Who is Emissary Panda and How Can You Protect Yourself?

Emissary Panda is a Chinese advanced persistent threat group notorious for using strategic Web compromises to target victims.

The group has been around since 2010 and is still highly active to this day—attacking governments and multinational corporations worldwide.

Cyber attacks are increasing at an alarming rate! Does your company have effective cybersecurity tools and systems to mitigate breaches? TeamPassword allows you to protect your company's digital assets with a secure password management tool.


Try our 14-day free trial to protect yourself


Who is Emissary Panda?

Emissary Panda is a Chinese cyberespionage group that primarily targets aerospace, government, defense, technology, energy, and various manufacturing sectors.

Emissary Panda has been active since at least 2010, when they breached US defense contractors, stealing terabytes of data!

The group is highly active in the Middle East and Asia and regularly attacks NATO allies, including the United States.

Emissary Panda got its name from the security firm CrowdStrike: "Emissary" is the group's codename, while "Panda" denotes a Chinese advanced persistent threat group.

Emissary Panda Aliases

Emissary Panda goes by several aliases, including:

  • TG-3390
  • BRONZE UNION
  • APT27 (Advanced Persistent Threat 27 - US federal government classification)
  • Iron Tiger
  • LuckyMouse
  • TEMP.Hippo
  • Red Phoenix
  • Budworm
  • Group 35
  • ZipToken

Emissary Panda has collaborated with other Chinese cyberespionage groups, including Turbine Panda, Deep Panda, and APT26.


What does Emissary Panda do?

Emissary Panda attacks government institutions and multinational organizations to steal state secrets and intellectual property.

The group is famous for installing web shells through software vulnerabilities and then installing multiple "backdoors," making it difficult to eradicate the attackers from a system.

Emissary Panda's malware and trojans are highly advanced, making it nearly impossible to detect the group or its movements through a network. The attackers use various pieces of malware to provide remote access, install backdoors, and hide their tracks by deleting user activity logs.

In some instances, Emissary Panda uses a mix of software vulnerabilities and spear-phishing to breach networks.

What makes Emissary Panda unique is the group's well-planned operations, often working for years before breaching their final target.  

Until 2020, Emissary Panda's primary focus was cyber espionage and intelligence gathering. But since 2020, investigators have linked Emissary Panda to multiple ransomware attacks.


Famous Emissary Panda Attacks

Emissary Panda is a highly active group, constantly attacking organizations to steal information. The following are just a few examples of Emissary Panda's attacks, but they showcase the group's sophisticated planning and execution.

Operation "Iron Tiger" - 2010 - 2013

Emissary Panda's first major attack was against a US defense contractor in 2013. But the operation started in Asia in 2010.

The group managed to steal a significant amount of military data, including emails, intellectual property, and strategic planning documents.

Iron Tiger was a well-coordinated cyberespionage operation spanning two continents with targets in Hong Kong, China, Tibet, the Philippines, and the United States.

In 2010, the attackers used spear-phishing attacks to target victims in China, Hong Kong, the Philippines, and Tibet. After breaching a system, Emissary Panda would lie silently, gathering intelligence.

After three years, Emissary Panda had the information it needed to go after bigger fish, mostly technology contractors for the United States government. 

By the end of Operation "Iron Tiger," Emissary Panda had stolen terabytes of data, most of it from the United States. The sensitivity of this data posed a severe threat to US intelligence and military organizations. 

Multiple Watering-Hole Attacks - 2015

In 2015, Dell SecureWorks unveiled a report at the Black Hat information security conference in Las Vegas. 

The report detailed how Emissary Panda used more than 100 legitimate websites (for watering-hole attacks) to breach at least 50 US and UK organizations. 

Emissary Panda relied on software vulnerabilities to inject malicious code into legitimate websites—mostly those of embassies and NGOs. Visitors would use the website as usual, but navigating from one page to the next would automatically download an exploit onto the user's device.

The exploit would automatically set up a web shell for Emissary Panda to access the PC while at the same time creating backdoors and erasing user logs to remain undetected.

Emissary Panda spent time gathering intelligence and stealing credentials as they moved laterally through systems and networks. In some cases, they used spear-phishing attacks sent from legitimate email addresses to access other networks and organizations.
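The two behaviours described in this section, a script planted in a web root to serve as a web shell and event logs cleared to erase tracks, are both visible to a defender who collects endpoint telemetry. The following is an added example for this article, not code from TeamPassword or from any report on Emissary Panda. It runs two simple detection rules over constructed sample events and raises the severity when a log is cleared on the same host shortly after a script appears under the web root. The JSON field names (`ts`, `host`, `event_id`, `path`, `channel`) are an assumed export format; the event IDs are real Windows ones (Security 1102 "audit log was cleared", System 104 "log file was cleared", Sysmon 11 "FileCreate").

```python
"""Detect web-root script drops and event-log clearing, then correlate them.

Added example, not the article's or TeamPassword's code. Sample events are
constructed; the field layout is an assumed SIEM export. Real identifiers
used: Windows Security event 1102, System event 104, Sysmon event 11.
"""
import json
from datetime import datetime, timedelta

# Constructed sample telemetry in JSON-lines form. Raw string so that the
# doubled backslashes reach the JSON parser as escaped path separators.
SAMPLE_EVENTS = r"""
{"ts": "2015-06-01T09:00:00", "host": "web01", "source": "Sysmon", "event_id": 11, "path": "C:\\inetpub\\wwwroot\\css\\site.css"}
{"ts": "2015-06-01T09:05:00", "host": "web01", "source": "Sysmon", "event_id": 11, "path": "C:\\inetpub\\wwwroot\\images\\cache.aspx"}
{"ts": "2015-06-01T09:07:30", "host": "web01", "source": "Security", "event_id": 1102, "channel": "Security"}
{"ts": "2015-06-01T09:08:00", "host": "web01", "source": "System", "event_id": 104, "channel": "Application"}
{"ts": "2015-06-01T11:00:00", "host": "web02", "source": "Sysmon", "event_id": 11, "path": "C:\\inetpub\\wwwroot\\index.html"}
{"ts": "2015-06-02T08:00:00", "host": "dc01", "source": "Security", "event_id": 1102, "channel": "Security"}
{"ts": "2015-06-02T08:30:00", "host": "web03", "source": "Sysmon", "event_id": 11, "path": "C:\\inetpub\\wwwroot\\upload\\x.php"}
"""

# Assumed web-root locations and the server-side script extensions that
# should not normally appear there outside a deployment.
WEB_ROOTS = ("c:\\inetpub\\wwwroot\\", "/var/www/")
SCRIPT_EXTENSIONS = (".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp")
LOG_CLEARED_IDS = (1102, 104)
CORRELATION_WINDOW = timedelta(minutes=30)


def parse_events(jsonl: str) -> list:
    """Parse JSON-lines into dicts with a datetime timestamp, oldest first."""
    events = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def is_webroot_script_drop(ev: dict) -> bool:
    """Sysmon FileCreate of a server-side script under a web root."""
    if ev.get("event_id") != 11:
        return False
    path = ev.get("path", "").lower()
    return path.startswith(WEB_ROOTS) and path.endswith(SCRIPT_EXTENSIONS)


def is_log_cleared(ev: dict) -> bool:
    """Security log cleared (1102) or another event log file cleared (104)."""
    return ev.get("event_id") in LOG_CLEARED_IDS


def detect(events: list) -> list:
    """Apply both rules; a log clear soon after a drop on the same host is high."""
    alerts = []
    drops_by_host: dict = {}
    for ev in events:
        if is_webroot_script_drop(ev):
            drops_by_host.setdefault(ev["host"], []).append(ev)
            alerts.append({"severity": "medium", "host": ev["host"], "ts": ev["ts"],
                           "rule": "script created under web root",
                           "detail": ev["path"]})
        elif is_log_cleared(ev):
            recent = [d for d in drops_by_host.get(ev["host"], [])
                      if ev["ts"] - d["ts"] <= CORRELATION_WINDOW]
            rule = "event log cleared"
            if recent:
                rule += " shortly after web-root script drop"
            alerts.append({"severity": "high" if recent else "medium",
                           "host": ev["host"], "ts": ev["ts"], "rule": rule,
                           "detail": f"event_id={ev['event_id']} channel={ev.get('channel')}"})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_EVENTS)):
        print(f"[{a['severity']:6}] {a['ts']:%Y-%m-%d %H:%M} {a['host']:5} {a['rule']}: {a['detail']}")
```

On the constructed sample this yields five alerts: the `.aspx` and `.php` drops on web01 and web03, two high-severity log clears on web01 within minutes of its drop, and a medium-severity log clear on dc01 that has no preceding drop to correlate with. The `.css` and `.html` creations are ignored, which is the point of keying on server-side script extensions rather than on any write to the web root.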

Emissary Panda's First Known Ransomware Attack - 2020

In 2020, Emissary Panda switched from cyber espionage to ransomware attacks—a highly unusual move for a typical advanced persistent threat group. The group targeted multiple gaming companies worldwide, breaching at least one.

The breach started at a third-party supplier, twice removed from the actual target before Emissary Panda eventually broke into the gaming company.

The group installed web shells and created multiple backdoors, making it impossible to remove the attackers.

It's unclear who the gaming company was or whether or not they paid a ransom.

This attack shows that Emissary Panda is capable and willing to engage in all sorts of cybercrimes and not just gather intelligence.


How Can You Protect Yourself Against Cyber Attacks?

Defending against a group like Emissary Panda is extremely difficult. These attackers rely on software vulnerabilities and human error to breach a target, often making multiple attempts over many months and years.

The first step to prevent these sorts of attacks is for companies to update software and firmware regularly. These updates provide crucial bug fixes, closing the very vulnerabilities that groups like Emissary Panda use to stage an attack.

Effective cybersecurity is essential for small businesses, especially if you work with contractors and freelancers. We learn from Emissary Panda that cyber criminals often attack third-party providers to gain access to bigger fish.


Secure Your Business with TeamPassword

TeamPassword is a password manager designed for secure account authentication and safe credential sharing. You never share raw passwords, eliminating the risk of unauthorized access or sharing.

With TeamPassword, you can create groups for various accounts, so you only provide access to those who need it. When a team member no longer needs access, simply remove them with one click.

The password manager comes with two-factor authentication, preventing a full breach if attackers steal a user's credentials. TeamPassword also features an activity log, and you can set up email notifications for every action on the password manager.

Protect your company's digital assets with TeamPassword. Get a 14-day free trial to test our robust password management tool with your team today!