Mustang Panda, the China-based threat group, is known for its cyber-espionage attacks aimed at Southeast Asia. It has, lately, targeted 10 Indonesian government ministries and agencies. One of the targeted agencies is allegedly Indonesia’s primary intelligence service, Badan Intelijen Negara (BIN).

What happened?

Researchers from Insikt Group discovered the attacks in April. They observed a PlugX malware C2 server (operated by Mustang Panda) communicating with systems hosted inside the networks of government agencies in Indonesia.
  • These communications were traced back to at least March. The intrusion and delivery technique of the malware is still not known.
  • Insikt Group alerted Indonesian authorities about the intrusions in the month of June and then again in the following month. However, officials did not respond to the alerts.
  • Indonesia’s primary intelligence service BIN was one of the most sensitive targets in the attack campaign. Days after that news, researchers confirmed that C2 servers were still actively communicating with Mustang Panda servers.

About Mustang Panda

Mustang Panda is a threat group known for attacking NGOs for espionage purposes. It was first spotted in 2017 but is believed to be active and operating since at least 2014.
  • In July, while examining the Microsoft Exchange Server attacks, a PlugX variant of Mustang Panda was delivered as a post-exploitation RAT at one of the targeted servers.
  • In the same month, an ongoing APT campaign from the Luminousmoth APT group had been discovered. The malicious activity was linked to Mustang Panda.

The response

Indonesia’s national intelligence agency BIN denied the claim that its servers were breached by the Chinese state-sponsored hacking group. However, the agency is still investigating whether other government agencies were affected.


State-sponsored cyberattacks are not new and are motivated by national interest. Mustang Panda is doing the same and is already known for targeting the Southeast Asian region. Thus, enterprises and governments need more efforts to stay protected and stop such cyberattacks.

Cyware Publisher