Emails, intellectual property, strategic planning documents, and other sensitive information has been stolen by a China-based threat group from the systems of defense contractors in the United States, according to a new report from Trend Micro.
The campaign, dubbed “Operation Iron Tiger,” has been attributed to the notorious Chinese actor known as Emissary Panda and Threat Group 3390. The cyber espionage group has been active since at least 2010 and it has targeted hundreds of organizations from across the world. Up until recently, the attackers had stolen every piece of data found on a compromised network, but now they’ve changed tactics and got selective in data exfiltration, Dell SecureWorks reported in August.
Initially, Emissary Panda focused its efforts on political and government-related targets located in Asia, particularly China, Hong Kong, and the Philippines. However, the group expanded its list of targets in 2013, when it started breaching the systems of high-tech organizations in the U.S.
According to Trend Micro, Iron Tiger has mainly targeted directors and managers at US companies in sectors such as electric, intelligence, telecommunications, nuclear engineering, energy, and aerospace. Researchers believe the attackers are particularly interested in monitoring tech-related contractors.
Using a combination of spear-phishing, known malware, custom hacking tools, and legitimate services, the attackers managed to steal terabytes of data from organizations in the United States without being detected. Trend Micro determined that the group stole as much as 58Gb of files from a single organization.
“Targets face serious repercussions, given the sensitive nature of the data they keep. The data the actors stole, after all, translates to years of invaluable government and corporate research and development (R&D) dollars,” Trend Micro wrote in a report on Iron Tiger.
The security firm linked the threat actor behind Iron Tiger to China based on several pieces of evidence. For example, file names and passwords used by attackers were Chinese, the domains they leveraged were registered with physical addresses in China, and they relied on virtual private network (VPN) services that only accepted users based in China.
Furthermore, Trend Micro has managed to trace some of the online monikers used by the attackers to a Chinese individual apparently named Guo Fei.
Researchers believe the people behind Emissary Panda are highly skilled when it comes to launching cyberattacks. However, in most cases they didn’t need to use sophisticated methods to achieve their goals because the targeted networks were weakly protected.
Zscaler has also analyzed some of Emissary Panda’s activities. The security firm reported in August that the group had used a Flash Player exploit from the Hacking Team leak to target a multi-national financial services company.
In January 2014, CrowdStrike reported that Emissary Panda carried out a watering hole attacks against foreign embassies, including a watering-hole-attack that affected the website for the Russian Federation’s embassy in the United States.