Emissary (Pandas) in the Middle East

James Shank (Team Cymru) & Jacomo Piccolini (Team Cymru)
In December, the Iranian government issued a public statement claiming they had 'foiled' an attack by 'the well-known APT27' – but was this really the case?

For several months, we tracked China’s Emissary Panda (a.k.a. APT27, TG-3390, BRONZE UNION, Iron Tiger, LuckyMouse). While our knowledge of tracking real pandas is limited, these cyber-Pandas left behind trails for Team Cymru analysts and partners to trace their activities.

Mapping out these digital paw prints enabled us to identify a significant operation targeting organizations in the Middle East. The threat actors left network fingerprints that we uncovered through NetFlow analysis and other network metadata.

The tradecraft of network forensics is a well-developed discipline within the information security industry. But what happens when we apply that tradecraft to global network visibility?

We reveal Emissary Panda’s tactics, techniques and procedures, and highlight an extensive infrastructure that evolved over time. We show exfiltration paths, command-and-control servers, and what appeared to be a migration from one hosting provider to another. We present network maps that may rival Emissary Panda’s internal documentation.

We share detection methods network defenders can use today to check for Emissary cyber-Pandas in their networks. We identify a significant number of victims across a variety of industries, including the energy, health care, technology, education, travel and government sectors.

Did the Kittens beat back the Pandas?

Our unique visibility shows us the truth behind Iran’s claims, as well as the before, during and after impacts Iran’s actions had on the Emissary Panda campaign and infrastructure.

While real pandas in the wild are sparse, the Emissary cyber-Pandas are still very much prevalent. Their survival outside of their own territory requires stealth, but few can hide when the Team Cymru dragon begins the hunt.
James Shank
Team Cymru
Joining Team Cymru ten years ago, James Shank has contributed to several efforts within Team Cymru and within the broader information security community. From the start of his tenure, James served as SME and lead engineer over Team Cymru's highest volume and highest velocity data processing services. He quickly rose through the leadership ranks to become Engineering Team Lead then Manager of Engineering, before joining a team focused on rapid proof-of-concept research and development. With an interest and passion for people over technology, James gravitated towards community-focused efforts and now serves as Chief Architect of Community Services and Senior Security Evangelist. Throughout his career at Team Cymru, James has contributed to community efforts to fight malicious activity online. Serving on the DNS Changer Working Group, contributing to Mirai research efforts, and helping to analyse WireX are a few examples of James' community contributions. Today James focuses on bringing about lasting and substantive changes to information security on a global scale. Recently, James played a part in tracking and analysing the actors and campaign that later became known as Sea Turtle. James participates in many trust-based groups and ad hoc task force efforts. Bringing people together to combat international cyber threats is James' main passion. James is always interested in hearing new ideas and thoughts on meaningful ways to impact the state of global security.
Jacomo Piccolini
Team Cymru
From 2009 to 2012 Jacomo was one of the mentors behind the Dragon Research Group (DRG), a Team Cymru community initiative. He joined the company in 2012 as part of the outreach team and is based in Brazil. Before Team Cymru, he worked at the Brazilian Research and Academic Network, at their Academic CSIRT, and acted as Academic Coordinator for the Educational School’s security and IT governance curriculum. With 21 years of field experience, Jacomo holds a degree in engineering and a post-graduate degree in computer science and business administration. He is a Liaison Member of FIRST and the representative for Team Cymru. Previously Jacomo coordinated hands-on activities for FIRST and is now on the membership committee. Jacomo is also known for his work with several other security communities and trust-based groups. He has been invited to speak around the globe and has hundreds of appearances and keynote talks under his belt. In addition, he has authored several security training courses, and served several years as an instructor at INTERPOL Summer School. At Team Cymru he is responsible for the company’s community services, including the CSIRT Assistance Program (CAP) and the Data Sharing Partnerships. When not working to make our networks safer places, Jacomo spends time on his other great passion, photography. His photography has won national awards, has been featured in publications, and appears in museums.