Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

U.S. Defense Contractors Targeted by Chinese Threat Group

Emails, intellectual property, strategic planning documents, and other sensitive information has been stolen by a China-based threat group from the systems of defense contractors in the United States, according to a new report from Trend Micro.

Emails, intellectual property, strategic planning documents, and other sensitive information has been stolen by a China-based threat group from the systems of defense contractors in the United States, according to a new report from Trend Micro.

The campaign, dubbed “Operation Iron Tiger,” has been attributed to the notorious Chinese actor known as Emissary Panda and Threat Group 3390. The cyber espionage group has been active since at least 2010 and it has targeted hundreds of organizations from across the world. Up until recently, the attackers had stolen every piece of data found on a compromised network, but now they’ve changed tactics and got selective in data exfiltration, Dell SecureWorks reported in August.

Initially, Emissary Panda focused its efforts on political and government-related targets located in Asia, particularly China, Hong Kong, and the Philippines. However, the group expanded its list of targets in 2013, when it started breaching the systems of high-tech organizations in the U.S.

Global Threat Report

According to Trend Micro, Iron Tiger has mainly targeted directors and managers at US companies in sectors such as electric, intelligence, telecommunications, nuclear engineering, energy, and aerospace. Researchers believe the attackers are particularly interested in monitoring tech-related contractors.

Using a combination of spear-phishing, known malware, custom hacking tools, and legitimate services, the attackers managed to steal terabytes of data from organizations in the United States without being detected. Trend Micro determined that the group stole as much as 58Gb of files from a single organization.

“Targets face serious repercussions, given the sensitive nature of the data they keep. The data the actors stole, after all, translates to years of invaluable government and corporate research and development (R&D) dollars,” Trend Micro wrote in a report on Iron Tiger.

The security firm linked the threat actor behind Iron Tiger to China based on several pieces of evidence. For example, file names and passwords used by attackers were Chinese, the domains they leveraged were registered with physical addresses in China, and they relied on virtual private network (VPN) services that only accepted users based in China.

Furthermore, Trend Micro has managed to trace some of the online monikers used by the attackers to a Chinese individual apparently named Guo Fei.

Advertisement. Scroll to continue reading.

Researchers believe the people behind Emissary Panda are highly skilled when it comes to launching cyberattacks. However, in most cases they didn’t need to use sophisticated methods to achieve their goals because the targeted networks were weakly protected.

Zscaler has also analyzed some of Emissary Panda’s activities. The security firm reported in August that the group had used a Flash Player exploit from the Hacking Team leak to target a multi-national financial services company.

In January 2014, CrowdStrike reported that Emissary Panda carried out a watering hole attacks against foreign embassies, including a watering-hole-attack that affected the website for the Russian Federation’s embassy in the United States.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cyberwarfare

An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.