Poisoned Water: How an Industrial Cyber Espionage Group Uses
Legitimate Websites to Ensnare Victims Worldwide
Today’s headlines are littered with examples of retail breaches and stolen consumer data, but
some of the most sophisticated hackers in the world are not after your credit or debit card – they
are after intellectual property.
One of these hacker crews is Threat Group 3390 (TG-3390), also known as Emissary Panda.
For more than two years, the attack group has been under the watchful eye of Dell
SecureWorks’ Counter Threat Unit (CTU). Until recently, very little information about this group was
made public. But by digging into the attackers’ activity, Dell SecureWorks has discovered that the
Chinese hacking group has used strategic web compromises (SWC), also known as watering
holes, as a means to infect targets and penetrate 50 organizations throughout the U.S. and U.K.
in a variety of verticals, including the automotive, aerospace, defense, electronics,
pharmaceutical, and oil and gas industries. These web compromises involved infecting websites
that the intended targets were likely to visit, in the hope of ultimately snaring their prey. In
addition to the industries above, the attackers also compromised sites belonging to educational
institutions, law firms and political organizations.
As is often the case with advanced threat actors, exact attribution is difficult. Researchers at
Dell SecureWorks, however, have uncovered multiple pieces of evidence indicating the group is
Chinese in origin, ranging from the use of particular malware tools, to the time of day when the
hackers were active, to the nature of some of the group’s targets. For example, TG-3390
uses the PlugX remote access tool, a notorious piece of malware linked to a number of
attacks, including a campaign tied to another threat group the CTU has been tracking,
which the CTU and other researchers believe is likely based out of China. In addition, the
menus of PlugX’s server-side component are written exclusively in Standard Chinese
(Mandarin), which suggests the attackers are familiar with the language.
One of the websites the group compromised is focused on the Uyghur culture. This indicates
that the threat actors have an interest in targeting the Uyghur ethnic group, a Muslim minority
group found mostly in the Xinjiang region of China that has at times been in conflict with the
Chinese government over its independence. Targeting them is not likely to be a priority for
threat groups outside of China.
Turning websites their victims are likely to visit into traps is part of the group’s modus operandi.
The attackers compromised at least 100 of these sites in order to ensnare their victims,
including the sites of the Russian Federation embassy in Washington, D.C. and Amper, a
defense manufacturing firm based in Spain.
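A strategic web compromise turns a trusted page into a delivery point by injecting a script or hidden iframe that loads from attacker infrastructure. One routine check a site owner can run is to compare every externally loaded script and iframe on a served page against the set of hosts the site is known to load from. The following is an added example written for this article, not code from the original page, from Dell SecureWorks or from any report on TG-3390; the page URL, the allowlisted hosts and the sample HTML (including the injected tags) are all constructed for illustration.

```python
"""Flag script/iframe sources that a page is not expected to load from.

Added example. The allowlist, the page URL and the HTML below are constructed;
nothing here is taken from a real compromised site.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical hosts the monitored site legitimately loads code from (assumption).
ALLOWED_HOSTS = {"www.example-embassy.org", "cdn.example-embassy.org"}

# Constructed page: two legitimate loads plus an injected script and a 1x1 iframe
# pointing at a hypothetical attacker-controlled host.
SAMPLE_URL = "https://www.example-embassy.org/news.html"
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example-embassy.org/jquery.js"></script>
<script src="//static.example-attacker.net/js.php"></script>
</head><body>
<p>Press releases</p>
<iframe src="http://static.example-attacker.net/index.php" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>"""

# Constructed clean page for comparison: every load is same-origin or allowlisted.
CLEAN_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example-embassy.org/jquery.js"></script>
</head><body><p>Press releases</p></body></html>"""


class _LoadCollector(HTMLParser):
    """Collects the src attribute of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []  # (tag, src)

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag in ("script", "iframe") and attr.get("src"):
            self.sources.append((tag, attr["src"]))


def external_loads(html, page_url, allowed_hosts=ALLOWED_HOSTS):
    """Return (tag, host, src) for each load from a host outside the allowlist.

    Relative URLs resolve to the page's own host and are never flagged.
    Protocol-relative URLs (//host/path) are resolved to their host so an
    injected tag cannot hide behind a missing scheme.
    """
    collector = _LoadCollector()
    collector.feed(html)
    page_host = urlparse(page_url).netloc.lower()
    findings = []
    for tag, src in collector.sources:
        host = urlparse(src).netloc.lower() or page_host
        if host != page_host and host not in allowed_hosts:
            findings.append((tag, host, src))
    return findings


if __name__ == "__main__":
    for tag, host, src in external_loads(SAMPLE_PAGE, SAMPLE_URL):
        print(f"unexpected {tag} load from {host}: {src}")
```

Run against a baseline copy of each page as well as the live one and diff the two result lists; an injected tag that points at a newly registered or look-alike domain is exactly the kind of change this surfaces, whereas a host-level allowlist alone would miss an injection that loads from a second compromised site already on the list.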
In these strategic web compromises, the group focused on sites belonging to five types of
organizations: large manufacturing companies (particularly those supplying the defense
industry); energy companies; embassies representing countries in the Middle East, Europe and
35 Cyber Warnings E-Magazine – August 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide