- A China-linked cyberespionage group is targeting South Africa's telecommunications and banking sectors.
- Attacks led by Mustang Panda have been especially prevalent over the last three months, said cybersecurity company Trellix.
- In the past, these attacks have been closely linked to the debate around 5G and Chinese technology.
- The group has used fake recruitment sites to lure victims.
- Once a device has been infected, data is quickly exfiltrated and can be used for numerous nefarious ends.
South Africa's cyberspace has seen an increasing number of attacks linked to a China-based threat actor known as Mustang Panda that's targeting telecommunications and banks, sometimes through false recruitment sites.
Attacks on South Africa's vulnerable cyberspace are increasing. Data gathered by cybersecurity company Trellix shows a sustained surge in threats during the first quarter of 2022, which is not entirely unusual considering the holiday-associated lull in December and January.
The nature of these threats and the intentions of the cybercriminals behind them are, however, cause for alarm and extra vigilance. Trellix revealed, during its cyber threat intelligence briefing for South Africa on Wednesday, some of the main actors that have been especially active in 2022 so far.
Chief among these is Mustang Panda, also sometimes referred to as "RedDelta" or "Bronze President".
The China-linked cyberespionage group has been active for the last decade, but its attacks have increased significantly since the start of the Covid-19 pandemic. Its primary objective has been to gather intelligence on NGOs, non-profits, religious organisations, and think tanks in the United States and Europe.
In 2021, the McAfee Advanced Threat Research (ATR) Strategic Intelligence team, now Trellix, uncovered an espionage campaign targeting telecommunication companies, dubbed Operation Diànxùn. Trellix believes, "with a moderate level of confidence", that this specific campaign, attributed to Mustang Panda, "has to do with the ban of Chinese technology in the global 5G roll-out."
"Mustang Panda has been quite prolific in South Africa for the last three months," said Carlo Bolzonello, South Africa country lead for Trellix, during Wednesday's briefing.
"From a South African perspective, they've been very active in the last three months around the banking and wealth management sector."
Mustang Panda is believed to support the Chinese government, added John Fokker, head of cyber investigations and principal engineer at Trellix.
"In the past, especially in Europe, there was a big debate around 5G and about replacing 5G technology with specific Chinese-built technology at the core. And from a security perspective, this was a big debate," said Fokker.
"And what we observed was Mustang Panda targeting telecommunications sectors in countries where this debate was most likely. And how they actually did it… they did actually have a fake career site, so we assume they posed as recruiters trying to recruit individuals with technical knowledge within the telecommunications sector and persuade them to open a file and then infect their computer."
The ultimate goal of this campaign, according to Fokker, was to determine the position of a specific telecommunications company towards Chinese manufacturers.
Although the group has recently been noted for its attacks on South Africa's banking and wealth management sector, Bolzonello added that attacks on the country's telecommunication sector were also witnessed during the debate around 5G technology.
"Mustang Panda is there to collect data, stick around, and exfiltrate data out and that data could be used for numerous different things," said Bolzonello.
"So, the risk is quite high with someone like a Mustang Panda that definitely has a reason to be there, in your environment."
Mustang Panda generally utilises PlugX – part of the Remote Access Trojan (RAT) malware family – disguised as a legitimate file. Once the file is downloaded and opened, PlugX effectively gives Mustang Panda a backdoor for remote control of the victim's device, with the ability to monitor the user's activity and access data.