Over 200 Organizations Targeted in Chinese Cyberespionage Campaign

Chinese cyberespionage group Mustang Panda has been targeting entities related to maritime, shipping, border, and immigration as part of a recent campaign, cybersecurity firm Trend Micro reports.

Also known as Earth Preta, RedDelta, and TA416, Mustang Panda is believed to be operating on behalf of the Chinese government, and was previously seen targeting European diplomatic entities and various telecommunications companies.

Trend Micro’s analysis of several attacks observed in 2022 has revealed that the advanced persistent threat (APT) actor coordinates several subgroups in a collaborative effort to gather sensitive information from the targeted entities, and a shift in targeting towards the end of last year.

“Earth Preta has a centralized development unit that produces the implants and tools, and disseminates them to other operational groups responsible for penetration and implantation. This is evident in the Earth Preta group as it appears that multiple sub-operational groups use the same toolset with different techniques,” Trend Micro notes.

Each of the operational groups, the cybersecurity firm discovered, uses its own intrusion and privilege escalation methods, but coordination and planning appear to be lacking at the management level, as the groups might sometimes target the same entity, pursuing similar objectives.

Overall, Trend Micro identified more than 200 Mustang Panda victims, spanning across transportation, government, manufacturing, fabrication, construction, education, finance, food production, border and immigration control, and energy sectors, as well as humanitarian groups.

More than half of victims were spotted in Asia, followed by Africa, Europe and the Middle East. 

The observed targeting overlaps led to the identification of multiple sub-groups, including Groups 724, 1358, and 5171, each typically operating in different sectors and geographies.

Group 724 uses customized USB storage devices for initial access and relies on sideloading with Adobe CEF Helper for persistence.

Group 1358, which relies on Avast’s WSC DLL for sideloading and WMI for code execution, uses the PlugX remote access tool (RAT) for data exfiltration, typically via USB drives.

Group 5171 also uses DLL sideloading with Adobe CEF Helper and employs USB-based data exfiltration. What separates it from the other groups is the infection of laptops with malicious code when traveling as part of a routine work travel, which then leads to more elaborate exploitation and lateral movement.  

“Earth Preta’s cyberespionage operations have a broad reach and have the capacity to target high value targets. The shift in collection priorities toward intelligence regarding specific areas also indicates that Earth Preta is targeting critical infrastructure and key institutions that can affect national and international relations, economies, and securities,” Trend Micro concludes.

Related: EU Organizations Warned of Chinese APT Attacks

Related: Google Suspends Chinese Shopping App Amid Security Concerns

Related: Exploitation of Recent Fortinet Zero-Day Linked to Chinese Cyberspies