Cybercrime is always evolving, but some threats persist despite years of change. The Override Panda cybercrime group is one such lingering threat, first appearing in 2005 under the name Naikon. Now, they’re striking again, targeting sensitive information through spear-phishing attacks.
The alleged Chinese state-sponsored cyber-espionage group has been quiet for years, reemerging in 2020 for a few notable attacks. More recently, cybersecurity professionals have connected them to a spear-phishing email, possibly hinting at a larger campaign. Here’s a closer look at this attack, the group behind it and what it means for security pros.
A New Spear Phishing Campaign
The threat intelligence and tracking team Cluster25 reported the Override Panda attack on April 29. The spear-phishing email at the heart of the attack carried a beacon for a penetration tool known as Viper. If users open the Microsoft Word document attached to the email, it launches shellcode that injects the beacon and gives attackers remote access to the device.
The Viper framework is similar to Cobalt Strike, featuring more than 80 modules to grant attackers access. After infecting its target, the framework moves across the network to expand its access privileges and let attackers execute commands. A successful attack with this tool could give Override Panda long-term access to sensitive documents without users’ knowledge.
While the specific target for this attack remains unclear, Cluster25 suspects it’s a government institution in Southeast Asia, given the group’s history. The infected document itself seems to be a call for tenders written in Chinese, which would fit that target profile.
Override Panda’s History
Spear phishing is far from new. These attacks caused most of the 120,000 business cybercrime complaints officials received a few years ago, leading to $800 million in damages. This most recent incident isn’t Override Panda’s first foray into phishing, either.
In 2020, cybersecurity company Check Point discovered a malicious email supposedly coming from a government embassy they traced to Override Panda. After investigating the incident further, security professionals found that it was part of a campaign that went undetected for five years. Had Check Point not found the email, Override Panda would’ve likely infected government computers and collected documents for several more years.
Cybersecurity researchers also linked the group to espionage campaigns against Southeast Asian military organizations in April 2021. Later that same year, they seemed to be a part of attacks against telecom companies dating back to 2020.
How Can You Stay Safe?
Override Panda’s persistence and ability to slip under the radar should raise alarms for businesses and security professionals. The backdoors this group and others like it use are growing more sophisticated, so organizations’ best line of defense is to stop them from appearing in the first place.
The best defense against phishing is employee training. Research suggests that 88% of data breaches result from insider mistakes, which implies that reducing employee error could prevent most breaches. All workers, regardless of role and access level, should undergo training on spotting phishing attempts and practicing strong credential management.
Restricting access privileges and using multi-factor authentication can help, too, since they limit the impact of a successful phishing attempt. However, remember that some attacker tooling escalates its permissions gradually after the initial foothold, so these steps aren’t perfect fixes.
Regular network auditing should become a part of every IT team’s routine. Since these attacks can go undetected, it’s best to routinely check for any unusual activity or files to uncover attacks that slipped through initial defenses.
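The attack chain described above (a Word document that spawns a second stage) and the auditing advice in this section both come down to one question for a defender: which processes are your Office applications launching? The following script is an added example, not code from the original article or from Cluster25; it reads constructed process-creation events in CSV form and flags Office parents that spawn script hosts, living-off-the-land binaries, encoded PowerShell, or executables from user-writable paths. Field names, the sample hosts and users, and the child-process lists are assumptions chosen for illustration and should be tuned to your own telemetry.

```python
"""Flag process-creation events where an Office application spawns a child that
is commonly used to run a second stage. Added example with constructed data."""
import csv
import io
import ntpath

# Parent images that should rarely spawn shells, script hosts or unknown binaries
# when a user simply opens a document (assumed list; extend for your estate).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Children frequently used to stage further code; an illustrative starting point.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}

# Path fragments that indicate a binary living in a user-writable location.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

# Constructed process-creation telemetry (hypothetical hosts, users and paths).
SAMPLE_EVENTS = r"""timestamp,host,user,parent_image,image,command_line
2022-04-29T09:12:01Z,WS-017,alice,C:\Windows\explorer.exe,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE,"WINWORD.EXE /n tender.docx"
2022-04-29T09:12:07Z,WS-017,alice,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE,C:\Windows\System32\rundll32.exe,"rundll32.exe C:\Users\alice\AppData\Local\Temp\x.dll,Run"
2022-04-29T09:15:44Z,WS-022,bob,C:\Windows\explorer.exe,C:\Windows\System32\notepad.exe,"notepad.exe notes.txt"
2022-04-29T09:16:02Z,WS-022,bob,C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,"powershell.exe -nop -w hidden -enc AAAA"
2022-04-29T09:20:10Z,WS-031,carol,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE,C:\Windows\splwow64.exe,"splwow64.exe 12288"
2022-04-29T09:21:30Z,WS-017,alice,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE,C:\Users\alice\AppData\Local\Temp\update.exe,"update.exe --silent"
"""


def basename(path):
    """Lower-cased file name of a Windows path, regardless of the host OS."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return reason strings for one event; an empty list means nothing stood out."""
    parent = basename(event["parent_image"])
    child = basename(event["image"])
    image_lower = event["image"].lower()
    cmd = event["command_line"].lower()
    reasons = []
    if parent not in OFFICE_PARENTS:
        return reasons  # only Office-parent events are in scope for this rule set
    if child in SUSPICIOUS_CHILDREN:
        reasons.append(f"office app {parent} spawned {child}")
    if any(hint in image_lower for hint in USER_WRITABLE_HINTS):
        reasons.append(f"office app {parent} launched a binary from a user-writable path")
    if child == "powershell.exe" and ("-enc" in cmd or "hidden" in cmd):
        reasons.append("encoded or hidden PowerShell invocation")
    return reasons


def find_suspicious_spawns(csv_text):
    """Parse CSV telemetry and return one finding per event that matched a rule."""
    findings = []
    for event in csv.DictReader(io.StringIO(csv_text)):
        reasons = classify(event)
        if reasons:
            findings.append({
                "timestamp": event["timestamp"],
                "host": event["host"],
                "user": event["user"],
                "child": basename(event["image"]),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_spawns(SAMPLE_EVENTS):
        print(finding["timestamp"], finding["host"], finding["user"],
              finding["child"], "; ".join(finding["reasons"]))
```

Run against the constructed sample, the script reports three events: Word launching rundll32 with a DLL from a temp folder, Excel launching hidden, encoded PowerShell, and Word launching an executable from AppData. The print-spooler helper that Word legitimately starts is left alone, which is the kind of allow-listing you will need to keep such a rule quiet on real hosts. Running this over a day of endpoint telemetry, rather than only at incident time, is the routine check the section above recommends.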
Stay Up-to-Date About All Emerging Threats
This spear-phishing campaign is unlikely to be Override Panda’s last. It should stand as a reminder that cybercrime threats can persist for years and no organization can assume it’s 100% safe.
Staying informed about these developments can help security teams understand the threats they face. They can then take any necessary steps to keep their defenses up-to-date.