Reporting Date: Updated 23 June 2020
Assessment Period: 8 – 23 June 2020
CYFIRMA Research issued its first report on 18 June containing analysis and observations regarding the ongoing conflict as it unfolds in the dark web and hacker communities.
We continue to monitor the situation, and our telemetry shows that more targets have been identified, the scale has expanded, and additional compromised IP addresses have been discussed as vulnerabilities to be used in technical exploits.
A third target dump was posted by hackers on dark web forums, along with new IOCs that they would potentially use for data reconnaissance and to launch the attack.
Our research points to hackers discussing the extensive target lists which include government agencies and private companies. The targets may not be limited to the lists published as the threat has increased. Hackers could be planning a nationwide cyberattack.
We strongly recommend that CERT-In issue a public advisory (to all organizations, not just those listed here) given the scale of the potential cyberattack.
The impacted organizations should monitor and block these IP addresses and hashes immediately.
Our research has uncovered a clear set of IOCs, predominantly IP addresses used for hosting command and control (C&C) infrastructure and malware, together with malware hashes. These IOCs attribute back to the Chinese hacking groups ‘Gothic Panda’ and ‘Stone Panda’.
In the hackers’ conversations, IP addresses were shared and discussed. Our analysis of these IP addresses attributes the potential hacking campaigns to Gothic Panda and Stone Panda, two prolific hacking groups with close association with the Chinese Government.
Gothic Panda: Gothic Panda is a long-standing Chinese threat actor group which has targeted Aerospace, Defence, Construction and Engineering, High Tech, Telecommunications, Transportation and Manufacturing sectors in the past. The group has been responsible for multiple campaigns including Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.
Stone Panda: A Chinese threat actor group which has traditionally shown interest in stealing international trade secrets and supply chain information from enterprises across many countries, including India, Japan, the USA, Canada, and Brazil.
Motivation: Sensitive data exfiltration to create brand and reputation damage.
Target List: (Full List is Masked)