Description
[Deep Panda](https://attack.mitre.org/groups/G0009) is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. (Citation: Alperovitch 2014) The intrusion into healthcare company Anthem has been attributed to [Deep Panda](https://attack.mitre.org/groups/G0009). (Citation: ThreatConnect Anthem) This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. (Citation: RSA Shell Crew) [Deep Panda](https://attack.mitre.org/groups/G0009) also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. (Citation: Symantec Black Vine) Some analysts track [Deep Panda](https://attack.mitre.org/groups/G0009) and [APT19](https://attack.mitre.org/groups/G0073) as the same group, but it is unclear from open source information if the groups are the same. (Citation: ICIT China's Espionage Jul 2016)
Techniques Used (TTPs)
- T1057 — Process Discovery (discovery)
- T1018 — Remote System Discovery (discovery)
- T1505.003 — Web Shell (persistence)
- T1027.005 — Indicator Removal from Tools (defense-evasion)
- T1218.010 — Regsvr32 (defense-evasion)
- T1564.003 — Hidden Window (defense-evasion)
- T1059.001 — PowerShell (execution)
- T1546.008 — Accessibility Features (privilege-escalation, persistence)
- T1047 — Windows Management Instrumentation (execution)
- T1021.002 — SMB/Windows Admin Shares (lateral-movement)
Total TTPs: 10