Spy Campaign Targeting US Defense Sector Possibly Linked to China: Report

Computer code is seen on a screen above a Chinese flag on July 12, 2017. (Thomas White/Illustration/Reuters)

A cyberespionage campaign that breached nine global agencies, including one in the United States, could have been perpetrated by a group with ties to the Chinese regime.

The campaign resulted in the theft of sensitive documents from an unnamed government agency between September and October, according to a report by Unit 42, a threat intelligence team specializing in cyber risk and incident response at Palo Alto Networks, in partnership with the National Security Agency Cybersecurity Collaboration Center.

“As early as Sept. 17 the actor leveraged leased infrastructure in the United States to scan hundreds of vulnerable organizations across the internet,” the report said. “Subsequently, exploitation attempts began on Sept. 22 and likely continued into early October.”

“During that window, the actor successfully compromised at least nine global entities across the technology, defense, healthcare, energy, and education industries.”

The report said that the identity of the actor(s) behind the campaign could not be verified, but that their tactics and tools most closely resembled those of a cyber espionage group with ties to the Chinese regime, called Emissary Panda.

Emissary Panda is known by many names, including APT27, Bronze Union, Iron Tiger, LuckyMouse, and TG-3390. It is one of numerous groups to have splintered out of the state-sponsored Winnti Group, and is responsible for cyberattacks in the Americas, Asia, Europe, and the Middle East, according to a report by the Canadian broadcaster CBC. The group specializes in using cyber espionage to collect data from government targets, and frequently targets the energy, defense, and aviation sectors.

The hacking group has been implicated in numerous cyber attacks since at least 2009, and exploited Microsoft Exchange vulnerabilities again as recently as early November, when it leveraged ransomware against targets primarily located in the United States.

The report said that the campaign scanned more than 370 U.S.-based servers, including ones at the Department of Defense, while looking for vulnerabilities. It then exploited newly discovered vulnerabilities in a password management and single sign-on solution, ManageEngine ADSelfService Plus.

Once exploited, malicious actors were able to move laterally into related systems, install a credential-stealing tool, and gather and exfiltrate sensitive files.

“Unit 42 believes that the actor’s primary goal involved gaining persistent access to the network and the gathering and exfiltration of sensitive documents from the compromised organization,” the report said.

News of the attack closely follows a warning by the National Counterintelligence and Security Center that China’s communist regime is engaged in a comprehensive campaign to acquire critical and emerging technologies from the United States through legal, quasi-legal, and illegal means. U.S. technologies are critical to the development of many of China’s own weapons programs, and state-sponsored groups in China and those linked to the Chinese military have been accused of stealing data globally.

Similarly, the former chief software officer of the U.S. Air Force and Space Force recently explained that Chinese agents posed a significant “insider threat” to U.S. tech companies.

Such threats to the nation do not necessarily require feet on the ground, as was recently demonstrated by a report that an ongoing pro-China influence operation previously attempted to physically mobilize protesters in the United States by leveraging fake social media accounts across 70 websites, including Facebook, Twitter, and YouTube.

The agencies breached in the September and October campaign have not yet been publicly identified.

From The Epoch Times
