Advanced persistent threat (APT) groups are often tricky to wrap your head around. State-associated groups are well-resourced and, as the name suggests, persistent: they prioritize stealth and staying undetected for as long as possible. That makes it difficult to catch them red-handed in the act of stealing secrets, and when you do, they have usually already achieved what they set out to achieve. That, of course, typically means the theft of your intellectual property, information, state secrets, and so on.
When it comes to APT groups, we tend to think of the Big Four countries, namely Russia, the People’s Republic of China (PRC), Iran, and North Korea. It’s impossible to go into the various APT groups associated with these countries individually without this blog post turning into a day-long seminar. So, today we focus on the PRC-linked Mustang Panda, a group that has caught our eye recently.
Before delving into what Mustang Panda is and what the group has been up to, it’s imperative to understand its underlying motivation. The PRC’s cyber strategy reflects a preference for avoiding direct confrontation, which makes cyber espionage a central part of its intelligence policy. Where cyber espionage operations are concerned, the PRC government has several APT groups at its disposal to conduct such campaigns and put us through complete panda-monium. These groups seek information that can give the Chinese state a strategic advantage, chiefly data related to two state-led objectives: 1) the Belt and Road Initiative (BRI), and 2) Made In China 2025 (MIC2025). The two programs define the areas in which the PRC strives to be a leader.
Naturally, big goals are made easier when broken down into smaller milestones. “千里之行,始於足下”, or in English: a journey of a thousand miles begins with a single step (thank you, Lao Tzu). Under these two state-led programs, the PRC has put in place smaller five-year economic plans (FYPs), with the intention of eventually meeting the end goals of BRI and MIC2025.
And that’s where Mustang Panda (and the PRC’s squad of other Pandas [熊猫]) comes in. First discovered around 2017, Mustang Panda has come a long way since its initial operations. It does one thing (information theft) and then some (as evident in its expansion in targeting scope and interest).
It is often challenging to put a label on APT groups, as labels are for soup cans. But anyone who has used a Thermomix would immediately be blown away by how the appliance doesn’t just cook but also whips, shapes, peels, kneads, minces, weighs, beats, and cleans itself! *mindblown* And this is exactly what Mustang Panda is – a Thermomix-level cyber espionage operator.
Like many other APT groups, Mustang Panda doesn’t go by just one name. It is also tracked under other aliases, such as TA416, Bronze President, and TEMP.Hex.
We’ve already established that information related to the BRI and the specific goals laid out in the PRC’s FYPs constitutes a key target for PRC-linked APT groups. But Mustang Panda does much more. Based on previous attacks, non-governmental organizations (NGOs) in South-East Asia, Europe, and the US have been frequent targets, likely for information on politically sensitive issues such as human rights (an area in which the PRC generally does not do well).
It has also turned inwards, looking at entities operating within the territories of the PRC. In particular, areas with which the PRC has a contentious relationship, such as Tibet, Hong Kong, and Taiwan, have all been named as victims of Mustang Panda operations. This points to a surveillance-type function for the group. It also hints at the group’s support for the varied political interests of the Chinese government: besides serving information-gathering requirements related to the BRI and MIC2025, Mustang Panda likely helps keep a close watch on contentious areas at the direction of the Chinese government.
More recently, the group was attributed to a campaign that targeted Russian officials in April 2022. In that operation, Mustang Panda sent phishing emails to Russian military and government officials in the hope of deploying the “PlugX” malware. PRC-linked APT groups seldom target Russian entities, and it is not hard to see why: the PRC and Russia have hitherto enjoyed relatively cordial relations (although Russia’s actions against Ukraine are likely to have thrown a wrench into Sino-Russian dynamics, if only slightly). This Mustang Panda campaign hints at two things: 1) the group is nimble and likely modifies its targeting scope to quickly adapt to the evolving interests of the Chinese government, and 2) no target is too elusive.
The group also understands when to strike. Amid the flurry of information covering the developments surrounding the Russia-Ukraine war, Mustang Panda was reported to have been targeting organizations in Europe using lures bearing topics pertaining to Russia’s incursion into Ukraine. The group likely capitalized on the “noise” during this period, betting on the developments of the armed conflict to serve as a distraction for its activity.
In more sporadic instances, telecommunications providers in Asia, Europe, and the US have been targeted. Other times, Mustang Panda also went after research entities, Internet service providers, and diplomatic missions.
Given that its victims span a wide range of geographies and diverse range of sectors, perhaps Mr Worldwide would be a more appropriate moniker for the group.
Mustang Panda’s Thermomix, jack-of-all-trades, swiss-army-knife nature is perhaps best summed up by its techniques. Social engineering to trick users into interacting with malware has been a tried-and-tested approach among APT groups, but Mustang Panda takes it further by using very tailored lures. In some instances, it has even used publicly downloadable legitimate documents. After all, why bother crafting your own when you can go straight to the source material?
That’s not all. It can exploit software vulnerabilities, and has done so faster than you can patch your systems. Previously, it exploited CVE-2017-0199 (a Microsoft Office remote code execution flaw triggered by a malicious OLE link in an RTF document) just days after the flaw was disclosed. Talk about striking while the iron is hot.
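Tailored document lures carrying CVE-2017-0199 are the kind of thing a SOC can triage at the mail gateway before anyone opens them. The script below is an added example written for this post, not ReliaQuest tooling or a Mustang Panda artifact: it applies the well-documented structural indicators of CVE-2017-0199 RTF lures (an auto-updating linked object, an embedded OLE2Link object, and the URL moniker CLSID inside the hex-encoded \objdata) to a document and pulls out any remote URL it finds. The two RTF samples are constructed for the example; the "lure" is a stub that embeds only the indicator strings and is not a working exploit, and the OLE object header bytes in it are illustrative rather than a valid OLE 1.0 structure. It is a heuristic, not a parser: real samples use RTF obfuscation (split control words, junk between hex digits), so treat a miss as "not flagged", not "clean".

```python
import re

# Documented indicators for CVE-2017-0199 lure documents: an RTF carrying an
# OLE2Link object whose URL moniker fetches a remote payload. The CLSID below is
# the URL Moniker {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B} in little-endian byte
# order, as it appears hex-encoded inside \objdata.
OLE2LINK_HEX = b"OLE2Link".hex().encode()               # 4f4c45324c696e6b
URL_MONIKER_CLSID_LE = b"e0c9ea79f9bace118c8200aa004ba90b"

# Constructed sample. Assumption: a real lure carries a full OLE 1.0 object; this
# stub only embeds the strings a triage pass keys on and is not a working exploit.
_STUB_OBJDATA = (
    b"\x01\x05\x00\x00\x02\x00\x00\x00"          # illustrative header bytes only
    + b"\x08\x00\x00\x00OLE2Link"                # class name length + class name
    + b"\x00" * 8
    + bytes.fromhex(URL_MONIKER_CLSID_LE.decode())
    + b"http://lure.example.invalid/update.hta\x00"   # hypothetical payload URL
)
SAMPLE_LURE = (
    rb"{\rtf1\ansi{\object\objautlink\objupdate{\*\objdata "
    + _STUB_OBJDATA.hex().encode()
    + rb"}}}"
)
SAMPLE_BENIGN = rb"{\rtf1\ansi Quarterly BRI logistics update.\par}"


def extract_objdata_hex(rtf: bytes) -> list:
    """Return the hex payload of every \\*\\objdata group, whitespace removed."""
    payloads = []
    for m in re.finditer(rb"\\\*\\objdata\s*([0-9a-fA-F\s]+)", rtf):
        payloads.append(re.sub(rb"\s+", b"", m.group(1)).lower())
    return payloads


def triage_rtf(rtf: bytes) -> dict:
    """Heuristic CVE-2017-0199 triage for one RTF document.

    Flags the document when it both auto-updates a linked object
    (\\objautlink or \\objupdate) and embeds an OLE2Link object or the URL
    moniker CLSID in \\objdata. Any URL found in the decoded object data is
    returned so it can be blocked or pivoted on.
    """
    result = {
        "objautlink": rb"\objautlink" in rtf,
        "objupdate": rb"\objupdate" in rtf,
        "ole2link": False,
        "url_moniker": False,
        "urls": [],
        "suspicious": False,
    }
    for payload in extract_objdata_hex(rtf):
        if OLE2LINK_HEX in payload:
            result["ole2link"] = True
        if URL_MONIKER_CLSID_LE in payload:
            result["url_moniker"] = True
        try:
            raw = bytes.fromhex(payload.decode())
        except ValueError:        # odd length or non-hex noise: keep the flags, skip decoding
            continue
        result["urls"].extend(
            u.decode("ascii", "replace")
            for u in re.findall(rb"https?://[^\x00\s]+", raw)
        )
    result["suspicious"] = (result["objautlink"] or result["objupdate"]) and (
        result["ole2link"] or result["url_moniker"]
    )
    return result


if __name__ == "__main__":
    for name, doc in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, triage_rtf(doc))
```

The verdict deliberately requires both halves: \objupdate on its own appears in legitimate linked documents, and an OLE2Link object without an auto-update control word will not fire on open. Feed the extracted URL to your proxy and DNS logs; a fetch of that URL from an endpoint tells you who opened the lure.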
Needless to say, Mustang Panda is technically competent. Its malware collection is probably better stocked than a doomsdayer’s ration cabinet, with both publicly available and customized malware. “PlugX” and “Poison Ivy” are the malware families most frequently seen in Mustang Panda’s attacks. Improvements are a must: “Hodor” is the updated version of PlugX. Apart from malware, the group relies on tools such as reverse shells, Cobalt Strike, and Meterpreter to maintain access to, and operate within, a victim network.
(Disclaimer: PlugX is shared by many other PRC-linked APT groups, so detecting PlugX on its own is weak evidence for attribution. Corroborate with infrastructure, lure themes, and targeting before attributing a campaign to Mustang Panda specifically.)
The way we see it, Mustang Panda is very much like that overachieving friend from high school who is good at everything: studies, extra-curricular activities, and all.
We can expect to see the group’s activities again, and it would not be surprising if it used some never-before-seen techniques next time. The Photon Research Team keeps abreast of developments like this and maintains profiles of the different threat actors and groups (beyond those associated with the PRC). Take a test drive for seven days, where you can access our library of more than 500 threat actor profiles, or let us show you how you can keep ahead of cyber threats.