A Chinese hacking group known as Emissary Panda has set up 100 global ‘traps' to siphon data from the websites of high-profile targets, including the Russian embassy in Washington and defence manufacturers in the US and the UK.
The hacking group, also identified as Threat Group 3390, is under the spotlight in a report released by Dell Secureworks that delves into the group's activities and infrastructure.
Emissary Panda uses strategic web compromises to infect very specific targets, including embassies spanning Africa, Europe and Asia and non-governmental organisations focused on international relations and defence.
Government targets, large manufacturing companies and energy firms have also been infected with a number of tools designed to steal information.
There are a number of reasons why China has been identified as the origin of the cyber group. The hackers use the Baidu search engine when doing target reconnaissance, the types of targets reflect Chinese interests and the group's activities all coincide with standard working times in China, Dell said.
Tools of the trade
The hacking group uses a mixture of original and shared cyber espionage tools. One is a strain of malware that can bypass network detection while installing a keylogger and backdoor on Microsoft Exchange servers that provides complete control of a system.
The group relies on older vulnerabilities, including those in Java (CVE-2011-3544) and JBoss (CVE-2010-0738), but the research team at Dell has no evidence to suggest that the hackers are exploiting zero-day flaws.
The report lists a number of unique tools used by the hackers, including ASPXTool and OwaAuth.
OwaAuth is a web shell and credential stealer deployed to Exchange Servers, and ASPXTool is a modified version of the ASPXSpy web shell used on accessible servers running Internet Information Services.
Furthermore, the group uses tools known to be deployed by a number of cyber groups, including HttpBrowser and PlugX.
After the initial system compromise Emissary Panda delivers the HttpBrowser backdoor that allows the hackers to upload or download files and capture keystroke information.
Dell said that Emissary Panda uses spearphishing emails to target very specific victims, and follows "an established playbook" for conducting an intrusion.
"They quickly move away from their initial access vector to hide their entry point and then target Exchange servers as a new access vector," explained the report.
The security researchers admitted that they do not yet know how the group keeps track of the compromised information, but said that they appear to be extremely disciplined and well organised.
"The adversary's end goal is to exfiltrate, not infiltrate. Organisations often miss multiple opportunities to detect and disrupt the threat actors before they can achieve their objective," the report said.
Aaron Hackworth, senior development engineer at Dell SecureWorks, told V3 that this is a "surgical group" that carries out extremely targeted attacks.
"[The group] uses reconnaissance to see who they have, then connect to networks to gain a foothold," he said.
"They are very methodical about it. What stands out is how persistent these guys are and how quickly they respond as they get shut down."
Stopping the breach
In order to stop a data breach an organisation will have to remove all access points including remote access tools. Even so, if the hackers are evicted from the environment they will attempt to return.
"Researchers discovered the threat actors searching for '[company] login' which directed them to the landing page for remote access," the report stated.
"[Emissary Panda] attempts to re-enter the environment by identifying accounts that do not require two-factor authentication for remote access solutions, and then brute forcing usernames and passwords."
Relations between the US and China are becoming increasingly strained after recent cyber attacks against the US Office of Personnel Management and United Airlines.
US intelligence agencies are currently holding classified meetings to discuss retaliation options, while China has consistently denied involvement.
Microsoft seizes control of phishing sites linked with Russian state hackers
Everything we think we know about the imminent Apple iPhone 9, iPhone 11 and iPhone 11 Plus launches
All the latest rumours about Apple iPhone Displays, CPUs, launch dates and even prices
Nvidia brings Turing microarchitecture into the high-end gaming segment