Date: 2021-11-08

Security breaches in the United States have been linked to a Chinese cyber-espionage group.

According to a US cybersecurity firm, a hacking group has penetrated at least nine worldwide businesses in the domains of technology, defense, energy, and other vital industries as part of an apparent espionage campaign.

In a report released on Sunday, cybersecurity firm Palo Alto Networks said that hundreds of firms in the United States were targeted by hackers as part of an espionage operation that took place between late September and early October.

“At least nine multinational companies across the technology, defense, healthcare, energy, and education industries” were hacked, according to the report.

Palo Alto Networks noted in its research that “we believe the adversary targeted at least 370 Zoho [software]… in the United States alone” based on global telemetry. “Given the scope, we believe these scans were essentially indiscriminate in nature, with targets ranging from education to DOD entities.” According to the post, the hacking group was able to breach the entities by exploiting vulnerabilities in ManageEngine ADSelfService Plus software, which is used to manage network passwords.

Palo Alto Networks stated, “Ultimately, the actor was engaged in acquiring credentials, keeping access, and gathering sensitive material from victim networks for exfiltration.”

While attribution is still being worked out, the cybersecurity firm stated that the tools and methods used in the alleged hacking activities are similar to those employed by Chinese cyber-espionage outfit Emissary Panda, also known as TG-3390, APT 27, and Bronze Union.

“Specifically, we can see that TG-3390 used web exploitation and another popular Chinese webshell called ChinaChopper for their initial footholds before leveraging legitimate stolen credentials for lateral movement and attacks on a domain controller,” Palo Alto Networks explained in its report, citing SecureWorks’ article on a previous TG-3390 operation.

“While the webshells and exploits differ, we noticed some resemblance in some of the actors’ exfiltration tooling once they gained access to the environment.”

Emissary Panda, which has ties to the Chinese government, has been active since at least 2010. It has previously targeted companies all across the world, including American defense contractors and a European drone producer. Attacks have also been staged in Asia and the Middle East.

Palo Alto Networks has been contacted by Washington Newsday for additional comment.

Last month, Crowdstrike, a cybersecurity firm based in the United States, reported a hack. This is a condensed version of the available information.