Security researchers have discovered another advanced China-based targeted attack campaign which shifted its focus from APAC targets in 2013 to steal up to terabytes of data from hi-tech US government contractors.
“Emissary Panda” or “Threat Group-3390 (TG-3390)” launched its Iron Tiger campaign in 2010, spying on political targets and government agencies in China, Hong Kong, the Philippines and Tibet, according to Trend Micro.
The security vendor explained in a new report:
“The actors have stolen emails, full Active Directory dumps, intellectual property, strategic planning documents, and budget- or finance-related content—all of which can be used to sabotage target governments’ or private organizations’ plans.”
The huge geographical shift to US government contractors in aerospace, energy, intelligence, nuclear engineering, and telecoms indicates that Iron Tiger “is part of a bigger campaign where specific targets are assigned to various teams,” the report claimed.
The actors involved are said to be China based for several reasons.
The VPN servers they used were mainly located in China; file names and passwords, as well as some text resources and language IDs used in malware, were in simplified Chinese; several domains were found to be located in China; and other resources used including QQ, Lofter, and 163.com are used mainly in the Middle Kingdom.
Although the hackers are said to be “skilled computer security experts” they’ve not needed to pull out the full repertoire of advanced techniques as target networks were poorly protected, Trend Micro claimed.
That said, they frequently used customized hacking tools like dnstunserver – which is apparently not available to buy on any darknet forum – and well-known RAT malware such as PlugX and Gh0st.
They also utilize consumer-facing platforms, including setting up C&C servers on Blogspot, and connecting a Gh0st variant to Chinese blogging platform Lofter.
A stolen code-signing cert from Korean security firm SoftCamp was used to move laterally inside target networks and circumvent security tools.
“To get deeper into networks, they intercept Microsoft Exchange credentials using Robocopy and the ‘Export-Mailbox’ PowerShell command—both unique means. They also use a Trojan that was specifically designed to only work on the Google Cloud Platform,” the report revealed.
Spear phishing lures are typically aimed at targets ranging from execs to government officials, engineers to PR officers – with the subject matter of the email designed to pique the interest of a targeted individual.
Trend Micro also claimed the Iron Tiger attackers went to great lengths to avoid being hacked themselves, even patching a compromised C&C server by logging in as an admin and issuing a fix.
Given that the data stolen translates into “years of invaluable government and corporate research and development (R&D) dollars,” organizations must do more to install multi-layered custom protection to better spot spear phishing and signs of intrusion, the report concluded.