Report: Hackers With China Ties Linked to Global Password Thefts

A U.S. cybersecurity firm says a hacking group possibly linked to China has breached nine global organizations including at least one in the United States.  

The report by Palo Alto Networks of Santa Clara, California, said it found malicious actors were actively stealing passwords from target organizations with the goal of maintaining long-term access.  

The report said that from September 22 into early October, the hackers compromised at least nine entities in sectors such as technology, defense, health care, energy and education. None is identified in the report. One organization is in the United States.

Ryan Olson, vice president of threat intelligence at Palo Alto Networks, said that “any company doing business with the Pentagon could have a range of data in their emails about defense contracts that could be of interest to foreign spies.” 

Nicholas Eftimiades, an assistant teaching professor at Penn State University and a former CIA intelligence officer, told VOA Mandarin the tactics used in these attacks are usually employed against foreign governments. In this case, the hacking group used the tactics against commercial interests on a global scale.  

Eftimiades added that if these attacks had not been detected, the threat group would have gained access to thousands of companies and been able to conduct espionage from those companies.  

The report was released on the Palo Alto Networks website on November 7. The Chinese Ministry of State Security did not respond to VOA’s request for comment. 

Olson told CNN, which first reported the breach, that “in aggregate, access to that information can be really valuable,” adding, “even if it’s not classified information, even if it’s just information about how the business is doing.”

Palo Alto Networks said it detected two programs that were used, Godzilla and NGLite.  

Both included instructions in Chinese “and are publicly available for download on GitHub,” said the firm’s report. GitHub is used by millions of developers and companies worldwide for many things including sharing computer code. 

The cybersecurity firm added that the tactics used in the attacks appear similar to those used by Emissary Panda, a Chinese threat group that has been active since 2010.

The group has been active in the Middle East and has attacked U.S. defense contractors in the past, according to teampassword.com, a cyber-security firm. 

Olson told Newsweek that “based on the tools and techniques used in this campaign we see an overlap with Emissary Panda/APT27.” But he also stressed that the firm has yet to conclusively attribute the attacks to a threat group.

Palo Alto Networks did not disclose the names of any of the organizations that were attacked, but said the company is sharing information to raise awareness of threats and to fix the vulnerabilities exploited by hackers. 

The firm has been working with the Cybersecurity and Infrastructure Security Agency (CISA), a U.S. federal agency responsible for strengthening cybersecurity and communications infrastructure.  

Eric Goldstein, executive assistant director for cybersecurity at CISA, told VOA Mandarin via email that CISA was working with Palo Alto Networks to “understand, amplify and drive action in response to the activity identified in this report.” The agency has been working with the private sector through a Joint Cyber Defense Collaborative program.

Eftimiades, the retired intelligence officer, said private companies usually are not equipped to deal with this type of threat.  

He said that governments around the world, especially the U.S. government, should develop a deterrence policy to reduce or stop these types of attacks and develop a global alliance to respond to such attacks.  

The Wall Street Journal reported last month that the U.S. State Department is prepared to create a new bureau of cyberspace and digital policy and a special envoy responsible for critical and emergency technology, in order to better confront cybersecurity challenges. 
