Introduction
FishMonger is an advanced persistent threat (APT) group that has conducted effective cyber espionage for roughly the last decade. It is closely associated with Chinese state interests and is known primarily for targeting governmental entities, academia, think tanks, and technology companies in Europe, Asia, and beyond. Its operations have typically focused on long-term intelligence collection and on maintaining a stealthy operational presence; the goal is intelligence gathering rather than financial gain or direct disruption.
FishMonger is tracked under many different names across the security community, a consequence of its broad operational scope and tradecraft that overlaps with several other China-aligned threat clusters. Names applied to FishMonger include BountyGlad, AQUATIC PANDA, BRONZE UNIVERSITY, Charcoal Typhoon, ControlX, Earth Lusca, TAG-22, RedDev 10, RedPhenometer, RedMorph, RedScylla, and RedHotel. Although the labels vary widely, analysis of infrastructure, malware, and targeting patterns shows a reasonable degree of overlap between them, and all trace back to the same operational goal of espionage.

Identity & Motivation
FishMonger has been assessed as a China-based advanced persistent threat (APT) actor operating in support of Chinese national strategy and political intelligence efforts. The group is believed to have been active since at least the mid-2010s, with publicly available reporting showing a significant increase in FishMonger-related activity between 2018 and 2019. FishMonger’s desired outcome is espionage: it focuses on collecting sensitive political, diplomatic, academic, and technological information.
Unlike financially motivated threat actors, FishMonger places a higher value on retaining long-term access and collecting information of high intelligence value. Victim selection often aligns with China’s foreign policy interests, including new and emerging technologies and geopolitical developments under discussion within China and across East Asia. Public and private universities, research institutions, and policy think tanks carry high intelligence value because they shape the discourse on strategic issues and new technologies.
Tactics, Techniques, and Procedures (TTPs)
In its operations, FishMonger combines custom tooling, exploitation of publicly known vulnerabilities, and disciplined operational security. Although FishMonger does not always exploit a “zero-day” vulnerability, the group is highly skilled at weaponizing newly disclosed vulnerabilities and chaining those exploits with a custom post-exploitation toolbox.
Initial Access
Initial access to a target organization is typically gained by exploiting internet-facing servers and applications. FishMonger has taken advantage of vulnerabilities in web server software, application frameworks, and VPN appliances after patches were released, that is, before the affected organizations had applied them. Alongside vulnerability exploitation, the group has run targeted spear-phishing campaigns against individuals working in academia or on policy-oriented work, using harmless-looking documents or benign-looking links to lure victims.
Execution and Persistence
Once FishMonger gains access to an organization’s network, it deploys its own loaders and backdoors to establish and maintain a presence. The group sets up persistence using Windows scheduled tasks, installs services or web shells on compromised servers, and uses living-off-the-land techniques, abusing legitimate system utilities so that malicious activity blends in with routine administrative activity.
Command and Control
FishMonger’s C2 infrastructure frequently relies on HTTP/HTTPS to connect to attacker-controlled servers. Domains serving that infrastructure are often registered to resemble legitimate academic organizations, cloud service providers, or technology companies, which reduces the chance of detection. The group rotates its infrastructure regularly, and compromised servers are reused as staging points for follow-on operations.
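As an added example, not from the original profile, the following Python flags proxy-log destinations that imitate domains an organisation legitimately uses, the lookalike-domain pattern described above. The allowlist and the log lines are constructed; the edit-distance threshold and the brand-token check are starting points to tune against your own traffic.

```python
# Constructed allowlist: domains the organisation legitimately talks to.
TRUSTED = ["example-university.edu", "cloudprovider.com", "techvendor.com"]
# Constructed proxy log lines: "<timestamp> <client_ip> <dest_host> <bytes_out>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.1.2.3 example-university.edu 1203
2024-05-01T10:00:05Z 10.1.2.3 example-univers1ty.edu 48211
2024-05-01T10:00:09Z 10.1.2.7 cloudprovider.com 902
2024-05-01T10:00:12Z 10.1.2.7 cloudprovider-login.net 77124
2024-05-01T10:00:15Z 10.1.2.9 news.example.org 5120
"""

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    # Crude 'domain.tld' reduction; assumes single-label public suffixes.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike_reason(host: str, trusted=TRUSTED):
    """Explain why a host resembles an allowlisted domain, or return None."""
    dom = registrable(host)
    if dom in trusted:
        return None
    for t in trusted:
        brand = t.split(".")[0]            # e.g. 'cloudprovider'
        if brand in dom:                   # brand token reused under another name
            return f"brand token '{brand}' reused in {dom}"
        if levenshtein(dom, t) <= 2:       # a character swap or two away
            return f"{dom} is within 2 edits of {t}"
    return None

def scan(log_text: str):
    """Return (client_ip, host, reason) for each suspicious destination."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, host, _bytes = line.split()
        if reason := lookalike_reason(host):
            hits.append((client, host, reason))
    return hits

if __name__ == "__main__":
    for client, host, reason in scan(SAMPLE_LOG):
        print(f"{client} -> {host}: {reason}")
```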
Collection and Exfiltration
Collection focuses on documents, e-mails, credentials, and research data that relate to the strategic value of the victim organisation. Exfiltration is typically performed in small, staged transfers to avoid triggering Data Loss Prevention (DLP) and other monitoring controls put in place by the victim. FishMonger’s operations are designed to be as quiet as possible in support of a long-term espionage goal.
Malware and Tooling
FishMonger utilises a wide variety of malware and tooling, ranging from bespoke backdoors to web shells and, in some cases, modified open-source toolkits. The group’s ability to adapt its tooling to the target environment is one of its defining attributes. FishMonger frequently relies on web shells when targeting universities and publicly accessible research portals. Web shells give an attacker a durable degree of access with a very small footprint and serve as a foothold for lateral movement and data staging within the target organisation. FishMonger also makes use of modular backdoors designed for endpoint environments that can execute commands, modify files and collect credentials in order to sustain its operations.

Target Profile
FishMonger targets are based primarily on the intelligence value of the target, rather than the target’s immediate operational impact.
Primary Targets
- Government ministries and diplomatic institutions
- Universities and academic research centers
- Think tanks and policy research organizations
- Technology and telecommunications companies
Geographic Focus
While FishMonger operates on a global scale, its activity is strongly concentrated in:
- Europe (particularly Central/Western Europe)
- East/Southeast Asia
- South Asia
- Selected Middle Eastern targets
Historically, European academic institutions have been prominent targets for FishMonger, likely because of their role in advanced research and international cooperation and their advisory input into policymaking decisions.
Notable Operations
FishMonger has conducted numerous high-proficiency espionage campaigns throughout its existence. The following timeline summarizes the group’s known espionage activity:
- 2018–2019: Early campaigns targeted European universities and foreign policy agencies through exploitation of insecure web servers and the deployment of web shells.
- 2020: A marked increase in targeting of government-affiliated research and public health organizations, coinciding with worldwide geopolitical events and the onset of COVID-19.
- 2021–2022: A greater focus on technology and telecommunications organizations, supported by improved post-exploitation tooling and better organization of tooling and compromised infrastructure.
- 2023–2024: Continued exploitation of edge devices and enterprise applications; a continuing focus on universities and organizations with an emphasis on public policy.
These campaigns provide ample evidence of the FishMonger Group’s ability to maintain consistent and adaptive strategies.
Recent Developments and Evolution
Over time, FishMonger has improved its operational discipline. Although its fundamental techniques have not changed, better infrastructure hygiene, stronger malware obfuscation, and victim-specific customisation point to a more mature operation than previously existed. Evidence of FishMonger collaborating with other actors across the China-nexus cyber ecosystem, including tooling and infrastructure overlap with other clusters, indicates a growing level of operational cooperation.
FishMonger’s ability to exploit recently patched vulnerabilities reflects a broader trend among advanced threat actors: the speed and scale at which a vulnerability can be weaponized, combined with quality reconnaissance and targeting, can outweigh the need for a zero-day exploit.
Threat Assessment
Organizations involved with government policy, advanced research, and strategic technology development are at a very high risk of espionage attacks by FishMonger. FishMonger’s campaigns are highly stealthy, extremely persistent, and designed to meet the long-term intelligence needs of its sponsors.
Even though FishMonger does not typically carry out destructive attacks and/or ransomware, the strategic impact of FishMonger’s espionage activities can be extremely damaging. The loss of sensitive research/projects, policy documents, and/or diplomatic communications can have both long-term national security and economic implications.
Defensive Considerations
Organizations that want to mitigate the risk posed by FishMonger should focus on:
1) Quickly patching internet-facing systems
2) Monitoring for web shell activity and other anomalies involving administrative privileges
3) Implementing robust network segmentation and least-privilege access controls
4) Using threat intelligence (TI) to improve detection of adversaries that employ tactics, techniques and procedures (TTPs) associated with China-nexus actors.
For academic and research institutions that operate through open collaboration models, balancing that openness with security controls is extremely important.
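As an added illustration of consideration 2, and of the web shell tradecraft described under Malware and Tooling, the following Python is example detection logic rather than code from the original profile: it walks constructed Sysmon-style process-creation events and flags command interpreters, recon utilities, and scheduled-task or service creation running anywhere under a web server worker’s process lineage. The process names, pids and command lines are all constructed; adjust the worker set to your own server stack.

```python
# Constructed Sysmon-style process-creation events (pid, ppid, parent image,
# image, command line). Not real telemetry.
EVENTS = [
    {"pid": 10, "ppid": 1, "parent": "services.exe", "image": "w3wp.exe",
     "cmd": "w3wp.exe -ap DefaultAppPool"},
    {"pid": 11, "ppid": 10, "parent": "w3wp.exe", "image": "cmd.exe",
     "cmd": "cmd.exe /c whoami"},
    {"pid": 12, "ppid": 11, "parent": "cmd.exe", "image": "whoami.exe",
     "cmd": "whoami"},
    {"pid": 13, "ppid": 11, "parent": "cmd.exe", "image": "schtasks.exe",
     "cmd": "schtasks.exe /create /tn Updater /tr C:\\ProgramData\\u.exe /sc daily"},
    {"pid": 20, "ppid": 2, "parent": "explorer.exe", "image": "cmd.exe",
     "cmd": "cmd.exe /c whoami"},
]

# Web server worker processes that should never spawn shells or recon tools.
WEB_WORKERS = {"w3wp.exe", "httpd", "nginx", "php-fpm", "tomcat", "java"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}
RECON = {"whoami.exe", "net.exe", "ipconfig.exe", "nltest.exe", "tasklist.exe"}
# (binary, verb) pairs that create persistence via scheduled tasks or services.
PERSISTENCE = (("schtasks.exe", "/create"), ("sc.exe", "create"))

def ancestors(ev, by_pid):
    """Yield ancestor events, nearest parent first, guarding against pid-reuse loops."""
    seen = {ev["pid"]}
    while ev["ppid"] in by_pid and ev["ppid"] not in seen:
        ev = by_pid[ev["ppid"]]
        seen.add(ev["pid"])
        yield ev

def under_web_worker(ev, by_pid):
    """True if the event's parent or any recorded ancestor is a web server worker."""
    if ev["parent"].lower() in WEB_WORKERS:
        return True
    return any(a["image"].lower() in WEB_WORKERS for a in ancestors(ev, by_pid))

def detect(events):
    """Return (pid, reason) for every event that looks like web-shell activity."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        if not under_web_worker(ev, by_pid):
            continue                     # ordinary user/admin activity, skip
        img, cmd = ev["image"].lower(), ev["cmd"].lower()
        if img in INTERPRETERS or img in RECON:
            hits.append((ev["pid"], f"{img} spawned within web worker lineage (parent {ev['parent']})"))
        for binary, verb in PERSISTENCE:
            if img == binary and verb in cmd:
                hits.append((ev["pid"], f"persistence via '{binary} {verb}' under web worker lineage"))
    return hits
```

Running `detect(EVENTS)` flags pids 11, 12 and 13 and leaves the explorer-launched shell (pid 20) alone, because only lineage that traces back to a web worker is considered.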
Conclusion
FishMonger is an example of how modern state-sponsored espionage threats have become patient, adaptive, and strategically focused. The group has conducted intelligence collection operations successfully for many years through disciplined exploitation of vulnerabilities, flexible tooling adapted to its objectives, and careful target selection.
As geopolitical rivalries extend into cyberspace, FishMonger will remain an active and relevant threat actor. Organizations that need to protect state secrets and withstand continual espionage campaigns must understand FishMonger’s attack methods and motivations, as well as the types of victims it selects.

