Connect with us

Hi, what are you looking for?


Malware & Threats

U.S. Defense Contractors Targeted by Chinese Threat Group

Emails, intellectual property, strategic planning documents, and other sensitive information has been stolen by a China-based threat group from the systems of defense contractors in the United States, according to a new report from Trend Micro.

Emails, intellectual property, strategic planning documents, and other sensitive information has been stolen by a China-based threat group from the systems of defense contractors in the United States, according to a new report from Trend Micro.

The campaign, dubbed “Operation Iron Tiger,” has been attributed to the notorious Chinese actor known as Emissary Panda and Threat Group 3390. The cyber espionage group has been active since at least 2010 and it has targeted hundreds of organizations from across the world. Up until recently, the attackers had stolen every piece of data found on a compromised network, but now they’ve changed tactics and got selective in data exfiltration, Dell SecureWorks reported in August.

Initially, Emissary Panda focused its efforts on political and government-related targets located in Asia, particularly China, Hong Kong, and the Philippines. However, the group expanded its list of targets in 2013, when it started breaching the systems of high-tech organizations in the U.S.

Global Threat Report

According to Trend Micro, Iron Tiger has mainly targeted directors and managers at US companies in sectors such as electric, intelligence, telecommunications, nuclear engineering, energy, and aerospace. Researchers believe the attackers are particularly interested in monitoring tech-related contractors.

Using a combination of spear-phishing, known malware, custom hacking tools, and legitimate services, the attackers managed to steal terabytes of data from organizations in the United States without being detected. Trend Micro determined that the group stole as much as 58Gb of files from a single organization.

“Targets face serious repercussions, given the sensitive nature of the data they keep. The data the actors stole, after all, translates to years of invaluable government and corporate research and development (R&D) dollars,” Trend Micro wrote in a report on Iron Tiger.

The security firm linked the threat actor behind Iron Tiger to China based on several pieces of evidence. For example, file names and passwords used by attackers were Chinese, the domains they leveraged were registered with physical addresses in China, and they relied on virtual private network (VPN) services that only accepted users based in China.

Furthermore, Trend Micro has managed to trace some of the online monikers used by the attackers to a Chinese individual apparently named Guo Fei.

Advertisement. Scroll to continue reading.

Researchers believe the people behind Emissary Panda are highly skilled when it comes to launching cyberattacks. However, in most cases they didn’t need to use sophisticated methods to achieve their goals because the targeted networks were weakly protected.

Zscaler has also analyzed some of Emissary Panda’s activities. The security firm reported in August that the group had used a Flash Player exploit from the Hacking Team leak to target a multi-national financial services company.

In January 2014, CrowdStrike reported that Emissary Panda carried out a watering hole attacks against foreign embassies, including a watering-hole-attack that affected the website for the Russian Federation’s embassy in the United States.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.