Suspected spies using tools and tactics similar to those of a Chinese government-connected hacking group compromised nine organizations in the defense, education, energy and health care industries across the globe beginning in September, according to new research.
The hackers were “indiscriminate” in targeting that included parts of the U.S. Defense Department, according to Palo Alto Networks, which published its findings on Sunday with an assist from the National Security Agency’s Cybersecurity Collaboration Center. That center primarily works with defense contractors to collect and share threat information.
At least one of the victims was a U.S. organization, Palo Alto Networks said, but didn’t name the nine compromised entities. The company “believes that the actor’s primary goal involved gaining persistent access to the network and the gathering and exfiltration of sensitive documents from the compromised organization.”
The research comes on the heels of a Sept. 16 warning from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, in conjunction with the FBI and U.S. Coast Guard Cyber Command. It warned that likely foreign government-backed hackers were actively exploiting a vulnerability in Zoho’s ManageEngine ADSelfService Plus, a password management product. Zoho issued a patch for the vulnerability on Sept. 6.
While CISA didn’t identify the suspected hackers then, Palo Alto Networks says that a separate campaign targeting the same vulnerability began shortly after the alert, on Sept. 22, and likely continued through early October. CNN first detailed the findings.
Although the company said it couldn’t say with certainty who was behind the apparent espionage campaign, the hackers used tools and tactics similar to those of a Chinese hacking group alternately known as Emissary Panda, APT27 and Threat Group 3390. It’s a group that has been noted for its flexibility in refurbishing old tools and for targeting more than just the West, and perhaps has begun dabbling in ransomware.
The overlap includes the use of a modified Chinese-language webshell, a script placed on a compromised web server that lets the hackers keep remote access to their targets. The hackers scanned hundreds of potential targets, Palo Alto Networks said. “At least 370 U.S. organizations were included in fairly broad scanning to identify vulnerable Zoho servers,” the company said.
Rob Joyce, director of cybersecurity at the National Security Agency, touted the report over the weekend.
Review this blog and check your networks for IOCs related to this ongoing malicious activity. Actionable threat sharing among public-private partners makes a difference against adversary intrusions. Good work by all involved! https://t.co/uLEtkrPGNf
— Rob Joyce (@NSA_CSDirector) November 8, 2021
U.S. officials stepped up public pressure on China in July over cyber espionage, blaming Beijing for exploiting flaws in Microsoft Exchange Servers and, in so doing, enabling ransomware attacks on tens of thousands of victims. China has routinely denied such allegations.