
Threat group has stolen terabytes of data from U.S. targets since 2013

A crafty threat group believed to be based out of China has been observed stealing what could amount to terabytes of sensitive information from U.S. targets over the past couple of years.

According to a Trend Micro report, the group – known as “Emissary Panda” or “Threat Group-3390 (TG-3390)” – dates back to 2010 when it was observed focusing on political targets and government agencies in China, the Philippines and Tibet.

In 2013, the group's espionage activities shifted to U.S. defense contractors and other related U.S. organizations in a variety of technology-heavy industries, including electric, aerospace, intelligence, telecommunications, energy and nuclear engineering.

Typically targeting directors and managers of these companies with a mix of spear phishing emails and preexisting and custom malware, the attackers have compromised what could be terabytes worth of emails, full Active Directory dumps, intellectual property, strategic planning documents, and budget- or finance-related content, the report said.

“The information taken varies and is very broad,” Christopher Budd, global threat communications manager at Trend Micro, said in a Wednesday email correspondence, noting it is unclear what the attackers plan to do with the data. “Some of the most noteworthy means of data theft involve bulk compromises of [Microsoft] Exchange servers, so any and all information passing through email could have been taken.”

In one instance, the group was able to extract 58GB worth of data from a single organization. Budd was unable to share more details on the attack; however, a screenshot of the archive that was included in the report showed folder names written in English, possibly hinting at the location of the organization.

Dell SecureWorks published a detailed analysis of the group in the beginning of August, and Budd said the latest Trend Micro research adds a broader historical context to the threat actors and also establishes the Chinese origins of the group with a higher degree of confidence.

“There is no specific evidence to show there's a state-sponsored connection,” Budd said, going on to add that this “is another example of non-state actors engaged in political/military/espionage/corporate espionage activities. It highlights [that] the boundary between state and non-state actors continues to blur.”

Budd said the campaign illustrates how spear phishing continues to be a critical problem that is devastatingly effective, and he indicated that all industries should remain cautious since any organization can become a target – even if only to be used as part of an attack against another target.
