In the realm of cyber warfare, few adversaries command as much attention and intrigue as advanced persistent threat (APT) groups. Among these, one group stands out for its advanced techniques, persistence, and suspected state-sponsored activities – the elusive APT Group Numbered Panda, also known by various aliases like IXESHE, DynCalc, DNSCALC, and APT12 or APT-12. In this in-depth exploration, we delve into the operations, tactics, and impact of Numbered Panda, shedding light on its origins, campaigns, and notable attacks.
The enigma of Numbered Panda
Numbered Panda has earned a reputation as a formidable cyber espionage group believed to be affiliated with the Chinese military. Its primary targets lie in East Asia, with a focus on infiltrating high-value organizations such as media outlets, high-tech firms, and government entities. While the full extent of the group’s activities remains shrouded in mystery, it’s believed that Numbered Panda has been operational since 2009, amassing a significant list of victims along the way.
Evolution of techniques and targets
One of Numbered Panda’s distinctive features is its reliance on spear-phishing to gain initial access. These campaigns typically deliver malicious PDF files by email, exploiting vulnerabilities such as CVE-2009-4324, CVE-2009-0927, CVE-2011-0609 and CVE-2011-0611 in Adobe software (Reader and Flash Player), along with flaws in Microsoft Excel. Notably, the group’s decoy documents are commonly written in traditional Chinese, matching targets associated with Taiwanese interests.
The group also pays attention to public research on its tooling. After Arbor Networks released a report on Numbered Panda’s Etumbot backdoor, FireEye observed a shift in the group’s tactics, a deliberate move to avoid detection and preserve operational secrecy.
Trail of discovery: Unveiling Numbered Panda
Numbered Panda first came to public attention through a 2012 report by Trend Micro. This report detailed the group’s spear-phishing campaigns using the Ixeshe malware, which had been targeting East Asian nations since around 2009. Following the late-2012 intrusion into The New York Times’ network, disclosed by the newspaper in January 2013, CrowdStrike released a blog post titled “Whois Numbered Panda” in 2013, linking the group to these events.
In 2014, Arbor Networks published a comprehensive report detailing Numbered Panda’s use of Etumbot to target Taiwan and Japan. This report marked a turning point: FireEye subsequently documented a change in the group’s tactics in response to it. This series of publications played a crucial role in uncovering the group’s activities and shedding light on its evolution.
Assaults on East Asian nations
The modus operandi of Numbered Panda’s early campaigns included spear-phishing against East Asian governments, electronics manufacturers, and telecommunications companies. Their spear-phishing emails carried malicious attachments, often in the form of PDF files exploiting various software vulnerabilities. The Ixeshe malware, employed during these campaigns, enabled the group to carry out a range of actions within compromised systems, including information gathering, file manipulation, and establishing control over victim networks.
Targeting Japan and Taiwan
In subsequent campaigns, Numbered Panda shifted its focus to Japan and Taiwan, utilizing the Etumbot malware. The group’s strategies remained consistent, with decoy files in the form of PDFs, Excel spreadsheets, and Word documents used as email attachments to gain initial access. Etumbot droppers also used the Unicode right-to-left override character (U+202E) in file names, which is not a software vulnerability but a display trick: the part of the name after the control character is rendered reversed, so an executable such as a name ending in “cod.exe” appears to end in “exe.doc” and looks like a document to the recipient. This period marked a significant evolution in the group’s tactics, further solidifying its reputation.
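To make the right-to-left override trick concrete, here is an added Python example (not code from the original article or from any vendor report) that shows how such a file name renders and a check a mail gateway or analyst could apply to attachment names. The file names are constructed, and the rendering function approximates the Unicode bidi algorithm rather than implementing it fully.

```python
"""Right-to-left override (U+202E) file-name disguise: how it renders and how to detect it.
Added example; the file names below are constructed, not taken from a real campaign."""

RLO = "\u202e"
# Unicode bidirectional controls that have no business in an attachment name.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
}

EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}


def displayed_name(name: str) -> str:
    """Approximate what a naive file browser or mail client shows.

    Everything after the first RLO is rendered right-to-left, so the visible
    string is the prefix followed by the reversed suffix. This ignores finer
    points of the bidi algorithm (digit handling, nested controls), which is
    enough to see why "cod.exe" appears as "exe.doc".
    """
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + tail[::-1]


def extension(name: str) -> str:
    """Extension the operating system will act on: text after the last dot."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def check_attachment(name: str) -> dict:
    """Return the real name, what the user sees, and a list of red flags."""
    shown = displayed_name(name)
    real_ext, shown_ext = extension(name), extension(shown)
    flags = []
    if any(ch in BIDI_CONTROLS for ch in name):
        flags.append("bidi-control")
    if real_ext != shown_ext:
        flags.append("extension-mismatch")
    if real_ext in EXECUTABLE_EXTENSIONS:
        flags.append("executable")
    return {"real": name, "displayed": shown, "real_ext": real_ext,
            "shown_ext": shown_ext, "flags": flags}


if __name__ == "__main__":
    # Constructed sample names: one disguised executable, one ordinary decoy.
    for sample in ("2012_budget_\u202ecod.exe", "2012_budget.xls"):
        print(check_attachment(sample))
```

The useful policy point is that the presence of any bidi control character in an attachment name is itself a strong signal; the extension comparison only confirms what the attacker wanted the user to see.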
The New York Times and beyond
One of Numbered Panda’s most infamous attacks was the 2012 breach of The New York Times’ computer network. This attack followed the publication of an article highlighting the wealth amassed by the relatives of Wen Jiabao, then Premier of China. The attack underscored the group’s ability to target high-profile entities and capture international attention.
Strategies, techniques, and adaptation
Numbered Panda’s arsenal includes a distinctive Command and Control (C2) technique in which the implant derives its C2 port at run time from a DNS answer rather than carrying a fixed port in the binary; this is the origin of the DynCalc and DNSCALC aliases. The group typically uses two DNS names: one resolves to the C2 host, while the address returned for the other is fed into an algorithm that yields the port. Because the port is never hard-coded and can be changed by updating a DNS record, egress filtering that blocks a fixed destination port, or a port extracted from one analysed sample, does not stop the next beacon.
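The following Python is an added example (not from the original article, and not the group’s actual code) that models the two-name scheme and the defensive consequence. The port-derivation function is a hypothetical stand-in, chosen only to show the shape of the technique; the real DynCalc algorithm is not reproduced here. The DNS records, host names and log entries are all constructed, using documentation address ranges.

```python
"""Model of DNS-derived C2 ports and why an egress allow list, not a port block
list, is the right control. Added example: the derivation below is HYPOTHETICAL
and is not the real DynCalc/DNSCALC algorithm; DNS records and logs are constructed."""
import ipaddress

# Constructed zone under the (simulated) operator's control. The first name
# resolves to the C2 host; the second exists only to carry the port seed.
C2_NAME = "update.news-example.net"
CALC_NAME = "calc.news-example.net"
ZONE_V1 = {C2_NAME: "203.0.113.10", CALC_NAME: "198.51.100.57"}
# Later the operator rotates only the seed record; the implant is unchanged.
ZONE_V2 = {C2_NAME: "203.0.113.10", CALC_NAME: "198.51.100.200"}


def derive_port(seed_ip: str) -> int:
    """HYPOTHETICAL derivation: low 16 bits of the seed address, forced above 1024."""
    b = ipaddress.IPv4Address(seed_ip).packed
    port = (b[2] << 8) | b[3]
    return port if port >= 1024 else port | 0x8000


def beacon_target(zone: dict) -> tuple[str, int]:
    """What the implant connects to: the C2 address plus a port it never stored."""
    return zone[C2_NAME], derive_port(zone[CALC_NAME])


def port_blocklist_blocks(port: int, blocklist: set) -> bool:
    """Egress rule built by blocking the port observed in one sandbox run."""
    return port in blocklist


ALLOWED_EGRESS_PORTS = {80, 443}


def flag_dynamic_egress(dns_log, conn_log, allowed=ALLOWED_EGRESS_PORTS):
    """Correlate DNS answers with outbound connections per host.

    dns_log entries: (host, qname, answer_ip); conn_log entries: (host, dst_ip, dst_port).
    A connection to an address the same host just resolved, on a port outside
    the allow list, is the observable shape of the technique whatever the
    port algorithm is.
    """
    resolved = {(host, ip): qname for host, qname, ip in dns_log}
    return [(host, resolved[(host, ip)], ip, port)
            for host, ip, port in conn_log
            if port not in allowed and (host, ip) in resolved]


def simulate() -> dict:
    """Run two beacon sessions and compare a block list with an allow list."""
    c2_ip, port_v1 = beacon_target(ZONE_V1)
    _, port_v2 = beacon_target(ZONE_V2)
    blocklist = {port_v1}  # analyst blocks the one port seen during analysis
    # Constructed logs for the second session; the 443 flow is benign noise.
    dns_log = [("ws17", C2_NAME, c2_ip), ("ws17", CALC_NAME, ZONE_V2[CALC_NAME])]
    conn_log = [("ws17", c2_ip, port_v2), ("ws17", "203.0.113.80", 443)]
    return {
        "port_v1": port_v1,
        "port_v2": port_v2,
        "blocklist_catches_v2": port_blocklist_blocks(port_v2, blocklist),
        "allowlist_catches_v2": port_v2 not in ALLOWED_EGRESS_PORTS,
        "flagged": flag_dynamic_egress(dns_log, conn_log),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

The design point is that the defender cannot know the derivation function, so the control has to be independent of it: a positive egress policy (only approved ports and proxies out) and correlation of DNS answers with the connections that follow them both work without knowing how the port was computed, whereas a block list keyed on one observed port is defeated by a single DNS record change.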
The group’s targets, tactics, and adaptability indicate a high level of organization and resourcefulness. Its ability to change tactics in response to security reports further highlights its capacity to adapt and maintain operational effectiveness.
Conclusion: A persistent enigma
APT Group Numbered Panda continues to be a significant player in the cyber espionage landscape. With a history dating back to 2009 and a reputation for targeted attacks, the group’s activities underscore the need for continuous vigilance in the face of evolving cyber threats. As the group adapts its tactics, industries and governments must remain proactive, employing robust cybersecurity measures and collaborative efforts to thwart the impact of sophisticated adversaries like Numbered Panda.