APT26 (Turbine Panda) – China

Overview

APT26 engages in cyber operations where the goal is intellectual property theft, usually focusing on the data and projects that make a particular organization competitive within its field.

Targets

Aerospace, Defense, and Energy sectors, among others.

Attack vectors

The group frequently uses strategic web compromises to gain access to target networks and custom backdoors once they are inside a victim environment.

How they work

Attack and IE 0day Information Used Against Council on Foreign Relations. Regarding information’s posted on the Washington Free Beacon, infected CFR.org website was used to attack visitors in order to extract valuable information’s.

The “drive-by” attack was detected around 2:00 pm on Wednesday 26 December and CFR members who visited the website between Wednesday and Thursday could have been infected and their data compromised, the specialists said. Capstone Turbine Corporation Also Targeted in the CFR Watering Hole Attack.

Chinese Intelligence Officers and Their Recruited Hackers and Insiders Conspired to Steal Sensitive Commercial Aviation and Technological Data for Years.

During recent engagements, the RSA IR Team has responded to multiple incidents involving a common adversary targeting each client’s infrastructure and assets.

The RSA IR Team is referring to this threat group internally as “Shell_Crew”; however, they are also referred to as Deep Panda, WebMasters, KungFu Kittens, SportsFans, and PinkPanther amongst the security community.

References:

• Advanced Persistent Threats (APTs) – APT26
• Chinese Intelligence Officers and Their Recruited Hackers and Insiders Conspired to Steal Sensitive Commercial Aviation and Technological Data for Years