A group of security researchers has released new information on one of China’s most notorious hacking groups, showing how they exploit various enterprises, how quickly they move in internal networks and how hard it is to remove them once they gain access.
Researchers from Dell SecureWorks have released information Wednesday detailing how Threat Group 3390, also referred to as Emissary Panda, conducts its operations from beginning to end. Over two years, SecureWorks’ Counter Threat Unit observed the group infecting the websites of more than 100 different organizations, specifically targeting U.S. and U.K. entities. Among those affected were auto, electronic, aircraft, pharmaceutical and energy companies, as well as defense contractors and political organizations.
The threat group has been observed using strategic Web compromises – more commonly known as a “watering hole” – hooking an exploit onto a website that is often visited by a coveted target, such as a supplier or nongovernmental organization. After hooking an exploit onto a site, the group monitors IP addresses to figure out which are worth attacking. Once an IP address is discovered, the group deploys the exploit, often attacking through holes in Java, Flash or other Adobe products that have been unpatched for years.
Once inside a network, the group methodically moves to find intellectual property. Once data tied to certain product or program is found, it’s completely removed.
“They look through documents and information that’s on the victim’s network and go ‘I need that, and that, that,’ and hoover up every piece of info they can,” SecureWorks’ Elizabeth Clarke said.
Beyond that, the group moves lightning quick to make sure once they are inside a network, they create ways to stay there. The group often turns to search engines to find Outlook Web Access logins and will login into those portals via a mix of the information they’ve already collected and brute force attacks.
“We’ve seen them move from initial compromise to having full access of the network in 6 hours,” Andrew White, a researcher with Dell SecureWorks, told Cyberscoop.
The group has been documented by other security firms in years past: CrowdStrike first determined the group was using watering holes in a 2013 report. Other groups have tied Emissary Panda to previous hacks of the websites of the Labor Department and Russian’s embassy in the U.S.
White and his team could not attribute the group to any government-based Chinese entity, like the People’s Liberation Army. He did say SecureWorks believes they are coordinating with other threat groups, observing the use of tools that have shown up in other hacks attributed to China.
China’s role in hacks around the world has come under increased scrutiny, particularly in the wake of the hack at the Office of Personnel Management. High-ranking officials have attributed that attack to China, but the White House has been reluctant to publicly label the country as responsible.
White told FedScoop this particular group continues to use watering holes that exploit old vulnerabilities because they continue to work.
“I wish could I say that this sort of thing is surprising, but this is the way that groups are getting into networks, through poor security configuration and poor patching,” White told FedScoop. “It’s not an uncommon aspect.”
SecureWorks advises IT shops to patch any outstanding Java or Flash vulnerabilities, as well as mandate the use of two-factor authentication for Web-based Outlook exchanges or corporate VPNs. Without it, it could be weeks before organizations realize they never removed the group in the first wave of containment and eviction.
“They will come back in,” White said. “We’ve seen them work through their previous tools and then go search engines for other ways on to the network.