Numbered Panda

Country: People's Republic of China
Branch: People's Liberation Army
Type: Cyber force; advanced persistent threat
Role: Cyber warfare; electronic warfare

Numbered Panda (also known as IXESHE, DynCalc, DNSCALC, and APT12) is a cyber espionage group believed to be linked with the Chinese military. [1] The group typically targets organizations in East Asia, [1] including media outlets, high-tech companies, and governments. [2] Numbered Panda is believed to have been operating since at least 2009, [3] and it is also credited with the 2012 data breach at the New York Times. [4] One of the group's typical techniques is to send malware-laden PDF files in spear phishing campaigns. [5] The decoy documents are typically written in Traditional Chinese, which is widely used in Taiwan, and the targets are largely associated with Taiwanese interests. [3] Numbered Panda appears to follow cybersecurity research on the malware it uses: after an Arbor Networks report on the group, FireEye observed a change in the group's techniques aimed at avoiding future detection. [1]


Discovery and security reports

Trend Micro first reported on Numbered Panda in a 2012 white paper. [5] Researchers found that the group had been running spear phishing campaigns using the Ixeshe malware, primarily against East Asian nations, since approximately 2009. [5] CrowdStrike further discussed the group in the 2013 blog post Whois Numbered Panda. [2] That post followed the 2012 attack on the New York Times and the newspaper's 2013 reporting on the attack. [4] In June 2014, Arbor Networks released a report detailing Numbered Panda's use of Etumbot to target Taiwan and Japan. [3] In September 2014, FireEye released a report highlighting the group's evolution, [1] and linked the release of Arbor Networks' report to Numbered Panda's change in tactics. [1]

Attacks

East Asian Nations (2009-2011)

Trend Micro reported on a campaign against East Asian governments, electronics manufacturers, and a telecommunications company. [5] Numbered Panda ran spear phishing email campaigns with malicious attachments. [5] Often the attachments were PDF files that exploited CVE-2009-4324, CVE-2009-0927, CVE-2011-0609, or CVE-2011-0611, vulnerabilities in Adobe Acrobat, Adobe Reader, and Flash Player. [5] The attackers also used an exploit for Microsoft Excel, CVE-2009-3129. [5] The Ixeshe malware used in this campaign allowed Numbered Panda to list all services, processes, and drives; terminate processes and services; download and upload files; start processes and services; obtain victims' user names; obtain a machine's name and domain name; download and execute arbitrary files; make a system pause or sleep for a specified number of minutes; spawn a remote shell; and list all current files and directories. [5] After installation, Ixeshe would begin communicating with its command-and-control servers; often three servers were hard-coded for redundancy. [5] Numbered Panda often built these command-and-control servers on compromised hosts, which deepened its hold on a victim's network infrastructure. [5] Using this technique, the group is believed to have amassed sixty servers by 2012. [5] Most of the command-and-control servers used in this campaign were located in Taiwan and the United States. [5] Communication between the compromised computer and the server was Base64 encoded. [5] Trend Micro found that, once decoded, the traffic followed a fixed structure that carried the computer's name, local IP address, proxy server IP address and port, and the malware ID. [5] Researchers at CrowdStrike found that blogs and WordPress sites were frequently used in the command-and-control infrastructure to make the network traffic look more legitimate. [2]
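The Base64-encoded beacon structure described above lends itself to a simple hunt in proxy logs: decode every Base64-looking token in outbound URLs and test whether the plaintext fits a host/IP/proxy/ID layout. The following Python is an added example written for this page, not Trend Micro's code or the malware's own protocol; the log lines, the `|`-separated field order, and the `id` query parameter are constructed assumptions, since the real samples use their own encoding details that are not reproduced here.

```python
"""Hunt for Ixeshe-style Base64 beacons in web-proxy logs (added example).

Assumptions (not from the original report): the beacon is carried as a
Base64 token in a URL query value or path segment, and decodes to
'host|local_ip|proxy_ip:port|malware_id'. The log lines are constructed.
"""
import base64
import binascii
import ipaddress
import re
from urllib.parse import urlsplit

# Standard or URL-safe Base64 alphabet, at least 8 characters, optional padding.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/_-]{8,}={0,2}$")


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed proxy log lines: "<client> <method> <url> <status>".
# Lines 2 and 4 carry a beacon in the "id" query value; line 3 carries
# Base64 ("ABCDEFGHIJKLMNOP") that is not a beacon.
SAMPLE_LOG = [
    "10.1.2.33 GET http://news.example.org/index.html 200",
    "10.1.2.33 GET http://blog.example.net/wp-content/index.php?id="
    + _b64("WKS-FIN-07|10.1.2.33|192.168.0.254:8080|E3F2") + " 200",
    "10.1.2.44 GET http://cdn.example.com/lib.js?v=QUJDREVGR0hJSktMTU5PUA== 200",
    "10.1.2.51 POST http://blog.example.net/wp-content/index.php?id="
    + _b64("LAPTOP-22|10.1.2.51||A9C0") + " 200",
]


def _is_ipv4(value: str) -> bool:
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def decode_token(token: str):
    """Decode a Base64 token (standard or URL-safe alphabet) to printable
    ASCII, or return None if it is not valid Base64 or not text."""
    if not B64_TOKEN.match(token):
        return None
    standard = token.replace("-", "+").replace("_", "/")
    try:
        text = base64.b64decode(standard, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def parse_beacon(text: str):
    """Interpret decoded text as the assumed 'host|local_ip|proxy_ip:port|id'
    layout. Returns a dict, or None if the text does not fit the layout."""
    parts = text.split("|")
    if len(parts) != 4:
        return None
    host, local_ip, proxy, mal_id = parts
    if not host or not mal_id or not _is_ipv4(local_ip):
        return None
    if proxy:  # proxy field may be empty when the host has no proxy configured
        proxy_ip, sep, proxy_port = proxy.partition(":")
        if not sep or not _is_ipv4(proxy_ip) or not proxy_port.isdigit():
            return None
    return {"host": host, "local_ip": local_ip, "proxy": proxy or None, "id": mal_id}


def find_beacons(log_lines):
    """Return one record per log line whose URL carries a decodable beacon."""
    hits = []
    for line in log_lines:
        client, _method, url, _status = line.split()
        parts = urlsplit(url)
        # Candidate tokens: every query value plus every path segment.
        candidates = [pair.partition("=")[2] for pair in parts.query.split("&") if pair]
        candidates += [seg for seg in parts.path.split("/") if seg]
        for token in candidates:
            text = decode_token(token)
            if text is None:
                continue
            beacon = parse_beacon(text)
            if beacon is not None:
                hits.append({"client": client, "url": url, "beacon": beacon})
                break
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit["client"], "->", hit["beacon"])
```

The decoder deliberately rejects the Base64 on line 3 even though it decodes cleanly, because a Base64 hit alone is worthless in web traffic; it is the decoded field structure (an internal IP next to a hostname and an ID) that separates a beacon from a session token, and that structural test is what to adapt once the real field layout of a sample is known.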

Japan and Taiwan (2011-2014)

An Arbor Networks report found that Numbered Panda began a campaign against Japan and Taiwan using the Etumbot malware in 2011. [3] As in the earlier campaign, the attackers used decoy files such as PDFs, Excel spreadsheets, or Word documents as email attachments to gain access to victims' computers. [3] Most of the observed documents were written in Traditional Chinese and usually related to Taiwanese government interests; several of the files concerned upcoming conferences in Taiwan. [3] Once the victim downloaded and extracted the malicious file, the Etumbot dropper relied on a right-to-left override character in its filename to disguise the malware installer as a document and trick the victim into running it. [3] According to Arbor Networks, the "technique is a simple way for malware writers to disguise the names of malicious files. A hidden Unicode character in the filename will reverse the order of the characters that follow it, so that a .scr binary file appears to be a .xls document, for example." [3] Once installed, the malware sends a request to a command-and-control server carrying an RC4 key, which is then used to encrypt subsequent communication. [3] As with Ixeshe, Numbered Panda Base64-encoded the traffic from compromised computers to the command-and-control servers. [3] Etumbot can determine whether the target computer is configured to use a proxy and will bypass the proxy settings to establish a direct connection. [3] Once communication is established, the malware sends an encrypted message from the infected computer to the server containing the NetBIOS name of the victim's system, the user name, the IP address, and whether the system is using a proxy. [3]
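The right-to-left override trick quoted above can be caught before a user ever sees the filename by looking for Unicode bidirectional control characters in attachment names and comparing the extension the user would see with the real one. The following Python is an added example for this page, not Arbor's code or the Etumbot dropper; the filenames are constructed, and the displayed-name logic approximates what a naive file browser shows rather than implementing the full Unicode bidirectional algorithm.

```python
"""Detect right-to-left override (RTLO) filename spoofing (added example).

Assumptions (not from the original report): the sample filenames are
constructed, and the rendering model is the simple one Arbor describes,
i.e. everything after U+202E is shown reversed until a U+202C or the end.
"""

RTLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202c"   # POP DIRECTIONAL FORMATTING, ends an override

# Bidirectional controls that have no business in an attachment filename.
BIDI_CONTROLS = {
    "\u200e", "\u200f",                                   # LRM, RLM
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",     # embeddings/overrides
    "\u2066", "\u2067", "\u2068", "\u2069",               # isolates
}

EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs",
    "jar", "msi", "lnk", "hta",
}

# Constructed filenames: the first two spoof a document extension over a
# binary, the third is benign, the fourth carries a control but no binary.
SAMPLE_FILENAMES = [
    "2014_conference_agenda" + RTLO + "slx.scr",  # shown as ...agendarcs.xls
    "Taiwan_summit_notes" + RTLO + "fdp.exe",     # shown as ...notesexe.pdf
    "budget_2014.xlsx",
    "readme" + RTLO + "txt.pdf",                  # shown as readmefdp.txt
]


def _strip_controls(text: str) -> str:
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


def displayed_name(name: str) -> str:
    """What a naive renderer shows: the run after the first RTLO is reversed
    up to a PDF (or the end), and the controls themselves are invisible."""
    head, sep, tail = name.partition(RTLO)
    if not sep:
        return _strip_controls(name)
    reversed_run, _, rest = tail.partition(PDF)
    return _strip_controls(head + reversed_run[::-1] + rest)


def _extension(name: str) -> str:
    _stem, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def analyse(name: str) -> dict:
    """Compare the real extension (what the OS executes) with the one the
    user sees, and flag filenames that hide a binary behind a document."""
    shown = displayed_name(name)
    actual_ext = _extension(name)
    shown_ext = _extension(shown)
    has_bidi = any(ch in BIDI_CONTROLS for ch in name)
    return {
        "actual": name,
        "displayed": shown,
        "actual_ext": actual_ext,
        "displayed_ext": shown_ext,
        "has_bidi": has_bidi,
        "spoofs_executable": has_bidi
        and actual_ext in EXECUTABLE_EXTENSIONS
        and shown_ext != actual_ext,
    }


def triage(names) -> list:
    """Return the analysis of every filename that carries a bidi control;
    any such control in an attachment name is worth a look, and
    'spoofs_executable' marks the ones that hide a binary."""
    return [r for r in (analyse(n) for n in names) if r["has_bidi"]]


if __name__ == "__main__":
    for record in triage(SAMPLE_FILENAMES):
        print(record["displayed"], "is really", repr(record["actual"]),
              "(binary)" if record["spoofs_executable"] else "")
```

Blocking on the mere presence of a bidirectional control is the safer policy at a mail gateway, since legitimate attachment names almost never need one; the `spoofs_executable` flag exists so an analyst can prioritise the cases where the hidden extension is one the operating system will execute.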

After the June 2014 Arbor Networks report detailed Etumbot, FireEye found that Numbered Panda had modified parts of the malware. [1] FireEye observed that the protocols and strings previously used were changed in June 2014, [1] and its researchers believe the change was made to help the malware evade further detection. [1] FireEye named the new version of Etumbot HighTide. [1] Numbered Panda continued to target Taiwan with spear phishing emails carrying malicious attachments. [1] Attached Microsoft Word documents exploited CVE-2012-0158 to deliver HighTide. [1] FireEye found that compromised email accounts of Taiwanese government employees were used in some of the spear phishing. [1] HighTide differs from Etumbot in the User-Agent string of its HTTP GET request, the format and structure of the request URI, the location of the executable on disk, and the image base address. [1]

New York Times (2012)

Numbered Panda is believed to be responsible for the computer network breach at the New York Times in late 2012. [6] [4] The attack followed the newspaper's publication of a story about how the relatives of Wen Jiabao, the sixth Premier of the State Council of the People's Republic of China, had "accumulated a fortune worth several billion dollars through business dealings." [4] The computers used to launch the attack are believed to be the same university computers the Chinese military used to attack United States military contractors. [4] Numbered Panda used updated versions of the Aumlib and Ixeshe malware families. [6] The updated Aumlib encoded the body of the POST request in which it reported a victim's BIOS, external IP address, and operating system. [6] The new version of Ixeshe altered the earlier version's network traffic pattern to evade existing network signatures written to detect Ixeshe infections. [6]


References

  1. Moran, Ned; Oppenheim, Mike (3 September 2014). "Darwin's Favorite APT Group". Threat Research Blog. FireEye. Archived from the original on 18 July 2017. Retrieved 15 April 2017.
  2. Meyers, Adam (29 March 2013). "Whois Numbered Panda". CrowdStrike. Archived from the original on 16 March 2016. Retrieved 15 April 2017.
  3. "Illuminating the Etumbot APT Backdoor" (PDF). Arbor Networks. June 2014.
  4. Perlroth, Nicole (30 January 2013). "Chinese Hackers Infiltrate New York Times Computers". The New York Times. ISSN 0362-4331. Archived from the original on 30 April 2017. Retrieved 24 April 2017.
  5. Sancho, David; Torre, Jessa dela; Bakuei, Matsukawa; Villeneuve, Nart; McArdle, Robert (2012). "IXESHE: An APT Campaign" (PDF). Trend Micro. Archived (PDF) from the original on 7 March 2018. Retrieved 15 April 2017.
  6. "Survival of the Fittest: New York Times Attackers Evolve Quickly". Threat Research Blog. FireEye. Archived from the original on 21 May 2018. Retrieved 24 April 2017.