Goblin Panda is one of the more prolific Chinese advanced persistent threat (APT) groups. Where many Chinese APTs concentrate on the United States and NATO members, Goblin Panda focuses primarily on Southeast Asia.
The group is highly active, carrying out regular attacks since CrowdStrike first observed them in 2013.
Who is Goblin Panda?
Goblin Panda is one of China's most active cyberespionage groups, and by some accounts one of the most active APT groups anywhere. The group carries out regular attacks in Southeast Asia and Japan but is most active in Vietnam.
Intelligence agencies and security firms have been unable to distinguish whether Goblin Panda works directly for the Chinese government or acts as a contractor.
Goblin Panda Aliases
Goblin Panda goes by several aliases, including Cycldek and Conimes. The group is also associated with the name 1937CN, under which the attacks described below were carried out.
What does Goblin Panda do?
Goblin Panda is best known for delivering exploit documents as Microsoft Word attachments. Opening one on an unpatched system triggers the exploit, which drops malware, typically a remote-access trojan, onto the victim's device.
The group targets its victims through researched spear-phishing email campaigns, sending personalized emails with document attachments.
These documents are usually specific to the region and user. For example, in Vietnam, Goblin Panda regularly creates fake "official" Vietnamese government documents written in Vietnamese.
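The attachment is the weak point in this chain, so it is worth triaging before anyone opens it. The following script is an added example, not TeamPassword's or CrowdStrike's tooling. A .docx is a zip archive of XML parts, so without Office it can check for a VBA macro project, embedded OLE objects, and relationship entries whose target is an external URL (the mechanism behind remote-template injection); legacy .doc and .rtf files are not zips and are flagged for a different parser rather than passed as clean. Both sample documents are constructed inline, and 203.0.113.10 is an RFC 5737 documentation address, not a real indicator.

```python
"""Triage a Word attachment before anyone opens it.

Added example; not TeamPassword's or CrowdStrike's tooling. A .docx is a zip
of XML parts, so macros, embedded OLE objects and external relationship
targets can be read without Office.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

# Relationship types that should never point outside the document itself.
RISKY_REL_TYPES = {"attachedTemplate", "oleObject", "frame", "subDocument"}


def triage_docx(data: bytes) -> dict:
    """Return the indicators found in the raw bytes of a .docx attachment."""
    findings = {"ooxml": True, "macros": False, "ole_objects": [], "external_rels": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["ooxml"] = False  # legacy .doc or RTF: hand to a different parser
        return findings
    with zf:
        names = zf.namelist()
        findings["macros"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        findings["ole_objects"] = sorted(n for n in names if "/embeddings/" in n.lower())
        for name in names:
            if not name.lower().endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue
            for rel in root.iter():
                # Tags are namespaced: {...relationships}Relationship
                if not rel.tag.endswith("Relationship"):
                    continue
                if rel.get("TargetMode") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                findings["external_rels"].append((rel_type, rel.get("Target", "")))
    return findings


def is_suspicious(findings: dict) -> bool:
    """Hyperlinks are normal; macros, embedded objects and remote templates are not."""
    if not findings["ooxml"]:
        return True  # unparsed legacy format: treat as unvetted, never as clean
    if findings["macros"] or findings["ole_objects"]:
        return True
    return any(t in RISKY_REL_TYPES for t, _ in findings["external_rels"])


# --- constructed sample documents (not real captures) -----------------------
_CT = b'<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>'
_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
_REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def _rels(*rels) -> bytes:
    """Build a .rels part from (type, target, is_external) tuples."""
    body = "".join(
        f'<Relationship Id="rId{i}" Type="{_REL_BASE}{t}" Target="{target}"'
        + (' TargetMode="External"' if ext else "") + "/>"
        for i, (t, target, ext) in enumerate(rels, 1))
    return f'<?xml version="1.0"?><Relationships xmlns="{_REL_NS}">{body}</Relationships>'.encode()


def build_docx(parts: dict) -> bytes:
    """Zip a dict of part-name -> bytes into an in-memory .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# A plain document with one ordinary hyperlink.
CLEAN_DOCX = build_docx({
    "[Content_Types].xml": _CT,
    "word/document.xml": b"<document/>",
    "word/_rels/document.xml.rels": _rels(("hyperlink", "https://example.org/", True)),
})
# Remote template plus an embedded OLE object. 203.0.113.10 is an RFC 5737
# documentation address, used here only as a placeholder.
TEMPLATE_INJECTION_DOCX = build_docx({
    "[Content_Types].xml": _CT,
    "word/document.xml": b"<document/>",
    "word/settings.xml": b"<settings/>",
    "word/_rels/settings.xml.rels": _rels(
        ("attachedTemplate", "http://203.0.113.10/template.dotm", True)),
    "word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0" + b"\x00" * 28,
})
```

In practice the script runs at the mail gateway or in the analyst's sandbox: `is_suspicious(triage_docx(attachment_bytes))` quarantines anything with a macro project, an embedded object or an external template, while ordinary hyperlinks pass.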
The group's focus on Southeast Asia, South Korea, and Japan is consistent with gathering intelligence on China's neighbors in the disputes over the contested waters and islands of the South China Sea.
Goblin Panda is also responsible for attacks in Europe, the United States, Australia, the Middle East, and Africa.
Famous Goblin Panda Attacks
Goblin Panda's primary targets are defense, energy, and government entities. The group usually uses PlugX and HttpTunnel malware to establish backdoors into compromised networks, tools and tactics that Chinese hacker groups commonly share.
The Philippines and Vietnamese Website Attacks - 2015
Goblin Panda (operating under 1937CN) went on a hacking spree in 2015, attacking around 1,000 websites in Vietnam and 200 in the Philippines.
The Vietnamese websites included 15 state-run websites and 50 education sites.
Attacks like these on Southeast Asian nations are common and often linked to Goblin Panda/1937CN.
Attacks on Multiple Vietnamese Airports - 2016
In 2016, Goblin Panda (operating under 1937CN) attacked 21 Vietnamese airports, including Hanoi's Noi Bai International Airport and Ho Chi Minh City's Tan Son Nhat International Airport.
The group took over public address systems, including loudspeakers and information screens, to broadcast offensive language and Chinese propaganda about the South China Sea.
The airports had to disconnect the internet temporarily and complete check-ins, boarding, announcements, and flight information manually.
At the same time, 1937CN hacked and "defaced" Vietnam Airlines' website and managed to steal personal data for 411,000 passengers.
The apparent motive for the 2016 attack was to send Vietnam and the Philippines a warning, most likely in connection with the disputed waters of the South China Sea.
This attack is exceptionally brazen and unusual for an advanced persistent threat. Most groups prefer covert operations and avoid revealing anything that could tie them back to their respective government.
The messages broadcast through Vietnam's airports were, in effect, very public threats to Southeast Asian nations in support of China's position.
First Steps to Prevent Cyber Attacks
Cyberattacks have increased significantly since the start of the pandemic. As lockdowns continue and people get desperate, we'll likely see even more breaches and ransomware attacks.
You must have robust systems in place to prevent breaches and cyber attacks. Your team members are the first line of defense, so educating employees about cybersecurity must be a priority!
As sophisticated as Goblin Panda is, its intrusions still start with a person: someone has to open the attachment. Once inside, attackers routinely harvest credentials to move from one system and network to the next.
Stolen or reused credentials feature in a large share of breaches, so securing your company's passwords is another crucial step to preventing breaches and unauthorized credential sharing.
Secure Password Management with TeamPassword
TeamPassword makes it safe and easy for small businesses to manage passwords. Sharing passwords via email, Slack, spreadsheets, and other insecure methods increases your risk of attack significantly.
With TeamPassword, you never share login credentials. Instead, each team member gets a TeamPassword account and then uses a browser extension (Chrome, Firefox, and Safari) to access applications, websites, and other accounts.
Groups and Sharing
TeamPassword lets you create unlimited groups for sharing access to accounts. For example, your social media group in TeamPassword would access your social media accounts and scheduling software.
If you need to hire a freelancer or contractor, simply add them to a group and remove them when they're done. Removing them ends their access through TeamPassword; any credential they may have seen or copied in plaintext should still be rotated, as it would be for any departing team member.
You can also use the same TeamPassword account for all of your client's digital assets. Keeping all your credentials in one place eliminates the risk of team members distributing passwords across spreadsheets, email, and Slack threads.
Activity Log & Email Notifications
Stay on top of team member activity and prevent unauthorized access and sharing with TeamPassword's activity log and email notifications.
TeamPassword lets you create instant email notifications for every action (logins, credential sharing, new accounts, and more)—allowing you to keep track of your most sensitive data.
Secure Unique Password Generator
Using the same password for multiple accounts makes it easy for hackers to take over your entire digital portfolio fast: one leaked password is simply replayed against every other service (credential stuffing). Weak passwords are another common mistake small businesses make.
With TeamPassword's built-in secure unique password generator, you never have to worry about weak passwords or using the same credentials more than once.
The password generator lets you create secure passwords from 12-32 characters with uppercase, lowercase, numbers, and symbols.
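What makes a generator like this trustworthy is not the character menu but how the characters are chosen. The following is an added example, not TeamPassword's own implementation: it draws from the operating system's cryptographic random source via Python's `secrets` module (never the seeded `random` module), guarantees every requested character class is actually present, shuffles so the guaranteed characters do not sit at predictable positions, and reports the entropy so the 12-character minimum can be justified.

```python
"""Generate passwords the way a password manager should.

Added example, not TeamPassword's implementation: OS CSPRNG via `secrets`,
every requested character class guaranteed present, entropy reported.
"""
import math
import secrets
import string

CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.?/",
}
ALL_CLASSES = tuple(CLASSES)
_rng = secrets.SystemRandom()  # os.urandom-backed; never the seeded `random` module


def generate_password(length: int = 20, classes=ALL_CLASSES) -> str:
    """Return a random password of `length` using the named character classes."""
    if not 12 <= length <= 32:
        raise ValueError("length must be between 12 and 32 characters")
    pools = [CLASSES[c] for c in classes]
    alphabet = "".join(pools)
    # One guaranteed character from each class, the remainder from the full
    # alphabet, then a CSPRNG shuffle so class positions are not predictable.
    chars = [secrets.choice(pool) for pool in pools]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    _rng.shuffle(chars)
    return "".join(chars)


def entropy_bits(length: int, classes=ALL_CLASSES) -> float:
    """Upper bound on entropy: length * log2(alphabet size).

    Forcing one character per class removes a little, but not enough to
    matter at 12 or more characters.
    """
    return length * math.log2(sum(len(CLASSES[c]) for c in classes))


def has_all_classes(password: str, classes=ALL_CLASSES) -> bool:
    """True when at least one character from every requested class is present."""
    return all(any(ch in CLASSES[c] for ch in password) for c in classes)
```

With all four classes the alphabet has 86 characters, so a 12-character password carries about 77 bits and a 32-character one about 205 bits; the difference between a 12- and a 20-character password is far larger than the difference between any two symbol sets.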
Two-Factor Authentication (2FA)
Two-factor authentication (2FA) is crucial for keeping your TeamPassword account safe from hackers. TeamPassword's 2FA works with Google Authenticator, a free app for iOS and Android devices.
Even if attackers manage to steal an employee's TeamPassword credentials, the password alone is not enough to log in: they would also need the one-time code generated on the employee's phone.