Mustang Panda is a Chinese cyberespionage group that primarily targets non-governmental organizations (NGOs) and US think tanks. It's unclear whether Mustang Panda operates independently or works for the Chinese government.
The group is somewhat creative in its ability to use legitimate software and tools to mask the deployment of malware and trojans.
Keep your passwords safe from bad actors like Mustang Panda. Sign up for a TeamPassword trial and prevent attackers from breaching your digital assets.
Try our 14-day free trial and start protecting yourself today with TeamPassword.
Who is Mustang Panda?
Mustang Panda was first discovered in 2017 by CrowdStrike, but there are indications that the group has been active since as early as 2014.
Mustang Panda attacks government entities and NGOs, especially those critical of China. The group has a preference for NGOs working on social, humanitarian, and environmental policies.
These NGOs often challenge government policies, so it makes sense that state entities (not just China) would attempt to spy on these organizations. They may want to uncover protected sources or sensitive research, steal intellectual property, or even discredit the NGO's work.
Most of Mustang Panda's operations target Southern and Southeast Asia, and the group is particularly active in Mongolia. The group has also attacked NGOs, religious institutions, and think tanks in the United States, the United Kingdom, Australia, and Europe.
Mustang Panda Aliases
Here is a list of Mustang Panda aliases assigned by intelligence agencies and security firms:
- Bronze President
- Red Lich
- RedDelta (Some security analysts are unsure if RedDelta is, in fact, Mustang Panda. But there are a lot of similarities. Only a few toolsets and minor tactics differ.)
What does Mustang Panda do?
Mustang Panda's primary objective appears to be gathering intelligence on NGOs, nonprofits, religious organizations, and think tanks. It's likely to provide China with intel to get ahead of bad press or attempt to influence policy in other countries.
Mustang Panda is excellent at exploiting software vulnerabilities and using familiar tools, like Google Drive and link shorteners, so users are less likely to be suspicious.
The group often sends PDFs to its victims that require an "Adobe Flash Update." Clicking the UPDATE button drops Mustang Panda's malware and trojans, providing access to the victim's device and network.
More recently, Mustang Panda has exploited COVID-19 by creating a fully functioning infection-tracking app for Android devices. The app contains SpyNote Remote Access Trojan (RAT), allowing Mustang Panda to monitor a user's activity, control the camera and microphone, access and copy all the phone's data, intercept incoming calls and texts—essentially use the device as the user does!
In addition to apps, Mustang Panda also used a spear-phishing campaign to send a malicious PDF with "COVID-19 information."
Famous Mustang Panda Attacks
Mustang Panda is somewhat new compared to other Chinese advanced persistent threat groups like Goblin Panda, Emissary Panda, and Gothic Panda—to name a few!
The Vatican & Catholic Churches - 2020
With negotiations set to take place between The Vatican and the Chinese Communist Party (CCP) in September 2020, Mustang Panda (operating as RedDelta) successfully infiltrated several Catholic organizations in March 2020, including the Vatican.
The CCP was looking for more control and insight over the Catholic church in China. So hacking these institutions would provide them with intel and possibly leverage over the negotiations.
RedDelta gained access through a spear-phishing attack—an email from the Vatican to Msgr. Javier Corona Herrera, a chaplain at the Hong Kong Study Mission to China.
The attachment contained a message of condolence about the recent death of a bishop. Also included was malware giving RedDelta access to the Hong Kong Study Mission to China's offices and the Vatican's mail servers.
From there, RedDelta moved laterally through the Vatican's systems, using the intelligence it gathered to send highly relevant spear-phishing campaigns.
LuminousMoth Campaign - 2020
In 2020, Mustang Panda (operating as LuminousMoth) successfully hacked around 1,500 victims in Myanmar and the Philippines.
First, LuminousMoth targeted victims through a spear-phishing campaign that downloaded malware and trojans to the victim's device—at the same time, copying these files to any removable USB drives.
LuminousMoth would then gain access to any other device the infected USB drive was later plugged into.
Security analysts were a little confused by the LuminousMoth campaign, as it didn't appear to have any real target or goal, which is unusual for cyberespionage groups.
The LuminousMoth campaign was likely a way for Mustang Panda to test new tools and tactics.
Is Your Company Prepared for Cyber Attacks?
It feels like we hear about fresh cyberattacks and methods every day! Cyber attacks are no longer something only large organizations and government institutions need to worry about.
Effective cybersecurity for small businesses is crucial to protect your company, clients, and team members from attacks.
These are our top 5 tips for increasing cybersecurity at your company.
1 - Use a Password Manager - TeamPassword
A password manager is an essential tool for companies to share passwords safely with team members, contractors, and freelancers.
We designed TeamPassword with small businesses and agencies in mind. With TeamPassword, you never expose raw login credentials—mitigating the risk of unauthorized sharing and access.
Create groups in TeamPassword for different teams, client accounts, or projects, so you only provide access to those who need it!
2 - Educate Employees
Educating your team is key to preventing cyber attacks. This education isn't a one-off event—security risks change and evolve all the time.
Creating a dedicated security Slack channel or company cybersecurity wiki is one way your team can stay on top of attack trends and vulnerabilities.
3 - Always Install Updates
Software and firmware updates fix bugs and other security vulnerabilities. These bugs provide attackers with creative methods to breach apps and systems—so updating is crucial.
Make sure you and your team always install updates as soon as they're available.
4 - Keep Personal & Work Devices Separate
Always mandate that employees use a separate device for work—preferably a company-issued computer or laptop set up by your company's IT team.
Employees must not use these devices for personal email or to surf the web. By separating work and personal devices, you eliminate the risk of being a casualty if your employee falls victim to a personal cyber attack.
5 - Implement Two-Factor Authentication (2FA)
2FA is an affordable and highly effective way to prevent attackers from breaching your accounts, even if they steal a team member's password.
For example, TeamPassword uses 2FA for logging in. Employees have to enter their password, plus a random six-digit code from Google Authenticator to access their account.
Without the employee's device (iOS or Android), attackers can't log into TeamPassword, even if they've stolen their password.