Who is Gothic Panda and how can you protect yourself?

Gothic Panda is a known Chinese state-sponsored cyberespionage group. The highly skilled attackers regularly use zero-day exploits to breach networks—a sophisticated hacking technique that takes weeks or months to execute.

The group has been operating since the mid-2000s, attacking various state contractors in the United States and US government entities.

We saw a significant increase in cyber-attacks in 2020. Is your business protected?

Sign up for a free 14-day TeamPassword trial and protect your company's digital assets from attacks!

Who is Gothic Panda?

Gothic Panda is an advanced persistent threat group known to US Intelligence as APT3. Investigations revealed that Gothic Panda has direct links to the Chinese Ministry of State Security (MSS) and other Chinese agencies.

Until 2015, Gothic Panda's primary target was the United States. But since March 2016, the group's focus has shifted to Hong Kong, where it has attacked political entities and critics of the Chinese Communist Party.

Gothic Panda Aliases

Gothic Panda goes by many aliases assigned by intelligence agencies and security firms.

  • APT3 (Advanced Persistent Threat 3 - US federal government classification)
  • Buckeye
  • TG-0110
  • Bronze Mayfair
  • UPS Team
  • Group 6
  • Pirpi

What does Gothic Panda do?

Gothic Panda hacks tech, transportation, telecommunications, aerospace, and defense companies to steal intellectual property. 

In addition, the group attacks India, Vietnam, Hong Kong, the US, and NATO-aligned state entities to gather intelligence and steal state secrets.

Gothic Panda has an extensive range of tools and techniques to breach systems and networks. The group is especially good at zero-day exploits and spear-phishing attacks.

Once inside a system, Gothic Panda uses highly sophisticated tools to provide remote access, create multiple "backdoors," and remain undetected for months.

Famous Gothic Panda Attacks

Due to the sensitive data and the high-level state entities Gothic Panda targets, we know little about many of the group's attacks.

Operation Clandestine Fox - 2014

Operation Clandestine Fox is one of Gothic Panda's first significant zero-day attacks. The group discovered an unknown vulnerability in Microsoft's Internet Explorer (IE), allowing them to get around the browser's security features.

By circumventing IE's security, Gothic Panda could infect a user's device through watering-hole attacks. The security vulnerability affected an Adobe Flash plugin for IE6 to IE11, but Gothic Panda targeted IE9 and IE10 users.

Disabling Adobe Flash meant you could use IE without worrying about the attack, but most people stopped using Microsoft's browser until Microsoft fixed the problem—some never returned to IE!

Luckily, FireEye Research Labs found the zero-day exploit early. Still, it took several days for Microsoft to fix the vulnerability, and only a few users fell victim to Operation Clandestine Fox.

In a statement, Microsoft said: "The reality is there have been a very small number of attacks based on this particular vulnerability and concerns were, frankly, overblown."

Operation Clandestine Fox - Part 2 - 2014

Shortly after Microsoft fixed IE, Gothic Panda switched tactics to contacting US companies through a spear-phishing campaign. 

The perpetrators would first "friend" or "follow" a victim's friends and family on social media. Next, they would send direct messages (DMs) and emails pitching themselves as potential tech candidates looking for work.

The correspondence contained malicious links and attachments designed to provide Gothic Panda access to the user's device.

The tools and tactics were identical to Operation Clandestine Fox, leading investigators to believe the group had quickly changed its method of attack after the Microsoft patch on IE.

DoublePulsar Backdoor - 2016

In 2017, the hacker group The Shadow Brokers leaked tools and zero-day exploits from "Equation Group," a suspected branch of the National Security Agency (NSA).

While there was no evidence to tie Gothic Panda to The Shadow Brokers leak in 2017, the group used variants of Equation Group's leaked tools in 2016 for cyberattacks in Belgium, Luxembourg, Hong Kong, Vietnam, and the Philippines.

Investigators believe that either Gothic Panda had stolen these tools earlier or The Shadow Brokers weren't the source of the 2017 leak.

C919 airplane - 2010 to 2015

A 2019 report from security firm CrowdStrike shows how the Chinese Ministry of State Security used multiple hacker groups, including Gothic Panda, to breach aviation and aerospace companies worldwide.

When hackers could not breach a target, the MSS recruited Chinese nationals working at these companies to install malware on the victim's network.

The MSS wanted to steal intellectual property to help a Chinese state-owned aerospace manufacturer build its C919 airplane. 

The operation was a success for China, but experts pointed out that more than 20 parts and pieces of equipment on the C919 were stolen from primarily European and American companies.

The United States indicted several Chinese nationals, but China hasn't responded to requests for extradition.

Protect Your Business from Cyber Attacks

Cyber attacks are increasing at an alarming rate. We saw many significant data breaches in 2020, including the infamous SolarWinds attack and the CAM4 data leak.

More recently, we've seen how attackers breached T-Mobile, affecting around 40 million users!

Preventing attacks starts with educating employees about cybersecurity risks. Most attacks happen due to human error, so a well-educated, vigilant team will thwart most attacks.

Secondly, make sure you update software, firmware, and applications as soon as an update is released. These updates often patch zero-day vulnerabilities and other flaws that groups like Gothic Panda exploit in their attacks.

The next step is to protect your passwords. Using a password manager like TeamPassword allows you to share access safely without exposing passwords.

Instead of entering credentials, team members use one of TeamPassword's browser extensions (Chrome, Firefox, and Safari) to log in to social media, productivity tools, web apps, and other accounts your company uses.

You can create groups for sharing credentials and remove a team member when they no longer need access. This feature is fantastic for businesses that regularly share passwords with freelancers and contractors.

Instead of sharing multiple passwords, you share one key to unlock them all. TeamPassword has an activity log and email notifications so you can monitor user behavior and prevent unauthorized access.

Other TeamPassword security features include:

  • Two-factor authentication (2FA)
  • Built-in secure password generator
  • Advanced encryption technology

TeamPassword offers a free 14-day trial for businesses to test the password manager's features with team members.