A cyber attacker running an advanced persistent threat campaign against a European drone maker has been spotted and is believed to be based in China. The same attacker is also believed to have targeted a subsidiary of a French energy management company.
ThreatConnect, a threat intelligence firm, analyzed the attacks but said it could not properly determine which hacking group was behind the campaign.
The main suspects the company has identified so far are the Emissary Panda group, also known in some circles as APT27 and TG-3390, and Dynamite Panda, which goes by other names such as APT18, Wekby and TG-0416. At the moment it is hard to tell whether the hackers were able to steal any data from the organizations they targeted.
The security firm started analyzing the attacks back in June after it came across a variant of the HttpBrowser backdoor. The backdoor has already been leveraged by both Emissary Panda and Dynamite Panda. The groups are said to have used the adobesys[dot]com domain for the malware's command and control communications.
The email address that registered the domain was also seen at a Chinese domain reseller, where it was used to register some of the domains involved in the Anthem and OPM attacks. Both of those attacks were also said to have originated from China.
Security researchers believe that both Emissary Panda and Dynamite Panda have lately been targeting the aerospace and defense sectors, but Emissary Panda is the one most often known to attack the energy industry.
Back in September 2015, the current US President, Barack Obama, and his Chinese counterpart, President Xi Jinping, both agreed to stop cyber espionage attacks conducted for economic gain against the other. The agreement worked a treat for a while, but some espionage attacks still emanate from mainland China. FireEye announced in June that Chinese spying had dropped in volume overall, but that the groups had become more focused in their targeting.
The subsidiary of the French energy management firm that was attacked was apparently at one time contracted to the US government, including the Department of Defense. Espionage against an energy company could be seen as a violation of the 2015 agreement between China and the US, though one would assume China would classify it as military espionage.
The attack on the drone manufacturer, however, could have been economically motivated. China's DaJiang Innovation Technology (DJI) is considered one of the largest drone makers, holding 70 percent of the market share, so targeting a European competitor could help it maintain its position as the sector's leader.