Long Quiet APT20 May Have Returned

China (APT20): It appears that a Chinese APT which has been quiet for years may have returned with an operation spanning multiple industries. Little has been seen of APT20 since 2014, but new evidence suggests that Violin Panda has been active again with a campaign that appears to have begun in early 2018. It currently looks like the campaign was spread across 10 countries: United States, United Kingdom, France, Germany, Italy, Mexico, Portugal, Spain, Brazil, and China. Few industries have been safe from becoming targets, as the group hit organizations in aviation, construction, energy, finance, health care, insurance, software development, and multiple other industries. While it seems odd that a Chinese APT would target anything within China, the currently unnamed entity was identified as a semiconductor manufacturing company, meaning it would likely contain valuable information for Chinese government-owned manufacturing of semiconductors. The group typically operates by gaining entry to an organization through exploiting vulnerable web servers. From there, the group works to identify users with privileged access, such as system administrators (sysadmins). Keyloggers are then utilized by the group to capture passwords, and in at least one case the group was able to compromise an RSA SecurID two-factor authentication (2FA) system.

Analyst Notes

Monitoring typical user trends and investigating anomalies is an extremely important step in defending against attackers abusing accounts with elevated privileges. The group was caught operating for an 8-10 hour period at night that lined up with China's time zone. This meant that activity on the compromised accounts at the European organizations began at around 3 AM, when few sysadmins would be in the office working on multiple machines, outside of special cases. By identifying and investigating unusual user activity, compromised accounts in these cases could have been identified much sooner. More activity on this campaign can be found at:
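The off-hours pattern described above (a privileged account touching several machines around 3 AM) can be turned into a simple detection over logon records. The following is an added example, not code from the report or from ARC Labs; it assumes local business hours of 06:00-20:00, a hypothetical list of privileged account names, and constructed logon lines in a "timestamp user host" format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_START, BUSINESS_END = 6, 20   # assumed local business hours (06:00-20:00)
PRIVILEGED = {"sysadmin", "oncall"}     # assumed privileged account names

# Constructed sample logon records (not taken from the report): "<timestamp> <user> <host>"
SAMPLE_LOG = """\
2018-03-05T08:12:00 sysadmin fileserver01
2018-03-05T09:40:00 sysadmin fileserver02
2018-03-06T16:50:00 sysadmin dc01
2018-03-07T23:30:00 oncall dc01
2018-03-08T03:02:00 sysadmin dc01
2018-03-08T03:15:00 sysadmin fileserver01
2018-03-08T03:20:00 sysadmin fileserver02
2018-03-08T03:40:00 sysadmin hrdb01
2018-03-08T08:10:00 alice workstation07
"""

def parse_log(log):
    """Parse log lines into (timestamp, user, host) tuples; blank lines are skipped."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, host = line.split()
        events.append((datetime.fromisoformat(ts), user, host))
    return events

def night_of(ts):
    """Key an off-hours event to the night it belongs to: activity before
    BUSINESS_START (e.g. 3 AM) is grouped with the previous evening."""
    day = ts.date()
    return day - timedelta(days=1) if ts.hour < BUSINESS_START else day

def off_hours_sprees(events, min_hosts=2):
    """Return privileged accounts seen outside business hours on at least
    min_hosts distinct hosts during one night, as (user, night, sorted hosts)."""
    hosts = defaultdict(set)
    for ts, user, host in events:
        if user not in PRIVILEGED:
            continue
        if BUSINESS_START <= ts.hour < BUSINESS_END:
            continue                      # normal working hours, ignore
        hosts[(user, night_of(ts))].add(host)
    return sorted((u, n, sorted(h)) for (u, n), h in hosts.items() if len(h) >= min_hosts)

if __name__ == "__main__":
    for user, night, touched in off_hours_sprees(parse_log(SAMPLE_LOG)):
        print(f"ALERT {user} active off-hours on night of {night}: {', '.join(touched)}")
```

A single off-hours logon by an on-call account stays below the host threshold, while the 3 AM sweep across four machines is flagged; in production the business-hours window should come from each account's own baseline rather than a fixed constant.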