U.S. Security Hacks Linked to Chinese Cyber-Espionage Group

A hacking group has compromised at least nine global organizations in the fields of technology, defense, energy and other key sectors as part of an apparent espionage campaign, a U.S. cybersecurity group has claimed.

Cybersecurity firm Palo Alto Networks said in a report published Sunday that in the U.S. alone, hundreds of organizations were targeted by hackers as part of an espionage effort that took place between late September and early October.

The hacking group compromised "at least nine global entities across the technology, defense, healthcare, energy and education industries," it said.

"Through global telemetry, we believe that the actor targeted at least 370 Zoho [software] ... in the United States alone," Palo Alto Networks said in its report. "Given the scale, we assess that these scans were largely indiscriminate in nature as targets ranged from education to Department of Defense entities."

The hacking group was able to compromise the entities by exploiting vulnerabilities in software used to manage network passwords, known as ManageEngine ADSelfService Plus, the post said.

"Ultimately, the actor was interested in stealing credentials, maintaining access and gathering sensitive files from victim networks for exfiltration," Palo Alto Networks noted.

The cybersecurity firm noted that while attribution is still ongoing, specific tools and methods used in the apparent hacking efforts are in line with those used by Chinese cyber-espionage group Emissary Panda, also known as TG-3390, APT 27 and Bronze Union.

"Specifically, as documented by SecureWorks in an article on a previous TG-3390 operation, we can see that TG-3390 similarly used web exploitation and another popular Chinese webshell called ChinaChopper for their initial footholds before leveraging legitimate stolen credentials for lateral movement and attacks on a domain controller," Palo Alto Networks explained in its report.

"While the webshells and exploits differ, once the actors achieved access into the environment, we noted an overlap in some of their exfiltration tooling."

Emissary Panda, which has links to the Chinese government, has been active since at least 2010. It has previously targeted entities worldwide, including defense contractors in the U.S. and a European drone manufacturer. It has also staged attacks in Asia and the Middle East.

Ryan Olson, VP Threat Intelligence, Unit 42 at Palo Alto Networks, said in a statement to Newsweek that "based on the tools and techniques used in this campaign we see an overlap with EmissaryPanda/APT27."

"Two of the tools used in the attack are open source and were designed for Chinese language users," added Olson, noting that the group is yet to make a "conclusive attribution" to a threat group for the campaign.

Last month, U.S. cybersecurity firm CrowdStrike said a hacking group with suspected ties to China compromised calling records and text messages across the globe. The company said the group, known as UNC1945 or LightBasin, has been active since at least 2016.

Update 11/09/21, 1:07 a.m. ET: This article was updated with comment from Palo Alto Networks.

A Chinese hacker monitors global cyberattacks
A member of the hacking group Red Hacker Alliance uses a website that monitors global cyberattacks on his computer at their office in Dongguan, China's southern Guangdong province, taken on August 04, 2020. Cybersecurity firm Palo Alto Networks said on November 7, 2021, that tools and methods used in recent hacking efforts appear to be similar to those used by Chinese cyber-espionage group Emissary Panda. NICOLAS ASFOURI / AFP/Getty Images