Emissary (Pandas) in the Middle East

James Shank (Team Cymru) & Jacomo Piccolini (Team Cymru)
In December, the Iranian government issued a public statement claiming they had 'foiled' an attack by 'the well-known APT27' – but was this really the case?

For several months, we tracked China’s Emissary Panda (a.k.a. APT27, TG-3390, BRONZE UNION, Iron Tiger, LuckyMouse). While our knowledge of tracking real pandas is limited, these cyber-Pandas left behind trails for Team Cymru analysts and partners to trace their activities.

Mapping out these digital paw prints enabled us to identify a significant operation targeting organizations in the Middle East. The threat actors left network fingerprints that we uncovered through NetFlow analysis and other network metadata.

The tradecraft of network forensics is a well-developed discipline within the information security industry. But what happens when we apply that tradecraft to global network visibility?

We reveal Emissary Panda’s tactics, techniques and procedures, and highlight an extensive infrastructure that evolved over time. We show exfiltration paths, command-and-control servers, and what appeared to be a migration from one hosting provider to another. We present network maps that may rival Emissary Panda’s internal documentation.

We share detection methods network defenders can use today to check for Emissary cyber-Pandas in their networks. We identify a significant number of victims across a variety of industries, including the energy, health care, technology, education, travel and government sectors.

Did the Kittens beat back the Pandas?

Our unique visibility shows us the truth behind Iran’s claims, as well as the before, during and after impacts Iran’s actions had on the Emissary Panda campaign and infrastructure.

While real pandas in the wild are sparse, the Emissary cyber-Pandas are still very much prevalent. Their survival outside of their own territory requires stealth, but few can hide when the Team Cymru dragon begins the hunt.

James Shank, Team Cymru

Joining Team Cymru ten years ago, James Shank has contributed to several efforts within Team Cymru and within the broader information security community. From the start of his tenure, James served as SME and lead engineer over Team Cymru's highest volume and highest velocity data processing services. He quickly rose through the leadership ranks to become Engineering Team Lead then Manager of Engineering, before joining a team focused on rapid proof-of-concept research and development. With an interest and passion for people over technology, James gravitated towards community-focused efforts and now serves as Chief Architect of Community Services and Senior Security Evangelist. Throughout his career at Team Cymru, James has contributed to community efforts to fight malicious activity online. Serving on the DNS Changer Working Group, contributing to Mirai research efforts, and helping to analyse WireX are a few examples of James' community contributions. Today James focuses on bringing about lasting and substantive changes to information security on a global scale. Recently, James played a part in tracking and analysing the actors and campaign that later became known as Sea Turtle. James participates in many trust-based groups and ad hoc task force efforts. Bringing people together to combat international cyber threats is James' main passion. James is always interested in hearing new ideas and thoughts on meaningful ways to impact the state of global security.

Jacomo Piccolini, Team Cymru

From 2009 to 2012 Jacomo was one of the mentors behind the Dragon Research Group (DRG), a Team Cymru community initiative. He joined the company in 2012 as part of the outreach team and is based in Brazil. Before Team Cymru, he worked at the Brazilian Research and Academic Network, at their Academic CSIRT, and acted as Academic Coordinator for the Educational School's security and IT governance curriculum. With 21 years of field experience, Jacomo holds a degree in engineering and a post-graduate degree in computer science and business administration. He is a Liaison Member of FIRST and the representative for Team Cymru. Previously Jacomo coordinated hands-on activities for FIRST and is now on the membership committee. Jacomo is also known for his work with several other security communities and trust-based groups. He has been invited to speak around the globe and has hundreds of appearances and keynote talks under his belt. In addition, he has authored several security training courses, and served several years as an instructor at INTERPOL Summer School. At Team Cymru he is responsible for the company's community services, including the CSIRT Assistance Program (CAP) and the Data Sharing Partnerships. When not working to make our networks safer places, Jacomo spends time on his other great passion, photography. His photography has won national awards, has been featured in publications, and appears in museums.