The campaign resulted in the theft of sensitive documents from an unnamed government agency between September and October, according to a report by Unit 42, a threat intelligence team specializing in cyber risk and incident response at Palo Alto Networks, in partnership with the National Security Agency Cybersecurity Collaboration Center.
“As early as Sept. 17, the actor leveraged leased infrastructure in the United States to scan hundreds of vulnerable organizations across the internet,” the report reads. “Subsequently, exploitation attempts began on Sept. 22 and likely continued into early October.
“During that window, the actor successfully compromised at least nine global entities across the technology, defense, healthcare, energy, and education industries.”
The report states that the identity of the actor(s) behind the campaign couldn’t be verified, but notes that their tactics and tools most closely resembled those of a cyberespionage group with ties to the Chinese regime known as Emissary Panda.
Emissary Panda is known by many names, including APT 27, Bronze Union, Iron Tiger, Lucky Mouse, and TG-3390. It’s one of numerous groups to have splintered out of the state-sponsored Winnti Group, and it’s responsible for cyberattacks in the Americas, Asia, Europe, and the Middle East, according to a report by Canadian media outlet CBC. The group specializes in using cyber espionage to collect data from government targets and frequently targets energy, defense, and aviation sectors.
The hacking group has been implicated in numerous cyberattacks since at least 2009 and has exploited Microsoft Exchange vulnerabilities as recently as early November, when it leveraged ransomware against targets primarily located in the United States.
The report states that the campaign scanned more than 370 U.S.-based servers, including servers at the Department of Defense, while looking for vulnerabilities. It then exploited newly discovered vulnerabilities in a password management and single sign-on solution, ManageEngine ADSelfService Plus.
Once exploited, malicious actors were able to move laterally into related systems, install a credential-stealing tool, and gather and exfiltrate sensitive files.
“Unit 42 believes that the actor’s primary goal involved gaining persistent access to the network and the gathering and exfiltration of sensitive documents from the compromised organization,” the report reads.
News of the attack closely follows a warning by the National Counterintelligence and Security Center that China’s communist regime is engaged in a comprehensive campaign to acquire critical and emerging technologies from the United States through legal, quasi-legal, and illegal means. U.S. technologies are critical to the development of many of China’s own weapons programs, and state-sponsored groups in China and those linked to the Chinese military have been accused of stealing data globally.
Such threats to the nation don’t necessarily require feet on the ground, as was recently demonstrated by a report that an ongoing pro-China influence operation previously attempted to physically mobilize protestors in the United States by leveraging fake social media accounts across 70 websites, including Facebook, Twitter, and YouTube.
The agencies breached in the campaign haven’t yet been publicly identified.