A criminal hacking ring believed to be based in China has used highly targeted attacks and years-old exploits to compromise at least 50 U.S. and U.K. organizations in search of valuable intellectual property, finds a new report from Dell SecureWorks.
Aimed at companies and organizations in the manufacturing, education, and legal sectors, the group designated TG-3390 first compromises third-party websites likely to be visited by the target’s employees — for example, the websites of supply-chain vendors.
Known as a watering hole attack, the tactic was also described in a 2013 report from CrowdStrike, which dubbed the perpetrators “Emissary Panda.” That group is likely the same as TG-3390, says a Dell SecureWorks researcher.
The new report sheds additional light on the tools and tactics the group uses. Using the compromised third-party websites, the hackers delivered malicious payloads only to visitors from certain IP addresses, narrowly focusing their efforts on specific target companies. Once inside, one of the group’s signatures is a selective exfiltration of data related to specific projects.
“A lot of groups do a smash and grab,” Dell SecureWorks researcher Andrew White told SDxCentral at the Black Hat conference in Las Vegas on Wednesday. “This is very selective.”
Though the group uses a previously unknown tool to target Microsoft Exchange servers, the majority of its tactics exploit well-known vulnerabilities in older versions of common software such as Java and Flash, says White. Software updates and proper configuration, perhaps the easiest security measures to implement, are routinely ignored by the majority of companies, a Cisco survey from earlier this year found.
To detect a breach by the group, White recommends checking for a web shell on Exchange servers, typically the group’s first target once it begins moving laterally inside a network. Routinely searching web log files and requiring two-factor authentication are other prudent steps, he adds.
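One way to put the web-log search into practice, as an added example that is not from the report or from Dell SecureWorks: a heuristic sweep of an Exchange front end's IIS logs for server-side script paths that only one client ever drives with repeated POSTs, the access pattern a dropped web shell leaves behind. The log lines are constructed and the thresholds are assumptions to tune per deployment.

```python
"""Heuristic web-shell hunt over IIS (W3C extended) logs. Added example, not from
the Dell SecureWorks report; the log lines are constructed and the thresholds are
assumptions to tune per deployment."""
from collections import defaultdict
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx")

# Constructed sample from an Exchange front end, trimmed to a few W3C fields.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2015-08-05 09:00:01 GET /owa/auth/logon.aspx 198.51.100.10 200
2015-08-05 09:00:03 POST /owa/auth.owa 198.51.100.10 302
2015-08-05 09:03:02 POST /owa/auth/logon.aspx 198.51.100.12 200
2015-08-05 09:05:00 POST /aspnet_client/system_web/error.aspx 203.0.113.7 200
2015-08-05 09:05:09 POST /aspnet_client/system_web/error.aspx 203.0.113.7 200
2015-08-05 09:05:31 POST /aspnet_client/system_web/error.aspx 203.0.113.7 200
2015-08-05 09:07:15 GET /ecp/default.aspx 198.51.100.11 200
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def find_webshell_candidates(text, max_clients=1, min_posts=2):
    """Return {path: sorted client IPs} for server-side script paths that few
    clients ever touch yet receive repeated successful POSTs: the access pattern
    of an operator driving a dropped shell, unlike the widely used OWA/ECP pages."""
    clients, posts = defaultdict(set), defaultdict(int)
    for req in parse_w3c(text):
        path = req["cs-uri-stem"].lower()
        if not path.endswith(SCRIPT_EXTENSIONS):
            continue
        clients[path].add(req["c-ip"])
        if req["cs-method"] == "POST" and req["sc-status"].startswith("2"):
            posts[path] += 1
    return {p: sorted(ips) for p, ips in clients.items()
            if len(ips) <= max_clients and posts[p] >= min_posts}

if __name__ == "__main__":
    for path, ips in find_webshell_candidates(SAMPLE_LOG).items():
        print(f"review {path}: driven only by {ips}")
```

Any path it reports still needs a look at the file on disk (creation time, owner, content); the heuristic narrows the search, it does not confirm a shell.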
In addition to targeting corporate intellectual property, the TG-3390 hacking ring also deployed watering-hole attacks on the websites of Washington, D.C.-based foreign embassies, “likely to target U.S.-based users involved in international relations,” according to the Dell report.
“We believe that what we found was just a sliver of their total activity,” White says.