China (APT-27/Emissary Panda): New details have emerged in an attack on the Montreal-based International Civil Aviation Organization (ICAO) which took place in 2016. At the time, officials from the ICAO attempted to cover up how badly the attack, which now appears to have been the worst cyber-attack in its history, was mishandled. It now appears that the ICAO was breached by the Chinese cyber-espionage group Emissary Panda. Emissary Panda is known for carrying out long term cyber-espionage campaigns. At this time, it is unknown how they initially compromised ICAO, but it is believed that they gained access after compromising the organization’s webmail server. Emissary Panda appears to have been utilizing ICAO for watering hole attacks after compromising a number of the commonly-used aviation documents which a number of organizations will routinely consult on ICAO’s website. From there, Emissary Panda would be able to spread their access to a large number of aviation and government organizations, as well as corporations who utilize their own corporate transportation for air travel.
Emissary Panda, and the Chinese government, likely used this network of access to gather information on government officials and corporations for later targeting and espionage operations.