Submitted URL: http://arstechnica.com/security/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-h...
Effective URL: https://arstechnica.com/information-technology/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use...
NEWLY DISCOVERED CHINESE HACKING GROUP HACKED 100+ WEBSITES TO USE AS “WATERING HOLES”


EMISSARY PANDA GROUP PENETRATED THE NETWORKS OF INDUSTRIAL ESPIONAGE TARGETS.

Sean Gallagher - 8/5/2015, 9:00 PM

Emissary Panda wants to eat all the industrial data—and has hacked hundreds of
sites to target people with access to it.
Chen Wu

LAS VEGAS—Today at the Black Hat information security conference, Dell
SecureWorks researchers unveiled a report on a newly detected hacking group that
has targeted companies around the world while stealing massive amounts of
industrial data. The majority of the targets of the hacking group were in the
automotive, electronic, aerospace, energy, and pharmaceutical industries. The
group, believed to be based in China, has also targeted defense contractors,
colleges and universities, law firms, and political organizations—including
organizations related to Chinese minority ethnic groups.

Designated as Threat Group 3390 and nicknamed "Emissary Panda" by researchers,
the hacking group has compromised victims' networks largely through "watering
hole" attacks launched from over 100 compromised legitimate websites, sites
picked because they were known to be frequented by those targeted in the attack.

At least 50 organizations in those industries in the US and the United Kingdom
had data stolen by members of Emissary Panda. Sites targeted included the
website of the Embassy of the Russian Federation in the US (as well as those of
other embassies and non-governmental organizations); government agency websites
around the world; manufacturing companies, many of whom were suppliers to
defense contractors; and the Spanish defense manufacturer Amper. A cultural site
for the Chinese Uyghur ethnic group was also used, apparently to target members
of the Muslim minority for surveillance.

No zero-day vulnerabilities were used to breach targeted networks; instead, "the
group relied on old vulnerabilities such as CVE-2011-3544"—a Java security hole
dating from 2011—"and CVE-2010-0738 to compromise their targets," Dell SecureWorks'
researchers reported. The group used a number of tools common to other Chinese
hacking groups, but they had a few unique tools of their own with interfaces
developed for Standard (Simplified) Chinese. One of these is the PlugX remote
access tool, "a notorious piece of malware linked to a number of attacks and to
another Threat Group, which researchers believe is also likely based out of
China," according to Dell SecureWorks researchers. It also appears the group
used China's Baidu search engine to perform reconnaissance on targets.

Visitors to sites exploited by Emissary Panda are directed by code embedded in
the sites to a malicious webpage, which screens their IP address. If the address
falls within ranges that the attackers are interested in, the malicious site
waits for their next page view to drop an exploit on the desirable target's PC.
(There has also been at least one victim targeted by a spear-phishing attack.) A
variety of malware, including the PlugX tool, was shared with other known
Chinese threat groups. But two tools used were unique to the group: ASPXTool, an
Internet Information Services (IIS) specific "Web shell" used to gain access to
servers inside a target's network; and the OwaAuth credential stealing tool and
Web shell, used to attack Microsoft Exchange servers running the Web Outlook
interface.
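The paragraph above describes code embedded in compromised legitimate sites that sends visitors on to an attacker-controlled page. For the operators of such sites, one routine integrity check is to scan the pages they serve for elements that load remote content (script, iframe, object, embed, meta refresh) and flag any whose host is outside an allowlist, paying particular attention to zero-size or hidden ones. The script below is an added example written for this page; it is not code from the article or from Dell SecureWorks. The sample HTML, the trusted host names and the `.invalid` placeholder domain are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not from the article): two first-party loaders and
# one injected, zero-size iframe pointing at a third-party host. The reserved
# ".invalid" TLD stands in for whatever host the injected code would reach.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-legit.org/lib.js"></script>
</head><body>
<p>Embassy news and announcements</p>
<iframe src="http://stats-collector.example.invalid/count.php"
        width="0" height="0" style="display:none"></iframe>
</body></html>"""

# Hosts the site operator expects to serve active content (assumed allowlist).
TRUSTED_HOSTS = {"www.example-legit.org", "cdn.example-legit.org"}

# Tags that make the browser fetch and run or render remote content, mapped to
# the attribute that carries the remote URL.
LOADER_TAGS = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}


class LoaderCollector(HTMLParser):
    """Collects every element that pulls in remote content."""

    def __init__(self):
        super().__init__()
        self.loaders = []  # list of (tag, url, attrs)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag in LOADER_TAGS:
            url = attrs.get(LOADER_TAGS[tag])
            if url:
                self.loaders.append((tag, url, attrs))
        elif tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            # content="0; url=http://..." redirects the whole page
            content = attrs.get("content", "")
            if "url=" in content.lower():
                url = content[content.lower().index("url=") + 4:].strip().strip("'\"")
                self.loaders.append(("meta-refresh", url, attrs))


def is_hidden(attrs):
    """True when the element is sized to zero or styled invisible."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (
        attrs.get("width") == "0"
        or attrs.get("height") == "0"
        or "display:none" in style
        or "visibility:hidden" in style
    )


def find_foreign_loaders(html, trusted_hosts):
    """Return loaders whose host is not in the allowlist.

    Relative URLs (no host) are first-party and are skipped; protocol-relative
    URLs ("//host/path") resolve to a host and are checked like absolute ones.
    """
    parser = LoaderCollector()
    parser.feed(html)
    allowed = {h.lower() for h in trusted_hosts}
    findings = []
    for tag, url, attrs in parser.loaders:
        host = urlparse(url).hostname
        if host is None:
            continue
        if host not in allowed:
            findings.append(
                {"tag": tag, "url": url, "host": host, "hidden": is_hidden(attrs)}
            )
    return findings


if __name__ == "__main__":
    for finding in find_foreign_loaders(SAMPLE_HTML, TRUSTED_HOSTS):
        flag = "HIDDEN " if finding["hidden"] else ""
        print(f"{flag}{finding['tag']} -> {finding['host']} ({finding['url']})")
```

Run against a crawl of the site's own pages (or against the files in the web root), the check reports the injected iframe while leaving the two first-party loaders alone. It catches the common injection shapes rather than every possible one: inline script that builds a URL at runtime, for instance, has no `src` to compare, so this belongs alongside file-integrity monitoring of the web root rather than in place of it.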

Once inside networks, the group generally targeted Windows network domain
controllers and Exchange e-mail servers, targeting user credentials to allow
them to move to other systems throughout the targeted network. They used an
exploit of Internet Information Server to inject keylogger and backdoor malware
onto the Exchange server. Getting into domain controller and Exchange servers
gave the attackers an opportunity to steal administrator and other high-level
credentials, and they could then quickly identify other points of interest and
move to compromise other systems on the network—often within just two hours of
the initial compromise.


Sean Gallagher Sean was previously Ars Technica's IT and National Security
Editor, and is now a Principal Threat Researcher at SophosLabs. A former Navy
officer, systems administrator, and network systems integrator with 20 years of
IT journalism experience, he lives and works in Baltimore, Maryland.
