<— Back

Hitching a ride with Mustang Panda

Early this year, we stumbled upon a distribution server connected to security incidents affecting various institutions in Myanmar. A brief investigation revealed that the server was used for multiple attacks across the country, as well as a transition point for exfiltrated data.

Further inspection of the exfiltrated data revealed many high-profile government victims including police, army, and the Office of the State Administrative Council. Various political NGOs and the government opposition, including Karenni Nationalities Defense Force (the armed wing of the exile government), were also among the victims. Many sensitive documents were found on the server, for instance documents from the Office of the Chief Myanmar Air Defense Force with a list of staff along with their salaries, photo IDs, and family details. Gigabytes of data were exfiltrated on a daily basis, hinting at a large-scale operation. The Ministry of Immigration and Population was also breached, and thus passport scans from visa applicants, including diplomats, from various countries such as China, USA, and Great Britain were found.

The distribution server contained dozens of archives with various toolsets, some of them novel, while others were previously described and linked to the Mustang Panda group. The toolsets could be grouped into two groups: The first typically contained Korplug or other custom remote access tools. These were often accompanied by an USB launcher written in Delphi that has been previously associated with LuminousMoth. The second contained single-purpose tools that were selectively used against the targets.

Surprisingly, the group’s operational security was also rather poor, allowing us to map the operation, track the development while resisting attempts to shake us off. This, together with the indiscriminate targeting and the tremendous scale of the operation with an impact on both civilians and diplomats around the world, makes an interesting case to study.