APT26 engages in cyber operations where the goal is intellectual property theft, usually focusing on the data and projects that make a particular organization competitive within its field.
Name: China Turbine Panda (CrowdStrike), APT26 (Mandiant), Shell Crew (RSA), WebMasters (Kaspersky), KungFu Kittens (FireEye), Group 13 (Talos), PinkPanther (RSA), Black Vine (Symantec), Bronze Express (SecureWorks), JerseyMikes (?)
Location: China
Suspected attribution: State-sponsored, the Jiangsu Bureau of the MSS (JSSD)
Date of initial activity: 2010
Targets: Aerospace, Defense, and Energy sectors, among others.
Motivation: Information theft and espionage; financial crime
Associated tools: Cobalt Strike, Derusbi, FormerFirstRAT, Hurix, Mivast, PlugX, Sakula RAT, StreamEx, Winnti, Living off the Land.
Attack vectors: The group frequently uses strategic web compromises to gain access to target networks and custom backdoors once they are inside a victim environment.
How they work: Attack and IE 0day Information Used Against Council on Foreign Relations. According to information posted on the Washington Free Beacon, the infected CFR.org website was used to attack visitors in order to extract valuable information. The “drive-by” attack was detected around 2:00 pm on Wednesday 26 December, and CFR members who visited the website between Wednesday and Thursday could have been infected and their data compromised, the specialists said. Capstone Turbine Corporation Also Targeted in the CFR Watering Hole Attack.
Chinese Intelligence Officers and Their Recruited Hackers and Insiders Conspired to Steal Sensitive Commercial Aviation and Technological Data for Years.
During recent engagements, the RSA IR Team has responded to multiple incidents involving a common adversary targeting each client’s infrastructure and assets. The RSA IR Team is referring to this threat group internally as “Shell_Crew”; however, they are also referred to as Deep Panda, WebMasters, KungFu Kittens, SportsFans, and PinkPanther amongst the security community.