Emissary Panda Targets US Military Info


Threat Group-3390, a group that is suspected to be headquartered in the People’s Republic of China, is hard at work obtaining confidential data on US defense manufacturing projects.

The group, dubbed Emissary Panda, was uncovered by Dell SecureWorks Counter Threat Unit (CTU) researchers. They found that the group also targets other industry verticals and attacks organizations involved in international relations. The group relies heavily on long-running strategic web compromises (SWCs): it has compromised approximately 100 websites so far for watering-hole attacks, and it uses whitelists of visitor addresses on those sites so that the malicious payload is served only to select targets rather than to every visitor.

“CTU researchers have evidence that the threat group compromised US and UK organizations in the following verticals: manufacturing (specifically aerospace (including defense contractors), automotive, technology, energy and pharmaceuticals), education and legal, as well as organizations focused on international relations,” Dell CTU noted in its analysis. “Based on analysis of the group’s SWCs, TG-3390 operations likely affect organizations in other countries and verticals.”

Compared with other threat groups, TG-3390 is notable for its tendency to compromise Microsoft Exchange servers using a custom backdoor and credential logger. After the initial compromise, typically through one of its SWCs, TG-3390 delivers the HttpBrowser backdoor to its victims. The threat actors then move quickly to the Exchange servers, where the backdoor and credential logger give them a persistent foothold and harvested credentials, and from there to complete control of the target environment.

From there, they target key data stores and selectively exfiltrate the high-value information associated with their goal.

CTU researchers recommend the following practices to prevent or detect TG-3390 intrusions: search web server log files for evidence of web server scanning; require two-factor authentication for all remote access solutions; and, on Microsoft Exchange servers, audit the ISAPI filters loaded by IIS (an unexpected filter is one way a credential logger can hook into Outlook Web App authentication) and search for web shells.
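The first and last of those recommendations can be turned into a repeatable hunt. The script below is an added example (not code from the CTU report or this article) that parses IIS W3C-format web logs, flags clients that generated many distinct 404 responses within a short window (web server scanning), and then looks for successful POSTs from those same clients to server-side script files that no other client ever requested, which is the traffic pattern a privately planted web shell produces. The log excerpt, IP addresses, path names, window and threshold are all constructed assumptions; tune the thresholds to your own OWA traffic.

```python
"""Hunt for web-server scanning and follow-on web shell use in IIS W3C logs.

Added example, not from the CTU report or Infosecurity Magazine. The log lines,
addresses and paths below are constructed for illustration; the window and
threshold values are assumptions to be tuned per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS W3C log excerpt; field order follows the #Fields: header.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2015-08-05 09:00:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 192.0.2.10 Mozilla/5.0 200
2015-08-05 09:00:02 10.0.0.5 POST /owa/auth.owa - 443 - 192.0.2.10 Mozilla/5.0 302
2015-08-05 09:01:10 10.0.0.5 GET /owa/auth/a.aspx - 443 - 198.51.100.7 python-requests/2.7 404
2015-08-05 09:01:11 10.0.0.5 GET /owa/auth/b.aspx - 443 - 198.51.100.7 python-requests/2.7 404
2015-08-05 09:01:12 10.0.0.5 GET /owa/auth/c.aspx - 443 - 198.51.100.7 python-requests/2.7 404
2015-08-05 09:01:13 10.0.0.5 GET /ecp/d.ashx - 443 - 198.51.100.7 python-requests/2.7 404
2015-08-05 09:01:14 10.0.0.5 GET /aspnet_client/e.aspx - 443 - 198.51.100.7 python-requests/2.7 404
2015-08-05 09:01:15 10.0.0.5 GET /exchweb/bin/f.aspx - 443 - 198.51.100.7 python-requests/2.7 404
2015-08-05 09:40:00 10.0.0.5 POST /owa/auth/logon2.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2015-08-05 09:41:00 10.0.0.5 POST /owa/auth/logon2.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2015-08-05 09:42:00 10.0.0.5 GET /owa/ - 443 - 192.0.2.11 Mozilla/5.0 200
"""

# Extensions IIS hands to a script engine; a web shell has to live under one of these.
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".asp")


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # header missing or a truncated/garbled line: skip it
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield rec


def find_scanners(records, window=timedelta(minutes=5), min_404=5):
    """Return {client_ip: sorted 404 paths} for clients that requested at least
    min_404 distinct not-found paths inside any window-sized span (sliding window)."""
    by_client = defaultdict(list)
    for r in records:
        if r["sc-status"] == "404":
            by_client[r["c-ip"]].append((r["ts"], r["cs-uri-stem"]))
    scanners = {}
    for ip, hits in by_client.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {path for _, path in hits[start:end + 1]}
            if len(distinct) >= min_404:
                scanners[ip] = sorted({path for _, path in hits})
                break
    return scanners


def find_shell_candidates(records, scanners):
    """Script paths that a flagged scanner POSTed to with a 200 response and that
    no non-scanner client ever requested: a planted web shell is private to the
    attacker, unlike the OWA/ECP pages every legitimate user touches."""
    seen_by_others = {r["cs-uri-stem"].lower() for r in records if r["c-ip"] not in scanners}
    candidates = defaultdict(set)
    for r in records:
        if r["c-ip"] not in scanners:
            continue
        path = r["cs-uri-stem"].lower()
        if (r["cs-method"] == "POST" and r["sc-status"] == "200"
                and path.endswith(SCRIPT_EXTENSIONS) and path not in seen_by_others):
            candidates[r["c-ip"]].add(r["cs-uri-stem"])
    return {ip: sorted(paths) for ip, paths in candidates.items()}


def hunt(log_text):
    """Run both checks over one log file's text; returns (scanners, shell_candidates)."""
    records = list(parse_iis_log(log_text))
    scanners = find_scanners(records)
    return scanners, find_shell_candidates(records, scanners)


if __name__ == "__main__":
    scanners, shells = hunt(SAMPLE_LOG)
    for ip, paths in scanners.items():
        print(f"scanner {ip}: {len(paths)} distinct 404 paths, e.g. {paths[:3]}")
    for ip, paths in shells.items():
        print(f"possible web shell used by {ip}: {paths}")
```

Run it against a real Exchange front-end log directory by concatenating the day's files into `hunt()`; the scanner list is the noisy half (vulnerability scanners and misconfigured clients show up too), so the shell-candidate list is where to start triage, followed by a file-system check that the flagged `.aspx` actually exists outside the Exchange install and by the ISAPI filter audit the CTU recommends.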

The threat actors have also used Baidu, a Chinese-language search engine, to conduct reconnaissance against their targets.

CTU researchers have observed the threat group obtaining information about specific US defense projects that would be desirable to those operating within a country with a manufacturing base, an interest in US military capability, or both.

“TG-3390 is known for compromising organizations via SWCs and moving quickly to install backdoors on Exchange servers,” CTU researchers noted. “Despite the group’s proficiency, there are still many opportunities to detect and disrupt its operation by studying its modus operandi. The threat actors work to overcome existing security controls, or those put in place during an engagement, to complete their mission of exfiltrating intellectual property. Due to TG-3390’s determination, organizations should formulate a solid eviction plan before engaging with the threat actors to prevent them from reentering the network.”
