Report: Hackers With China Ties Linked to Global Password Thefts
November 12, 2021
A U.S. cybersecurity firm says a hacking group possibly linked
to China has breached nine global organizations including at
least one in the United States.
The report by Palo Alto Networks of Santa Clara, California,
said it found malicious actors were actively stealing passwords
from target organizations with the goal of maintaining long-term
The report said from September 22 into early October, the
hackers compromised at least nine entities in sectors such as
technology, defense, health care, energy and education. None is
identified in the report. One organization is in the United
Ryan Olson, vice president of threat intelligence at Palo Alto
Networks, said that “any company doing business with the
Pentagon could have a range of data in their emails about
defense contracts that could be of interest to foreign spies.”
Nicholas Eftimiades, an assistant teaching professor at Penn
State University and a former CIA intelligence officer, told VOA
Mandarin the tactics used in these attacks are usually employed
against foreign governments. In this case, the hacking group
used the tactics against commercial interests on a global scale.
Eftimiades added that if these attacks had not been detected,
the threat group would have gained access to thousands of
companies and been able to conduct espionage from those
The report was released on the Palo Alto Networks website on
November 7. The Chinese Ministry of State Security did not
respond to VOA’s request for comment.
Olson told CNN, which first reported the breach, that “in
aggregate, access to that information can be really valuable,”
adding, “even if it’s not classified information, even if it’s
just information about how the business is doing.”
Palo Alto Networks said it identified two tools used in the
attacks, Godzilla and NGLite.
Both included instructions in Chinese “and are publicly
available for download on GitHub,” said the firm’s report.
GitHub is used by millions of developers and companies worldwide
for many things including sharing computer code.
The cybersecurity firm added that the tactics used in the
attacks appear similar to those used by Emissary Panda, a
Chinese threat group that has been active since 2010.
The group has been active in the Middle East and has attacked
U.S. defense contractors in the past, according to
teampassword.com, a cybersecurity firm.
Olson told Newsweek that “based on the tools and techniques used
in this campaign we see an overlap with Emissary Panda/APT27.”
But he also stressed that the firm has yet to conclusively
attribute the attacks to a threat group.
Palo Alto Networks did not disclose the names of any of the
organizations that were attacked, but said the company is
sharing information to raise awareness of threats and to fix the
vulnerabilities exploited by hackers.
The firm has been working with the Cybersecurity and
Infrastructure Security Agency (CISA), a U.S. federal agency
responsible for strengthening cybersecurity and communications
Goldstein, executive assistant director for cybersecurity at
CISA, told VOA Mandarin via email that CISA was working with
Palo Alto Networks to “understand, amplify and drive action in
response to the activity identified in this report.” The agency
has been working with the private sector through its Joint Cyber
Defense Collaborative (JCDC).
Eftimiades, the retired intelligence officer, said private
companies usually are not equipped to deal with this type of
He said that governments around the world, especially the U.S.
government, should develop a deterrence policy to reduce or stop
these types of attacks and develop a global alliance to respond
to such attacks.
The Wall Street Journal reported last month that the U.S. State
Department is prepared to create a new bureau of cyberspace and
digital policy and a special envoy responsible for critical and
emergency technology, in order to better confront cybersecurity