According to the Council on Foreign Relations, “This threat actor targets government agencies and entities in the defense and energy sectors in Southeast Asia with an interest in issues related to tensions in the South China Sea.”
According to Prevailion’s threat intelligence platform, this APT has been active in countries from the US to Asia, including India, Japan, South Korea, Vietnam and Australia, as well as throughout Europe, the Middle East and Africa (EMEA).
Prevailion has also observed that Goblin Panda is three times more active than another major Chinese group, Mustang Panda. While it has been widely reported that the APT targets governments, it also targets many different industries and seemingly goes after well-known names within those industries. Prevailion has detected that these industries include well-known US tech companies, prominent cybersecurity companies, large telecoms and financial institutions, as well as one of the world’s largest oil companies. It has also targeted privacy groups and four large universities in the US.
Believed to be backed by the Chinese government, Goblin Panda has grown increasingly infamous since it was first identified in 2013. In 2018, multiple reports attributed attacks on Vietnam to the APT. Kaspersky’s 2019 APT Report noted that Cycldek (also known as Goblin Panda and Conimes) had become notorious for its information-stealing and espionage campaigns that target both government entities, such as defense and energy, and the private sector using PlugX and HttpTunnel malware variants, Digital News Asia reported.
Goblin Panda has also been reported to leverage “a custom-designed stealthy tool called ‘USBCulprit’, which has sophisticated information-leeching capabilities, especially when used on an air-gapped system.”
Security researchers have warned about the APT’s use of this fairly new espionage tool to target air-gapped systems; the group reportedly uses rich-text format (RTF) documents to deliver remote access trojans.
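Because the delivery vehicle named above is an RTF document, a defender’s first triage question is whether a given RTF carries embedded objects or encoded payload data rather than plain text. The following script is an added example for this article and is not code from Prevailion, Kaspersky or any of the reports cited; the control-word list and the “long hex run” threshold are my own heuristic assumptions, and both sample documents are constructed inline so the script runs offline.

```python
import re

# Constructed sample inputs (not from any real campaign or report).
BENIGN_RTF = rb"{\rtf1\ansi\deff0 {\fonttbl {\f0 Times New Roman;}} Hello, world.\par }"
SUSPICIOUS_RTF = (
    rb"{\rtf1\ansi {\*\objdata "
    + b"00" * 40              # 80 hex characters: stands in for an encoded object blob
    + rb" }{\object\objemb{\*\objclass Package}} }"
)

RTF_MAGIC = rb"{\rtf"

# Assumed watch-list of RTF control words that introduce embedded content.
# Their presence does not prove malice; it marks the file for closer inspection.
EMBED_MARKERS = {
    b"\\objdata": "embedded OLE object data",
    b"\\objemb": "embedded object",
    b"\\objautlink": "auto-linked object",
    b"\\objclass": "declared OLE class",
    b"\\pict": "embedded picture (can wrap an OLE payload)",
}

# Assumed heuristic: RTF object data is hex-encoded, so long unbroken hex runs
# are where a payload would live. 64 hex characters is an arbitrary threshold.
HEX_RUN = re.compile(rb"[0-9a-fA-F]{64,}")


def triage_rtf(data: bytes) -> dict:
    """Return a dict with a 'suspicious' flag and a list of human-readable findings."""
    findings = []

    # Genuine RTF starts with the {\rtf header; anything else deserves a look.
    if not data.lstrip().startswith(RTF_MAGIC):
        findings.append("missing or malformed RTF header")

    # Count each embedding-related control word.
    for marker, description in EMBED_MARKERS.items():
        count = data.count(marker)
        if count:
            findings.append(f"{description} ({marker.decode()} x{count})")

    # Flag long hex runs, which is how embedded object data is encoded in RTF.
    hex_runs = HEX_RUN.findall(data)
    if hex_runs:
        findings.append(f"{len(hex_runs)} long hex run(s), possible encoded payload")

    return {"suspicious": bool(findings), "findings": findings}


def triage_file(path: str) -> dict:
    """Convenience wrapper for running the triage against a file on disk."""
    with open(path, "rb") as fh:
        return triage_rtf(fh.read())


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_RTF), ("suspicious", SUSPICIOUS_RTF)):
        result = triage_rtf(sample)
        print(f"{name}: suspicious={result['suspicious']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

The script only classifies; it does not extract or execute anything. In practice a hit would be followed by detonation in a sandbox or inspection with an OLE-aware parser, and the marker list should be tuned against the organisation’s own legitimate RTF traffic to keep false positives manageable.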
“We believe Goblin Panda to be a sophisticated threat actor with a broader target list than what has been previously revealed,” said Prevailion CEO and Founder Karim Hijazi. “In our own intelligence gathering activities, we have found their activities to be extensive, and not at all limited to Southeast Asia. Private sector CISOs should carefully evaluate their partners and supply chains, not only in Southeast Asia, but also in India, the Middle East and Africa.”
Hijazi discusses Microsoft hack parallels with SolarWinds and how China and Russia likely execute their cyber campaigns.
See Prevailion CEO, Karim Hijazi, comment on how nation states use proxy groups to compromise organizations through weaker supply chain points.
See Prevailion CEO, Karim Hijazi, weigh in on a second SolarWinds hack and how elite hacker groups have likely already compromised many top companies around