Vanguard Panda

Threat Actor updated a month ago (2024-11-29T13:40:08.436Z)
Vanguard Panda, also known as Volt Typhoon, Bronze Silhouette, Insidious Taurus, and APT41, is a cyberespionage group linked to the Chinese government. Since mid-2021, the group has targeted critical infrastructure sectors in the United States, including manufacturing, utility, maritime, and government entities, notably in Guam. Its advanced intrusion tradecraft and evident familiarity with the target environment have led cybersecurity experts to conclude that it follows a specific workflow to backdoor apache-tomcat.jar.

The group's activity has escalated since May 2021, when it was recognized as a significant threat to critical infrastructure and military bases. Vanguard Panda has been observed using sophisticated tactics and exploiting critical vulnerabilities, such as the one found in Zoho's ManageEngine ADSelfService Plus, a single sign-on and password management solution. The group is also believed to be part of a broader Chinese effort to infiltrate utilities, energy-sector companies, military bases, telecom companies, and industrial sites in order to plant foothold malware for potential disruptive and destructive attacks in the future.

Microsoft recently exposed another China-linked actor named Volt Typhoon (aka Bronze Silhouette or Vanguard Panda), which has been observed using Living off the Land (LotL) techniques to evade detection and exfiltrate data. That disclosure, together with the group's continued activity, suggests that Chinese malware poses a 'ticking time bomb' inside critical US networks. The Chinese state-aligned advanced persistent threat (APT) behind Volt Typhoon came to attention after Microsoft observed Chinese cyber activity in Guam, the site of a strategically significant US military base for the defense of Taiwan against Chinese aggression.

As a result, cybersecurity experts recommend a deeper dive into associated activity to determine whether other artifacts remain that could confirm the use of specific exploits or indicate another form of exploitation altogether.
Description last updated: 2024-05-04T18:50:14.442Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.

Alias: Volt Typhoon (3 votes)
Volt Typhoon is a possible alias for Vanguard Panda. Volt Typhoon, a state-sponsored threat actor based in China, has been identified as a significant cybersecurity risk to critical infrastructure sectors in the United States. According to Microsoft and the Five Eyes cybersecurity and intelligence agencies, Volt Typhoon has compromised IT environments

Alias: BRONZE SILHOUETTE (3 votes)
BRONZE SILHOUETTE is a possible alias for Vanguard Panda. Bronze Silhouette, also known as Volt Typhoon, is a state-sponsored cyberespionage group believed to be operating on behalf of the People's Republic of China (PRC). Notorious for its sophisticated and aggressive cyber tactics, Bronze Silhouette has been implicated in compromising critical infrastruc
Miscellaneous Associations
Other elements of context that could help in assessing relevance:
Apache
Malware
Manageengine
Apt
Exploit
Vulnerability
Associated Vulnerabilities
Vulnerability: CVE-2021-40539 (association type: Unspecified; 2 votes)
The vulnerability CVE-2021-40539 is associated with Vanguard Panda.