chinese cyberespionage group Mustang Panda was seen targeting maritime, shipping, border control, and immigration organizations in recent attacks.

Chinese cyberespionage group Mustang Panda has been targeting entities related to maritime, shipping, border, and immigration as part of a recent campaign, cybersecurity firm Trend Micro reports.

Also known as Earth Preta, RedDelta, and TA416, Mustang Panda is believed to be operating on behalf of the Chinese government, and was previously seen targeting European diplomatic entities and various telecommunications companies.

Trend Micro’s analysis of several attacks observed in 2022 has revealed that the advanced persistent threat (APT) actor coordinates several subgroups in a collaborative effort to gather sensitive information from the targeted entities, and a shift in targeting towards the end of last year.

“Earth Preta has a centralized development unit that produces the implants and tools, and disseminates them to other operational groups responsible for penetration and implantation. This is evident in the Earth Preta group as it appears that multiple sub-operational groups use the same toolset with different techniques,” Trend Micro notes.

Each of the operational groups, the cybersecurity firm discovered, uses its own intrusion and privilege escalation methods, but coordination and planning appear to be lacking at the management level, as the groups might sometimes target the same entity, pursuing similar objectives.

Overall, Trend Micro identified more than 200 Mustang Panda victims, spanning across transportation, government, manufacturing, fabrication, construction, education, finance, food production, border and immigration control, and energy sectors, as well as humanitarian groups.

More than half of victims were spotted in Asia, followed by Africa, Europe and the Middle East. 

The observed targeting overlaps led to the identification of multiple sub-groups, including Groups 724, 1358, and 5171, each typically operating in different sectors and geographies.

Advertisement. Scroll to continue reading.

Group 724 uses customized USB storage devices for initial access and relies on sideloading with Adobe CEF Helper for persistence.

Group 1358, which relies on Avast’s WSC DLL for sideloading and WMI for code execution, uses the PlugX remote access tool (RAT) for data exfiltration, typically via USB drives.

Group 5171 also uses DLL sideloading with Adobe CEF Helper and employs USB-based data exfiltration. What separates it from the other groups is the infection of laptops with malicious code when traveling as part of a routine work travel, which then leads to more elaborate exploitation and lateral movement.  

“Earth Preta’s cyberespionage operations have a broad reach and have the capacity to target high value targets. The shift in collection priorities toward intelligence regarding specific areas also indicates that Earth Preta is targeting critical infrastructure and key institutions that can affect national and international relations, economies, and securities,” Trend Micro concludes.

Related: EU Organizations Warned of Chinese APT Attacks

Related: Google Suspends Chinese Shopping App Amid Security Concerns

Related: Exploitation of Recent Fortinet Zero-Day Linked to Chinese Cyberspies

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Cyberwarfare

Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cybercrime

On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.

Cyberwarfare

The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...