China-linked ‘Electric Panda’ hackers seek U.S. targets, intel agency warns. The warning comes as tensions rise between the U.S. and Chin...
China-linked ‘Electric Panda’ hackers seek U.S. targets, intel agency warns. The warning comes as tensions rise between the U.S. and China over the spread of Covid-19.
Nearly 40 U.S. contracting facilities with access to classified information have been targeted by a hacking group with suspected ties to the Chinese government since Feb. 1, according to a bulletin disseminated to contractors by the Defense Counterintelligence and Security Agency on Wednesday.
The bulletin, obtained by Science Techniz, is marked “unclassified/for official use only” and warns that DCSA’s cyber division detected nearly 600 “inbound and outbound connections” from “highly likely Electric Panda cyber threat actors” targeting 38 cleared contractor facilities, including those specializing in health care technology.
“Electric Panda” is not a widely accepted designation for a state-sponsored hacking group, cyber experts said, but the cybersecurity firm CrowdStrike has attributed Electric Panda to the Chinese government, the bulletin notes. The term “connections” is also pretty vague, experts noted, but former National Security Agency researcher Dave Aitel said the detection of both inbound and outbound activity likely means the U.S. managed to penetrate the command and control machines that Electric Panda was using.
Cleared contractor facilities often receive warnings about hacking attempts from the FBI and DCSA, but the notices rarely attribute the malicious activity to a specific group or nation-state as the DCSA did with Electric Panda, one employee at a firm that contracts for the intelligence community said.
The warning comes as tensions rise between the U.S. and China over the spread of Covid-19, with U.S. intelligence agencies examining the possibility that the virus was accidentally leaked from a lab in Wuhan. There is currently no evidence to support that theory, two people familiar with the matter told media on Thursday.
The so-called Electric Panda group is not new — it seems to have been operating since at least 2016, according to one of the indicators listed by DCSA. And Karim Hijazi, CEO of cyber firm Prevailion, said he found two malware types associated with the group’s activity — one of which, Fireball, is definitively Chinese in origin — that were referenced as early as 2017 by the cyber firms Checkpoint and Unit 42.
But since Feb. 1, the group has been targeting contractors that specialize in cybersecurity, aerospace, naval, health care, power generation, IT systems, telecommunications, risk analysis, and space systems, the bulletin says — basically, a list of industries any sophisticated nation-state actor would want to hit, said Aitel, now the CTO of Cyxtera Technologies.
The purported attempts on health care-focused contractors are particularly concerning given the current pressure on the health care system to care for the crush of Covid-19 patients across the U.S. The cybersecurity firm FireEye wrote last week that “though we have no reason to believe there is a sudden, elevated threat to healthcare, the criticality of these systems has probably never been greater, and thus the risk to this sector will be elevated throughout this crisis.”
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the United Kingdom’s National Cyber Security Centre warned in a joint statement last week that APT groups — which are typically directed by a nation-state, like Electric Panda — and cybercriminals were trying to exploit the pandemic.
“APT groups are using the COVID-19 pandemic as part of their cyber operations,” the statement reads. “These cyber threat actors will often masquerade as trusted entities. Their activity includes using coronavirus-themed phishing messages or malicious applications, often masquerading as trusted entities that may have been previously compromised. Their goals and targets are consistent with long-standing priorities such as espionage and ‘hack-and-leak’ operations.”
FireEye also warned earlier this month that the number of attempted phishing attacks quadrupled in March, when stay-at-home orders were put in place and the U.S. workforce overwhelmingly shifted to teleworking. Another China-based adversary known as Pirate Panda has shifted its tactics according to what receives global media attention, according to a CrowdStrike analysis.
In January, it was deploying malware related to the death of Iranian General Qassem Soleimani; by late February, it was sending out fake health reports about coronavirus that mimicked the World Health Organization’s daily updates. China-based groups are not the only ones exploiting the pandemic, however — North Korea and Russia have also been using Covid-19 themes as a lure in cyberattacks to advance their long-term espionage campaigns, according to FireEye.
“It is clear that adversaries expect us to be distracted by these overwhelming events,” the firm wrote. “The greatest cyber security challenge posed by COVID-19 may be our ability to stay focused on the threats that matter most.”