Chinese cyber espionage group caught hacking defense, industrial base

A highly trained group of Chinese hackers is targeting defense, commercial and political organizations worldwide, pulling off sophisticated heists of sensitive information, according to new research out Wednesday.

Though Chinese cyberespionage has been well-documented, researchers from Dell SecureWorks Counter Threat Unit – a division of Dell tech company – say this group, nicknamed Emissary Panda by another research firm, has pulled off cyberattacks at a level of sophistication and specialization rarely seen before among Chinese hackers.

“In the instances we were able to observe them, they had very specific organizations and projects in mind that they were pursuing, and the broad spectrum of industry verticals they targeted indicated they were more of a surgical tool used to take specific things from specific organizations, rather than the smash and grab, take everything type,” said Aaron Hackworth, Dell SecureWorks senior distinguished engineer.

The research contradicts the conventional notion of Chinese cyberthieves, who are typically described as taking everything they can get their hands on.

“I liken them a bit to a drunk burglar,” FBI Director James Comey said of China’s hacking groups in a “60 Minutes” interview. “They’re kicking in the front door, knocking over the vase, while they’re walking out with your television set. They’re just prolific. Their strategy seems to be: We’ll just be everywhere all the time. And there’s no way they can stop us.”

The group has been spotted before in 2013, turning the website of the Russian embassy in Washington and a Spanish defense firm into what’s called a watering hole attack – where the hackers turn the website against visitors to it to spread their malicious software.

Since then, Dell researchers have observed the hackers attacking a wide range of targets, including major U.S. defense contractors, aerospace firms, automakers, the energy sector, law firms handling sensitive business deals and political targets – including ethnic minorities in China.

Military still dealing with cyberattack ‘mess’

That last target, combined with the hours the group operates, the particular malicious software it uses and the use of search engine Baidu all give researchers a high degree of confidence the culprits are Chinese, Dell said. They didn’t connect the group to the Chinese government, but most Chinese cyber groups are considered by industry experts to be working for Beijing.

Not only were they able to break into the companies, but were able to steal sensitive data, as well.

Hackworth couldn’t reveal any names of the victims, but said researchers personally observed more than 100 watering hole traps on websites worldwide and identified 50 targets in the U.S. and U.K. He estimated what Dell could monitor was only a sliver of what the group was accomplishing.

“I would go as far as to say that the amount and type of data that was stolen is of concern both to our industrial base and our defense programs,” Hackworth said.

Once the groups managed to make an initial foray into an organization’s networks, within hours they were able to access credentials that gave them “full run of the place,” Hackworth said. They would then spend days or weeks making detailed lists of everything on the network that might have value, returning finally to take only a select few items.

Opinion: Why the cyberattacks keep coming

It was that precision, combined with a sophisticated organizational structure, that makes researchers believe they are dealing with a group that is the best of the best.

“It almost feels like they were tasked for specific things,” Hackworth said, adding that even after the hackers were discovered and kicked out of networks, they found a way back in. “The tenacity of these groups is something often overlooked in these reports; they don’t stop. If you’re a target of interest, that interest doesn’t stop when you wipe the malware off the computers. … They’re going to continue to pursue it regardless of what the defenders do.”