Panda is Not Cute Anymore

SecureIQLab’s threat intel and research team recently discovered a data dump purporting to belong to a Chinese company. The company in question was breached by an unknown entity that may have a grudge against the Chinese government. Upon closer examination, it appears that the breached company receives contracts from the Chinese government to do its bidding. The Chinese government is not just controlling the means of production of cyber weapons such as zero-days, advanced phishing attacks, malicious code embedded in firmware, etc., but is also giving marching orders to the creators of the attack tools.

This mercantilist-socialist nation state is flexing its muscle in Asia by reaching for the low-hanging fruit: targets with no cyber hygiene and little to no functional cyber security defenses. This even includes some regional partners. Targets include national telecom companies and government agencies, among others. China is clearly demonstrating its capabilities in researching, developing, and deploying cyber weaponry.

Further investigation of the infrastructures of the targets breached by this state-contracted entity reveals that multiple targets have telecom infrastructures that utilize a considerable amount of Chinese equipment (ZTE, Huawei). So, why bother with noisy RATs (remote access trojans) when stealthy attack technologies provide the master keys to the target infrastructure? Such an attack path offers plausible deniability and points the finger at someone else.

The current tools and data sets that have been leaked indicate that some of these trojans attempt to communicate with command-and-control servers; that traffic can be blocked by firewalls that combine deep packet inspection with post-exploitation detection.

In the coming weeks, SecureIQLab will release the test results of advanced cloud firewall (ACFW) products. These results contain a thorough evaluation of post-exploitation and APT protection mechanisms as provided by these ACFWs.

A recommended best practice is to employ Geo-IP and domain blocking wherever communication with a given geographical region is not required for your business continuity.