Advanced persistent threat (APT) groups are often tricky to wrap your head around. By their nature, state-associated groups are well-resourced and as their terminology suggests, APT groups are persistent. They prioritize stealth and staying undetected for as long as possible. That means it is often difficult to catch them red-handed in the act of stealing secrets, and when you do, these groups are likely to have achieved what they set out to achieve anyway. That, of course, typically involves the theft of your intellectual property, information, state secrets, etc. 

When it comes to APT groups, we tend to think of the Big Four countries, namely Russia, the People’s Republic of China (PRC), Iran, and North Korea. It’s impossible to go into the various APT groups associated with these countries individually without this blog post turning into a day-long seminar. So, today we focus on the PRC-linked Mustang Panda, a group that has caught our eye recently. 

The one 熊猫 to do it all:

Before delving into what Mustang Panda is and what the group has been up to, it’s imperative to understand its underlying motivation. The PRC’s cyber strategy indicates a confrontation-aversion mentality, making cyber espionage a central part of its intelligence policy. Where cyber espionage operations are concerned, the government in the PRC has several APT groups at its disposal to conduct such campaigns and put us through complete panda-monium. These groups seek information that can put the Chinese state at a strategic advantage, mainly for data related to two main state-led objectives: 1) the Belt and Road Initiative (BRI), and 2) Made In China 2025 (MIC2025). The two programs determine the areas that the PRC strives to be a leader in. 

Naturally, big goals are made easier when broken down into smaller milestones.“千里之行,始於足下”, or translated into English: after all a journey of a thousand miles begins with a single step (thank you Lao Tzu). With these two state-led programs, the PRC has put in place smaller five-year economic plans (FYPs), with the intention of eventually meeting the end goals of BRI and MIC2025. 

And that’s where Mustang Panda (and the PRC’s squad of other Pandas [熊猫]) comes in. First discovered around 2017, Mustang Panda has come a long way since its initial operations. It does one thing (information theft) and then some (as evident in its expansion in targeting scope and interest). 

Mustang Panda: probably cute and cuddly, but definitely deadly

It is often challenging to put a label on APT groups, as labels are for soup cans. But, anyone who has used a Thermomix before would immediately be blown away by how the appliance doesn’t just cook but also whips, shapes, peels, kneads, minces, weights, beats, and cleans itself! *mindblown* And this is exactly what Mustang Panda is – a Thermomix-level cyber espionage operator.

The name is Worldwide, Mr Worldwide:

Like many many other APT groups, Mustang Panda doesn’t just go by one name. It is also tracked using other aliases, like TA416, Bronze President, TEMP.Hex. 

We’ve earlier established that Information related to the BRI and specific goals laid out in the PRC’s FYPs constitute key targets among PRC-linked APT groups. But Mustang Panda does so much more. Based on previous attacks, non-governmental organizations (NGOs) in South-East Asia, Europe, and the US have been frequent targets, likely for information on politically sensitive issues such as human rights (which the PRC generally does not do well in). 

It has also turned inwards, looking at entities operating within the territories of the PRC. In particular, areas which the PRC has a contentious relationship with, such as Tibet, Hong Kong, and Taiwan, have all been named as victims in Mustang Panda operations. This alludes to a surveillance-type function that the group has. It also hints at the group’s support to the various different political interests of the Chinese government; besides supporting information gathering requirements related to the BRI and MIC2025, Mustang Panda likely helps keep a close watch on contentious areas at the direction of the Chinese government.

More recently, the group was attributed to a campaign that targeted Russian officials in April 2022. In that operation, Mustang Panda sent phishing emails to Russian military and government officials, in hope of deploying the “PlugX” malware. PRC-linked APT groups seldom target Russian entities, and it might not be that hard to see why.. The PRC and Russia have hitherto enjoyed lukewarm relations (although Russia’s actions against Ukraine amid the Russia-Ukraine war are likely to have thrown a wrench into Sino-Russian dynamics slightly.) This Mustang Panda campaign hints at two things: 1) The group is nimble and likely modifies its targeting scope to quickly adapt to the evolving and changing interest of the Chinese government, and 2) no target is too elusive. 

The group also understands when to strike. Amid the flurry of information covering the developments surrounding the Russia-Ukraine war, Mustang Panda was reported to have been targeting organizations in Europe using lures bearing topics pertaining to Russia’s incursion into Ukraine. The group likely capitalized on the “noise” during this period, betting on the developments of the armed conflict to serve as a distraction for its activity.

In more sporadic instances, telecommunications providers in Asia, Europe, and the US have been targeted. Other times, Mustang Panda also went after research entities, Internet service providers, and diplomatic missions

Given that its victims span a wide range of geographies and diverse range of sectors, perhaps Mr Worldwide would be a more appropriate moniker for the group. 

Going more places than Pitbull

Built for the (Belt and) Road ahead:

Mustang Panda’s Thermomix jack-of-all-trades swiss-army-knife nature is perhaps best summed up in its techniques. Social engineering techniques to trick users into interacting with malware has been a tried-and-tested approach among APT groups, but Mustang Panda takes it further by using very tailored lures. In some instances, it even used publicly-downloadable legitimate documents. After all, why bother crafting your own when you can directly access the source material? 

That’s not all. It can exploit software vulnerabilities and have done so faster than you can patch your systems. Previously, it exploited CVE-2017-0199 just days after the flaw was disclosed. Talk about striking when the iron is hot. 

Needless to say, Mustang Panda is technically competent. Its malware collection is probably better stocked than a doomsdayer’s ration cabinet, and sure, it has both publicly available and customized malware. “PlugX” and “Poison Ivy” would be the more frequently used malware variants in Mustang Panda’s attacks. Improvements are a must – “Hodor” is the updated version of PlugX. Apart from malware, the group relies on tools like reverse shells, Cobalt Strike, and meterpreter, all for maintaining persistence on a victim network.

(Disclaimer: PlugX is also used by many other PRC-linked APT groups. So, attributing a campaign to a specific threat group based solely on the detection of PlugX would be problematic)

A full list of Mustang Panda’s techniques in Digital Shadows SearchLight (now ReliaQuest GreyMatter DRP)

The way we see it, Mustang Panda is very much like that overachieving friend we have in high school, who is good at everything, studies, extra-curricular activities and all. 

Somewhere in the future, we can expect to see the group’s activities again. It would not even be surprising if it used some never-before-seen or groundbreaking techniques then. The Photon Research Team keeps itself abreast and updated of developments like this, and maintains profiles of the different threat actors and groups (beyond those associated with the PRC). Take a test drive for seven days, where you can access our library of more than 500 threat actor profiles, or let us show you how you can keep yourself ahead of cyber threats.