APT14 – Anchor Panda is an adversary that CrowdStrike has tracked extensively over the last year. It targets both civilian and military maritime operations in green-water and brown-water (coastal and riverine) regions, primarily within the area of operations of the PLA Navy's South Sea Fleet. Beyond maritime operations in that region, Anchor Panda has also heavily targeted Western companies in the US, Germany, Sweden, the UK, Australia and other countries, specifically those involved in maritime satellite systems, aerospace, and defense contracting.
Name: Anchor Panda (CrowdStrike), APT 14 (Mandiant), Aluminum (Microsoft), QAZTeam (?)
Suspected attribution: State-sponsored, PLA Navy
Date of initial activity: 2012
Targets: Government, telecommunications, and construction and engineering. Embassies and diplomatic missions in the region, foreign intelligence services, and foreign governments with space programs were also targeted.
Motivation: Information theft and espionage
Associated malware: Gh0st RAT, Poison Ivy, Torn RAT.
Attack vectors: APT14 threat actors do not tend to use zero-day exploits, but they may adopt such exploits once they have been made public. They may use a custom SMTP mailer tool to send their spear-phishing messages, which are often crafted to appear to originate from organizations the recipient trusts.
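The spear-phishing pattern described above (a custom mailer sending messages that impersonate a trusted organization) usually leaves its trace in the envelope and infrastructure headers rather than in the visible From line. The following check is an added example, not code from CrowdStrike, Mandiant or this page: it parses two constructed messages (the domains, hosts and IDs are invented, not real APT14 indicators) and flags a message when the Return-Path and Message-ID domains disagree with the From domain or when the receiving MTA's Authentication-Results show SPF/DKIM/DMARC failing or absent. The two-finding threshold in `is_suspicious` is an assumed tuning value, not anything the page states.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: a mailer on an unrelated domain impersonating a trusted
# sender in the From header. Not a real APT14 message.
SPOOFED_MSG = """\
Return-Path: <bounce-77@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [192.0.2.10]) by mx.target.example with ESMTP id abc123
Authentication-Results: mx.target.example; spf=fail smtp.mailfrom=mailer.example.net; dkim=none
Message-ID: <20130314.9a1@mailer.example.net>
From: "Maritime Safety Office" <notices@trusted-org.example>
To: ops@target.example
Subject: Updated vessel routing notice
Content-Type: text/plain

Please review the attached routing notice.
"""

# Constructed sample: the same sender, but actually relayed by its own domain.
LEGIT_MSG = """\
Return-Path: <notices@trusted-org.example>
Received: from mail.trusted-org.example (mail.trusted-org.example [198.51.100.5]) by mx.target.example with ESMTP id def456
Authentication-Results: mx.target.example; spf=pass smtp.mailfrom=trusted-org.example; dkim=pass header.d=trusted-org.example; dmarc=pass header.from=trusted-org.example
Message-ID: <20130314.1b2@mail.trusted-org.example>
From: "Maritime Safety Office" <notices@trusted-org.example>
To: ops@target.example
Subject: Updated vessel routing notice
Content-Type: text/plain

Please review the attached routing notice.
"""


def _addr_domain(header_value):
    """Domain part of the first address in an address header, lower-cased."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def _same_org(domain, from_domain):
    """True when domain equals from_domain or is a subdomain of it."""
    return domain == from_domain or domain.endswith("." + from_domain)


def header_alignment_findings(raw):
    """Return a list of (code, detail) findings for one raw RFC 5322 message.

    Checks performed:
      * Return-Path (envelope sender) domain vs. From domain
      * Message-ID domain vs. From domain (custom mailers often stamp their own)
      * spf / dkim / dmarc results in the receiving MTA's Authentication-Results
    """
    msg = email.message_from_string(raw)
    findings = []

    from_dom = _addr_domain(msg.get("From", ""))

    rp_dom = _addr_domain(msg.get("Return-Path", ""))
    if rp_dom and not _same_org(rp_dom, from_dom):
        findings.append(("return-path-mismatch", f"{rp_dom} != {from_dom}"))

    mid_dom = msg.get("Message-ID", "").strip().strip("<>").rpartition("@")[2].lower()
    if mid_dom and not _same_org(mid_dom, from_dom):
        findings.append(("message-id-mismatch", f"{mid_dom} != {from_dom}"))

    # Only the first Authentication-Results header (our own MTA's) is consulted;
    # attacker-supplied copies further down would be ignored by this lookup.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=([a-z]+)", auth)
        if m is None:
            findings.append((f"{mech}=missing", "no result recorded"))
        elif m.group(1) != "pass":
            findings.append((f"{mech}={m.group(1)}", auth))

    return findings


def is_suspicious(raw, threshold=2):
    """Assumed tuning: two or more independent misalignments trigger an alert."""
    return len(header_alignment_findings(raw)) >= threshold


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_MSG), ("legit", LEGIT_MSG)):
        print(label, is_suspicious(sample), [c for c, _ in header_alignment_findings(sample)])
```

In production the Authentication-Results header must be the one added by your own border MTA (match on its authserv-id, here `mx.target.example`), since a sender can prepend a forged one; the example reads only the first occurrence, which is where a well-configured MTA places it.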
How they work: CrowdStrike does not share many details about this adversary, so as not to make it too easy for them to adapt, but their blog post does publish some signatures specific to Anchor Panda.