Watering Hole Campaign Compromises More Than 50 Companies

Further research into one China-linked espionage group finds a network of more than 100 Websites, serving a variety of industries and government agencies, that have been compromised to infect targets with espionage trojans.


An espionage group with links to China has systematically infected more than 100 Web destinations that are popular with a variety of industries and government agencies as part of a scheme to infect sensitive targets, managed-security firm Dell SecureWorks said on Aug. 5.

The team of spies, which Dell labeled "Threat Group 3390" and which security firm CrowdStrike calls "Emissary Panda," uses sophisticated methods and detailed planning to infiltrate targets, Andrew White, senior security researcher with Dell SecureWorks' Counter Threat Unit, told eWEEK. By knowing which Websites their targets visit and compromising those sites, Threat Group 3390 has infected more than 50 companies in the automotive, electronic, aeronautical, pharmaceutical and oil-and-gas industries.

"They collect information on what data is on the network, and then they come back with a shopping list of what they are interested in, and exfiltrate the data," White said.

Espionage attacks have taken off in the past year. China-linked hackers have been tied to the breach of the Office of Personnel Management, which led to the exfiltration of files detailing the background checks on more than 22 million federal employees, contractors and job applicants. The same group has also been implicated in the breaches of health care insurer Anthem and United Airlines.

The group investigated by Dell SecureWorks is not new, but many of the details of their watering hole strategy were not previously known, White said. Security firm CrowdStrike noted the group's focus on embassies and dubbed it Emissary Panda.

While sophisticated, the group does not appear to exploit zero-day vulnerabilities, software flaws that have not yet been reported or fixed, according to Dell SecureWorks' White. Instead, the attackers recycle exploits for software flaws that may be months, or even years, old.

"The exploits that they are using to get into these companies are nothing special," he said. "They count on companies not keeping their software up to date."

Dell SecureWorks believes that, even with 100 documented Web compromises, "it is seeing just a sliver of TG-3390's activity," according to the firm's analysis.

The researchers linked the group to China through an accumulation of circumstantial evidence, including the use of the PlugX remote access trojan, or RAT, which is popular in China; the group's operating hours, which match China's daytime working hours; and the use of the Baidu search engine for reconnaissance. The attackers also compromised an Uyghur cultural Website to use as a watering hole. The Chinese government has historically had an interest in the ethnic minority group.

Dell SecureWorks advised companies to look beyond just perimeter and endpoint defenses. Delving into access logs, especially privileged access logs, can help detect when attackers are moving from machine to machine inside the network perimeter. Restricting access to sensitive data and watching for the wholesale copying of information can also lead to earlier detection of breaches and limit the impact of a breach.

"There are a lot of things that companies can do to make it harder for the actor to move around, once they are inside," White said.
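The two signals Dell SecureWorks recommends watching, a privileged account hopping between hosts and the wholesale copying of data, can be turned into simple log checks. The following is an added example written for this article, not code from Dell SecureWorks or from the report; the pipe-delimited log format, the account and host names, the privileged-account list and the thresholds are all constructed for illustration.

```python
"""Detection examples for the two signals the article recommends watching:
privileged accounts logging on to many hosts in a short window (lateral
movement) and bulk reads of file data (wholesale copying).
The log format and every sample line below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "timestamp|event|account|src_host|dst_host|bytes"
SAMPLE_LOG = """\
2015-08-03T09:02:11|logon|svc_backup|ws-017|fs-01|0
2015-08-03T09:05:40|logon|svc_backup|ws-017|fs-02|0
2015-08-03T09:06:02|logon|svc_backup|ws-017|db-03|0
2015-08-03T09:07:55|logon|svc_backup|ws-017|hr-01|0
2015-08-03T09:09:13|logon|svc_backup|ws-017|eng-07|0
2015-08-03T09:30:00|logon|jsmith|ws-022|fs-01|0
2015-08-03T10:15:21|logon|jsmith|ws-022|mail-01|0
2015-08-03T11:01:00|file_read|svc_backup|fs-01|ws-017|734003200
2015-08-03T11:03:12|file_read|svc_backup|fs-02|ws-017|1610612736
2015-08-03T11:05:44|file_read|jsmith|fs-01|ws-022|2048000
"""

# Hypothetical list of privileged accounts; a real deployment would pull this
# from the directory or a privileged-access-management inventory.
PRIVILEGED = {"svc_backup", "domain_admin"}


def parse(log_text):
    """Parse the constructed pipe-delimited format into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        ts, event, account, src, dst, nbytes = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "account": account, "src": src, "dst": dst,
                       "bytes": int(nbytes)})
    return events


def lateral_movement(events, window=timedelta(minutes=15), max_hosts=3,
                     privileged_only=True):
    """Return {account: sorted hosts} for accounts that log on to more than
    max_hosts distinct hosts inside any sliding window of the given length."""
    logons = defaultdict(list)
    for e in events:
        if e["event"] != "logon":
            continue
        if privileged_only and e["account"] not in PRIVILEGED:
            continue
        logons[e["account"]].append((e["ts"], e["dst"]))

    alerts = {}
    for account, entries in logons.items():
        entries.sort()
        for i, (start, _) in enumerate(entries):
            hosts = {dst for ts, dst in entries[i:] if ts - start <= window}
            if len(hosts) > max_hosts:
                alerts[account] = sorted(hosts)
                break
    return alerts


def bulk_copy(events, threshold_bytes=1 << 30):
    """Return {account: total bytes} for accounts whose file_read volume
    exceeds threshold_bytes (default 1 GiB) across the log."""
    totals = defaultdict(int)
    for e in events:
        if e["event"] == "file_read":
            totals[e["account"]] += e["bytes"]
    return {acct: total for acct, total in totals.items() if total > threshold_bytes}


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("lateral movement:", lateral_movement(evts))
    print("bulk copy:", bulk_copy(evts))
```

In the constructed sample, the backup service account reaches five hosts in seven minutes and then reads more than 2 GB from two file servers, so both checks fire on it while the ordinary user's two logons and 2 MB read stay under the thresholds. The thresholds are deliberately simple; in practice they would be tuned per account role, and the logon check would be fed from the authentication logs the article singles out as the richest source for spotting movement inside the perimeter.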

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...