Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

U.S. Defense Contractors Targeted by Chinese Threat Group

Emails, intellectual property, strategic planning documents, and other sensitive information has been stolen by a China-based threat group from the systems of defense contractors in the United States, according to a new report from Trend Micro.

Emails, intellectual property, strategic planning documents, and other sensitive information has been stolen by a China-based threat group from the systems of defense contractors in the United States, according to a new report from Trend Micro.

The campaign, dubbed “Operation Iron Tiger,” has been attributed to the notorious Chinese actor known as Emissary Panda and Threat Group 3390. The cyber espionage group has been active since at least 2010 and it has targeted hundreds of organizations from across the world. Up until recently, the attackers had stolen every piece of data found on a compromised network, but now they’ve changed tactics and got selective in data exfiltration, Dell SecureWorks reported in August.

Initially, Emissary Panda focused its efforts on political and government-related targets located in Asia, particularly China, Hong Kong, and the Philippines. However, the group expanded its list of targets in 2013, when it started breaching the systems of high-tech organizations in the U.S.

Global Threat Report

According to Trend Micro, Iron Tiger has mainly targeted directors and managers at US companies in sectors such as electric, intelligence, telecommunications, nuclear engineering, energy, and aerospace. Researchers believe the attackers are particularly interested in monitoring tech-related contractors.

Using a combination of spear-phishing, known malware, custom hacking tools, and legitimate services, the attackers managed to steal terabytes of data from organizations in the United States without being detected. Trend Micro determined that the group stole as much as 58Gb of files from a single organization.

“Targets face serious repercussions, given the sensitive nature of the data they keep. The data the actors stole, after all, translates to years of invaluable government and corporate research and development (R&D) dollars,” Trend Micro wrote in a report on Iron Tiger.

The security firm linked the threat actor behind Iron Tiger to China based on several pieces of evidence. For example, file names and passwords used by attackers were Chinese, the domains they leveraged were registered with physical addresses in China, and they relied on virtual private network (VPN) services that only accepted users based in China.

Furthermore, Trend Micro has managed to trace some of the online monikers used by the attackers to a Chinese individual apparently named Guo Fei.

Researchers believe the people behind Emissary Panda are highly skilled when it comes to launching cyberattacks. However, in most cases they didn’t need to use sophisticated methods to achieve their goals because the targeted networks were weakly protected.

Zscaler has also analyzed some of Emissary Panda’s activities. The security firm reported in August that the group had used a Flash Player exploit from the Hacking Team leak to target a multi-national financial services company.

In January 2014, CrowdStrike reported that Emissary Panda carried out a watering hole attacks against foreign embassies, including a watering-hole-attack that affected the website for the Russian Federation’s embassy in the United States.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.


Cybersecurity firm Group-IB is raising the alarm on a newly identified advanced persistent threat (APT) actor targeting government and military organizations in Asia and...