What is Emissary Panda, and how does it hack its targets?

In November 2016, the Montreal-based International Civil Aviation Organization (ICAO) was hit by the most serious cyberattack in its history.

Internal documents obtained by CBC suggest key members of the team that should have prevented the attack tried to cover up how badly it was mishandled.

The documents obtained by CBC suggest the hacker was most likely a member of Emissary Panda, a sophisticated and stealthy espionage group with ties to the Chinese government.

Here is a look at the group of hackers, probably from China, suspected of carrying out a cyberattack on the Montreal-based International Civil Aviation Authority how the hackers did it, and what they stood to gain from setting a trap for the world's aviation players.

• Montreal-based UN aviation agency tried to cover up cyberattack, documents show

What is Emissary Panda?

The group of hackers suspected of staging the attack is known by many names among them: TG-3390, APT 27 and Bronze Union.

The cybersecurity firm SecureWorks has a "moderate level of confidence" that the hacker group is sponsored by the People's Republic of China.

In a 2015 report, it based that conclusion on a number of factors:

• Emissary Panda is most active during the Chinese work day between noon and 5 p.m. local time in China.
• The cyberattacker uses the Chinese-language search engine Baidu.
• It has parts of its hacking tools written in Chinese.
• It has staged cyberattacks against the Uyghurs, the Chinese Muslim minority grouprepressed by the Chinese state.

The group has been active for at least 10 years, and it has also staged attacks in North America, South America, Asia, Europe and the Middle East.

Cybersecurity experts consulted by CBC News said the group specializes in "cyberespionage," collecting data from corporate and government targets.

Ali Arasteh, a cybersecurity consultant with the firm FireEye, said many of Emissary Panda's activities align with the economic goals laid out by the Chinese government. It tends to target industries such as energy, aviation, defence and manufacturing, where China wants to gain a competitive edge.

How was the attack carried out?

Cybersecurity expert Jos Fernandez says ICAO was likely not chosen because it was a weak link.

"All targets are relatively easy," Fernandez said.

Emissary Panda uses a variety of methods to access a target's system, such as hacking its webmail server or sending phishing emails including malicious links or attachments.

While it is not known how the hackers got into ICAO's servers, experts on Emissary Panda's hacking activities say it's likely the group had access long before it was detected.

In its 2015 report on Emissary Panda, SecureWorks wrote that the group tends to spend a significant period of time in a target's system before it starts extracting data. Emissary Panda uses this time to find other access points, learn how the network is set up and identify important data.

The hacker group then sets up "strategic web compromises," also known as watering holes. Watering holes are traps on websites that they know targets will visit.

In the case of ICAO, when member states wanted to consult aviation documents online, they would be injected with malicious code that could give the attackers remote control of their computers.

Hackers could then create a chain of watering holes once they gained access to the systems of governments or corporations that visited the first watering hole.

What did the hackers have to gain?

Compromising ICAO would not cause planes to fall out of the sky.

The attack appears to be part of a larger strategic game, said Fernandez. With member states and aviation companies regularly visiting ICAO websites, he said the organization is a "one-stop shop" for encountering the targets of Chinese cyberspies.

According to the SecureWorks report, Emissary Panda often would find trusted websites frequented by political and corporate targets and infect them to gain access to data.

Arasteh, speaking generally about the hacker group's operations, said that data could include intellectual property and travel information for corporate executives and politicians.