ETDA ThaiCERT
Report
Search
Home > List all groups > Emissary Panda, APT 27, LuckyMouse, Bronze Union

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Emissary Panda, APT 27, LuckyMouse, Bronze Union

NamesEmissary Panda (CrowdStrike)
APT 27 (Mandiant)
LuckyMouse (Kaspersky)
Bronze Union (Secureworks)
TG-3390 (SecureWorks)
TEMP.Hippo (Symantec)
Group 35 (Talos)
ATK 15 (Thales)
ZipToken (?)
CountryChina China
MotivationInformation theft and espionage
First seen2010
DescriptionThreat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims. The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, and manufacturing sectors.

Emissary Panda has some overlap with Turbine Panda, APT 26, Shell Crew, WebMasters, KungFu Kittens.
ObservedSectors: Aerospace, Aviation, Defense, Education, Embassies, Government, Manufacturing, Technology, Telecommunications, Think Tanks.
Countries: Australia, Canada, China, Hong Kong, India, Iran, Israel, Japan, Philippines, Russia, Spain, South Korea, Taiwan, Thailand, Tibet, Turkey, UK, USA and Middle East.
Tools usedAntak, ASPXSpy, China Chopper, Gh0st RAT, gsecdump, HTTPBrowser, HTran, Hunter, HyperBro, Mimikatz, Nishang, OwaAuth, PlugX, ProcDump, PsExec, SysUpdate, TwoFace, Windows Credentials Editor, ZXShell, Living off the Land.
Operations performed2010Operation “Iron Tiger”
Operation Iron Tiger is a targeted attack campaign discovered to have stolen trillions of data from defense contractors in the US, including stolen emails, intellectual property, strategic planning documents – data and records that could be used to destabilize an organization.
<https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2015/2015.09.17.Operation_Iron_Tiger/wp-operation-iron-tiger.pdf>
2015Penetration of networks for industrial espionage
Designated as Threat Group 3390 and nicknamed “Emissary Panda” by researchers, the hacking group has compromised victims’ networks largely through “watering hole” attacks launched from over 100 compromised legitimate websites, sites picked because they were known to be frequented by those targeted in the attack.
<https://arstechnica.com/information-technology/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/>
Jul 2017Operation “PZChao”
The past few years have seen high-profile cyber-attacks shift to damaging the targets’ digital infrastructures to stealing highly sensitive data, silently monitoring the victim and constantly laying the ground for a new wave of attacks.
This is also the case of a custom-built piece of malware that we have been monitoring for several months as it wrought havoc in Asia. Our threat intelligence systems picked up the first indicators of compromise in July last year, and we have kept an eye on the threat ever since.
<https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/>
Mar 2018Campaign targeting a national data center in the Central Asia
The choice of target made this campaign especially significant – it meant the attackers gained access to a wide range of government resources at one fell swoop. We believe this access was abused, for example, by inserting malicious scripts in the country’s official websites in order to conduct watering hole attacks.
<https://securelist.com/luckymouse-hits-national-data-center/86083/>
Apr 2018Operation “SpoiledLegacy”
We have been monitoring a campaign targeting Vietnamese government and diplomatic entities abroad since at least April 2018.
<https://securelist.com/apt-trends-report-q1-2019/90643/>
Apr 2019In April 2019, Unit 42 observed the Emissary Panda (AKA APT27, TG-3390, Bronze Union, Lucky Mouse) threat group installing webshells on Sharepoint servers to compromise Government Organizations of two different countries in the Middle East.
<https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/>
Mar 2020Is APT27 Abusing COVID-19 To Attack People ?!
<https://marcoramilli.com/2020/03/19/is-apt27-abusing-covid-19-to-attack-people/>
Information<https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage>
<https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox>
<https://www.secureworks.com/research/bronze-union>
MITRE ATT&CK<https://attack.mitre.org/groups/G0027/>
Playbook<https://pan-unit42.github.io/playbook_viewer/?pb=emissary_panda>

Last change to this card: 01 May 2020

Download this actor card in PDF or JSON format

Previous: El Machete
Next: EmpireMonkey, CobaltGoblin

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key