Pierluigi Paganini September 17, 2015

Experts at Trend Micro uncovered the Operation Iron Tiger, a cyber espionage campaign carried out by Chinese hackers on United States Defense Contractors.

Security experts at Trend Micro have uncovered a new targeted attack campaign dubbed Operation Iron Tiger. Threat actors behind the Operation Iron Tiger have stolen trillions of data from defense contractors in the US. Stolen data include intellectual property, including emails and strategic planning documents and many other highly confidential information that could be used by attackers to destabilize an organization.

The experts speculate that the Iron Tiger Operation was carried out by the China-based group dubbed “Emissary Panda.”

“Operation Iron Tiger is a targeted attack campaign discovered to have stolen trillions of data from defense contractors in the US, including stolen emails, intellectual property, strategic planning documents—data and records that could be used to destabilize an organization.” states a blog post published by Trend Micro.

In August 2015, researchers at Dell discovered that the Panda Emissary group used Watering hole attacks as the attack vector, they compromised websites popular with a target organization’s personnel.

The Panda Emissary (also known as TG-3390) targeted high-profile governments and organisations searching for defence aerospace projects.

The group is active at least since 2010 targeting organization in APAC, but since 2013 it is attacking high-technology targets in the US.

The experts consider the Panda Emissary a “highly competent and sophisticated group“, Trend Micro revealed to have seen them steal up to 58 GB worth of data from a single target.

“The Iron Tiger actors can be skilled computer security experts but sparingly used advanced techniques, given their weakly protected target networks. They do not follow a specific schedule when it came to launching attacks. Instead, they prioritize attacks based on a list of chosen targets.” states the experts.

The attackers used spear-phishing emails to carry on the attacks, the experts at Trend Micro analyzed in detail the accounts used by the hackers and the composition of the email messages (i.e. subject, language, message).

Trend Micro published a detailed report on the Operation Iron Tiger, the investigation allowed the experts to analyze the TTPs (Tactics, Techniques and Procedures  of the threat actor.

Below the key findings of the report:

• The group’s use of exclusive hacking tools and malware, such asdnstunserver, PlugX, Gh0st, to name a few
• The threat actor group’s use of public resources as Blogspot™ and the Google Cloud Platform™
• The group patched one of their compromised servers to avoid being hacked
• Key identification elements leading to at least one individual physically located in China
• The use of code-signing certificates of Korea-based security company SoftCamp Co., Ltd.
• The group’s list of targets, which include military defense contractors, intelligence agencies, FBI-based partners, and the US government
• Their use of a unique method to intercept  Microsoft Exchange credentials

Enjoy the full research paper entitled “Operation Iron Tiger: Exploring Chinese Cyber Espionage Attacks on US Defense Contractors.”

Pierluigi Paganini

(Security Affairs – Operation Iron Tiger, cyber espionage)

[adrotate banner=”5″]

[adrotate banner=”13″]