Mitre
Alias
Technetium, Shell Crew, Pinkpanther, Turbine Panda, Apt 26, Kungfu Kittens, Black Vine, Webmasters, Bronze Express, Apt26, Jerseymikes, Hippo Team, Group 13
Country
China
Sponsor
The Jiangsu Bureau of the MSS (JSSD/????????), state-sponsored
Motivation
Information Theft And Espionage, Financial Crime
First Seen
2010
Description
(RSA) During recent engagements, the RSA IR Team has responded to multiple incidents involving a common adversary targeting each client's infrastructure and assets. The RSA IR Team is referring to this threat group internally as "Shell_Crew"; however, they are also referred to as Deep Panda, WebMasters, KungFu Kittens, SportsFans, and PinkPanther amongst the security community.
Some analysts track Turbine Panda, {{DarkHydrus, LazyMeerkat}} and {{APT 19, Deep Panda, C0d0so0}} as the same group, but it is unclear from open source information if the groups are the same.
Turbine Panda has some overlap with {{Emissary Panda, APT 27, LuckyMouse, Bronze Union}}.
Targeted
Industries
Food and Agriculture, Government, Aerospace, Non-profit Organizations, Defense, Energy, Financial, Telecommunications, Healthcare, Aviation, Think Tanks
Targeted
Countries
USA, Canada, Denmark, UK, Germany, Italy, France, Southeast Asia, India, Australia, China
Tools
Winnti
Derusbi
Sakula RAT
Hurix
Cobalt
Sakula
Streamex
Living Off The Land
FormerFirstRAT
Mivast
PlugX
Cobalt Strike
TTP
Nil
Operations
Performed
[2012-12] Attack and IE 0day information's used against Council on Foreign Relations (Regarding information's posted on The Washington Free Beacon, the infected cfr.org website was used to attack visitors in order to extract valuable information's. The "drive-by" attack was detected around 2:00 PM on Wednesday 26 December, and CFR members who visited the website between Wednesday and Thursday could have been infected and their data compromised, the specialists said.) (https://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/)
[2012-12] Capstone Turbine Corporation also targeted in the CFR watering hole attack (https://eromang.zataz.com/2013/01/02/capstone-turbine-corporation-also-targeted-in-the-cfr-watering-hole-attack-and-more/)
[2015-05] StreamEx malware (Cylance SPEAR has identified a newer family of samples deployed by Shell Crew that has flown under AV's radar for more than a year and a half. Simple programmatic techniques continue to be effective in evading signature-based detection.) (https://threatvector.cylance.com/en_us/home/shell-crew-variants-continue-to-fly-under-big-avs-radar.html)
Counter
Operations
[2018-10] Chinese intelligence officers and their recruited hackers and insiders conspired to steal sensitive commercial aviation and technological data for years (https://www.justice.gov/opa/pr/chinese-intelligence-officers-and-their-recruited-hackers-and-insiders-conspired-steal) (https://www.justice.gov/opa/pr/chinese-intelligence-officer-charged-economic-espionage-involving-theft-trade-secrets-leading) (https://www.justice.gov/opa/pr/jury-convicts-chinese-intelligence-officer-espionage-crimes-attempting-steal-trade-secrets)
Information
https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/h12756-wp-shell-crew.pdf
https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf
https://www.crowdstrike.com/resources/wp-content/brochures/reports/huge-fan-of-your-work-intelligence-report.pdf