A hacking group has compromised at least nine global organizations in the fields of technology, defense, energy, and other key sectors as part of an apparent espionage campaign, a U.S. cybersecurity group has claimed.

Cybersecurity firm Palo Alto Networks said in a report published Sunday that in the U.S. alone, hundreds of organizations were targeted by hackers as part of an espionage effort that took place between late September and early October.

The hacking group compromised “at least nine global entities across the technology, defense, healthcare, energy, and education industries,” it said.

“Through global telemetry, we believe that the actor targeted at least 370 Zoho [software] … in the United States alone,” Palo Alto Networks said in its report. “Given the scale, we assess that these scans were largely indiscriminate in nature as targets ranged from education to Department of Defense entities.”

The hacking group was able to compromise the entities by exploiting vulnerabilities in software used to manage network passwords, known as ManageEngine ADSelfService Plus, the post said.

“Ultimately, the actor was interested in stealing credentials, maintaining access, and gathering sensitive files from victim networks for exfiltration,” Palo Alto Networks noted.

The cybersecurity firm noted that while attribution is still ongoing, specific tools and methods used in the apparent hacking efforts are in line with those used by the Chinese cyber-espionage group Emissary Panda, also known as TG-3390, APT 27, and Bronze Union.

“Specifically, as documented by SecureWorks in an article on a previous TG-3390 operation, we can see that TG-3390 similarly used web exploitation and another popular Chinese webshell called ChinaChopper for their initial footholds before leveraging legitimate stolen credentials for lateral movement and attacks on a domain controller,” Palo Alto Networks explained in its report.

“While the webshells and exploits differ, once the actors achieved access into the environment, we noted an overlap in some of their exfiltration tooling.”

Emissary Panda, which has links to the Chinese government, has been active since at least 2010. It has previously targeted entities worldwide, including defense contractors in the U.S. and a European drone manufacturer. It has also staged attacks in Asia and the Middle East.

Newsweek has reached out to Palo Alto Networks for additional comment.

Last month, U.S. cybersecurity firm CrowdStrike said a hacking group with suspected ties to China compromised calling records and text messages across the globe. The company said the group, known as UNC1945 or LightBasin, has been active since at least 2016.


This article was written by Isabel van Brugen, and was originally published on Newsweek.