Monday, September 29, 2025

China-linked hackers target PH gov’t amid South China Sea tensions


CYBERSECURITY experts have revealed that the notorious Chinese hacking group Mustang Panda launched a series of cyberattacks on the Philippines government in August 2023, a period marked by escalating tensions between the two nations over the disputed South China Sea. The findings come from a report by Israel-based Cyberint, a leading global threat intelligence expert.

The attacks, part of at least three broader cyber espionage campaigns in the South Pacific, exploited legitimate software like Solid PDF Creator and an Indonesian antivirus solution to drop malicious code onto Philippine government systems. The hackers also cleverly disguised their malware’s communications to blend in with legitimate Microsoft traffic.

The cyberattacks coincide with a period of strained relations between China and the Philippines. In early August, a Chinese Coast Guard ship fired water cannons at a Philippine vessel delivering supplies to the disputed Second Thomas Shoal. The Philippines has since announced plans for joint patrols with the United States and naval exercises with Australia, and reportedly severed communications with its Chinese counterparts.

Mustang Panda is a Chinese advanced persistent threat (APT) group with a history of cyberespionage dating back to at least 2012. Believed to be linked to the Chinese government, the group has targeted government agencies, nonprofits, and other organizations across North America, Europe, and Asia.

In the August 2023 campaigns, Mustang Panda hackers used social engineering tactics, luring victims with seemingly innocuous ZIP files named “meeting minutes” or “Labour Statement.” Upon opening the files, unsuspecting targets would unknowingly execute malware disguised as legitimate PDF software, leading to the compromise of their systems. Security researchers indicate that a Philippine government entity was likely compromised for at least five days in August.

Security experts emphasize the ongoing threat posed by Mustang Panda and similar state-sponsored hacking groups. Organizations, particularly those in sectors of geopolitical interest, are strongly advised to implement robust cybersecurity measures, train employees to spot social engineering attempts, and maintain software updates to address vulnerabilities.
