For the last couple of weeks, we have been hearing about increased Chinese APT activity in APAC. One of the APT groups involved is Deep Panda (a.k.a. Purple Ghost, Kungfu Kitten), and the countries affected are India, Australia, and Vietnam. Deep Panda is among the older APT groups and has been around in one form or another since 2011. It was among the first groups trained to go after high-value targets and complex installations such as those connected with governments, telecom, defense, and parts of critical infrastructure.
Deep Panda’s primary mission is to snoop on official channels and exfiltrate data of importance to the group’s sponsors. The group is also known to maintain a very high level of interest in intercepting communication between government departments, including state secrets and data such as Covid-19 numbers. At times it harvests and transmits terabytes of data to global C&C servers, from where it is handed over to a team that sorts the information manually. It has known links with other Chinese APT groups and has collaborated on at least one project with the notorious North Korean APT group Lazarus.
Deep Panda uses a wide array of tools, including multi-phase RATs, and also uses various zero-day exploits to push malware into target networks. Recently we came across many instances of the group trying to infect servers with the Fire Chili rootkit. Deep Panda’s expertise lies in running complex social engineering campaigns that lure multiple victims within the target organization, opening up more lines of data interception.
In the last two weeks alone, Sectrio’s research team has come across Deep Panda’s footprints in our honeypots across Europe, Asia-Pacific, and North America. Cicada (a.k.a. APT10, Stone Panda) and Mustang Panda (a.k.a. Temp.Hex, HoneyMyte, TA416, or RedDelta) are the other Chinese APT groups that have become very active in the last few weeks. Mustang Panda is currently running an espionage campaign to target diplomatic missions, think tanks, and NGOs in several countries.
Why are the Chinese APT groups becoming more active of late?
In 28 of the 77 active honeypots run by Sectrio, activity from a Chinese APT group was recorded. Some groups are also trying to access control systems linked to OT deployments as well as firmware connected with IoT devices. The increased wave of activity indicates rising sponsor interest in espionage and long-term reconnaissance on targets, in addition to disruption.
In India, Deep Panda’s activity was logged in attacks on utility infrastructure. We first detected Deep Panda’s reconnaissance activity in November 2019, when the group launched an attempt to penetrate a power grid, and later (in June 2020) a New Delhi-based think tank. The group also ran a campaign targeting Indian missions in a few countries through phishing emails engineered to appear to have come from India’s Ministry of External Affairs. This group has been maintaining a very high level of interest in India, Vietnam, and Australia since at least 2014.
The increase in Chinese APT activity is connected to the ongoing retreat of Russian APT groups from cyberspace. Russian APT groups are now focusing on only a few sectors, unlike earlier, when they used to go after all critical infrastructure projects in target countries. Russian APT actors now concentrate on energy infrastructure, water and wastewater treatment plants, and the maritime sector. Russian groups are also bogged down by a huge spike in inbound cyberattacks on Russian targets, and it does seem that their sponsors have moved some of the APT groups to either defending infrastructure or going after groups that are attacking Russia in cyberspace.
This has opened the door for Chinese APT groups to step in and increase their operations. These groups are exploiting the opportunity and replacing Russian APT groups in cyberspace. Going by the increase in the scale of operations, one can guess that the sponsors of Chinese APT groups are also providing them with more funds and manpower to continue their efforts and ramp up their operations.
It is only a matter of time before these groups diversify their operations and start logging more successes. Enterprises and governments have to act with caution and diligence to keep such groups at bay.
Amplifying the voice of CISO
Haven’t filled out the CISO Peer Survey form yet? If not, you are missing a lot. Over 270 CISOs have already completed the survey. Fill it out today and you will get a pre-release copy of the survey report, complete with information, analysis, and commentary on areas such as:
- Cybersecurity budgets
- The latest strategies to keep threats at bay
- What tools CISOs are leveraging to secure their businesses
- What has changed since Feb 24
- How organizations are responding to emerging cybersecurity challenges
To make your opinion count, fill out the uniquely designed form here: CISO Peer Survey 2022
Talk to our cybersecurity experts today to get to know more about our IT-IoT-OT cybersecurity solutions and threat intelligence. Book here.
We invite all cybersecurity leaders across verticals and countries to participate in this survey. Your participation will enable us to turn the survey into a more participative and comprehensive effort: CISO survey 2022
Try our threat intelligence feeds for free for the next two weeks.