Panda Emissary, a suspected Chinese APT group, is targeting high-profile governments and organisations involved in defence and aerospace projects.
Researchers at Dell found that the group used watering hole attacks. The group likes to compromise websites that are popular with a target organisation's personnel—they've already compromised more than 100 sites.
The group exploits old vulnerabilities that victims have not yet patched. Dell found that the APT group usually exploited Java flaws.
The watering holes used by these hackers include a whitelist, which lets them run surgical attacks: only staff from a target organisation are infected, and the operation stays under the radar for a while. The group used the custom tools OWaAuth web shell and ASPXTool, along with the popular criminal hacking tools PlugX RAT, HttpBrowser and China Chopper.
The Panda Emissary group targeted large manufacturing companies that supply defence organisations; energy firms; embassies in Washington DC representing countries in the Middle East, Europe and Asia; NGOs focused mainly on international relations and defence; and government organisations.
Dell researchers are cautious about attributing the hacking team to China. They observed working hours consistent with a Chinese time zone and the use of native-language tools, but they cannot rule out the possibility that these indicators are the product of a false-flag operation.