
Numbered Panda

Numbered Panda is a cyber espionage group believed to be linked with the Chinese military. The group typically targets organizations in East Asia, including, but not limited to, media outlets, high-tech companies, and governments. Numbered Panda is believed to have been operating since 2009, and the group is also credited with a 2012 data breach at the New York Times. One of the group's typical techniques is to send malware-laden PDF files via spear phishing campaigns. The decoy documents are typically written in traditional Chinese, which is widely used in Taiwan, and the targets are largely associated with Taiwanese interests. Numbered Panda appears to actively seek out cybersecurity research relating to the malware it uses: after an Arbor Networks report on the group, FireEye noticed a change in the group's techniques intended to avoid future detection.

Discovery and security reports
Trend Micro first reported on Numbered Panda in a 2012 white paper. Researchers discovered that the group had been launching spear phishing campaigns, using the Ixeshe malware, primarily against East Asian nations since approximately 2009. CrowdStrike further discussed the group in the 2013 blog post Whois Numbered Panda. This post followed the 2012 attack on the New York Times and the newspaper's subsequent 2013 reporting on the attack. In June 2014, Arbor Networks released a report detailing Numbered Panda's use of Etumbot to target Taiwan and Japan. In September 2014, FireEye released a report highlighting the group's evolution. FireEye linked the release of Arbor Networks' report to Numbered Panda's change in tactics.
Attacks
East Asian Nations (2009-2011)

Trend Micro reported on a campaign against East Asian governments, electronics manufacturers, and a telecommunications company.

The 2012 attack on the New York Times occurred after the newspaper published a story about how the relatives of Wen Jiabao, the sixth Premier of the State Council of the People's Republic of China, "accumulated a fortune worth several billion dollars through business dealings." The computers used to launch the attack are believed to be the same university computers used by the Chinese military to attack United States military contractors. Numbered Panda used updated versions of the malware packages Aumlib and Ixeshe. The updated Aumlib allowed Numbered Panda to encode the body of a POST request used to gather a victim's BIOS details, external IP address, and operating system. A new version of Ixeshe altered the previous version's network traffic pattern in an effort to evade existing network traffic signatures designed to detect Ixeshe-related infections.
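The last two sentences describe the defender's problem in a nutshell: a signature written for one version's request shape stops matching as soon as the operator changes the path or encodes the body. The script below is an added example, not part of the original profile and not based on real Ixeshe or Aumlib traffic; every hostname, URI, body and timestamp in it is a constructed placeholder. It runs an exact-match signature over a small constructed proxy log and then a behaviour-based check that keys on what is harder for the operator to change: the regular check-in cadence of a beacon, with an opaque (base64-looking) body noted as a secondary feature.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (placeholder data, not real malware traffic).
# Format per line: "<ISO timestamp> <client> <method> <host> <uri> <body>"
# 10.0.0.5: "old" beacon, plaintext body, fixed path, every 5 minutes.
# 10.0.0.7: "new" beacon, different path, opaque encoded body, same cadence.
# 10.0.0.9: benign shopping traffic, irregular timing, form-encoded bodies.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 POST beacon-old.example /update.php os=WinXP;bios=AMI;ip=203.0.113.9
2024-01-01T10:05:00 10.0.0.5 POST beacon-old.example /update.php os=WinXP;bios=AMI;ip=203.0.113.9
2024-01-01T10:10:00 10.0.0.5 POST beacon-old.example /update.php os=WinXP;bios=AMI;ip=203.0.113.9
2024-01-01T10:00:30 10.0.0.7 POST beacon-new.example /img/logo.gif QmlvcyB3b3JrbG9hZCBleGFtcGxl
2024-01-01T10:05:30 10.0.0.7 POST beacon-new.example /img/logo.gif QmlvcyB3b3JrbG9hZCBleGFtcGxl
2024-01-01T10:10:30 10.0.0.7 POST beacon-new.example /img/logo.gif QmlvcyB3b3JrbG9hZCBleGFtcGxl
2024-01-01T10:01:12 10.0.0.9 POST shop.example /cart/add item=42&qty=1
2024-01-01T10:47:03 10.0.0.9 POST shop.example /checkout card=tok_abc&ship=home
2024-01-01T12:20:44 10.0.0.9 POST shop.example /cart/add item=17&qty=3
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) ?(.*)$")


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        ts, client, method, host, uri, body = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "method": method, "host": host, "uri": uri, "body": body})
    return events


# Brittle signature tuned to the "old" request shape only (constructed pattern).
SIGNATURE_OLD = re.compile(r"^POST /update\.php os=[^;]+;bios=[^;]+;ip=")


def signature_hits(events):
    """Clients whose requests match the exact-shape signature."""
    return sorted({e["client"] for e in events
                   if SIGNATURE_OLD.match(f'{e["method"]} {e["uri"]} {e["body"]}')})


# Heuristic for an opaque body: base64 alphabet only, mixed case plus digits.
B64_BODY = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def looks_opaque(body):
    return (bool(B64_BODY.match(body))
            and any(c.isdigit() for c in body)
            and any(c.isupper() for c in body)
            and any(c.islower() for c in body))


def beacon_hits(events, min_posts=3, max_cv=0.1):
    """Flag clients that POST to one host on a regular cadence.

    cv = stddev/mean of the gaps between requests; near zero means a timer.
    Returns {client: {host, period_s, cv, opaque_body}}.
    """
    by_pair = defaultdict(list)
    for e in events:
        if e["method"] == "POST":
            by_pair[(e["client"], e["host"])].append(e)
    hits = {}
    for (client, host), evs in by_pair.items():
        if len(evs) < min_posts:
            continue
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits[client] = {"host": host, "period_s": mean, "cv": round(cv, 3),
                            "opaque_body": all(looks_opaque(e["body"]) for e in evs)}
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("signature matches:", signature_hits(evs))      # only the old beacon
    for client, info in beacon_hits(evs).items():         # old and new beacons
        print(f"beacon-like: {client} -> {info}")
```

The signature catches only 10.0.0.5; the cadence check catches both beacons and leaves the irregular shopping traffic alone. In practice the cadence threshold needs tuning against legitimate periodic traffic (software updaters, monitoring agents), which is why the opaque-body flag is reported alongside it rather than used as a gate.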