Mustang Panda, a China-aligned espionage group, has shifted its command-and-control infrastructure to legitimate cloud synchronization services, according to a June 29 report. The group’s ongoing campaigns against Indian government administrative networks and regional hydropower facilities demonstrate a tactical evolution that effectively bypasses traditional network perimeter defenses.

Researchers at the Acronis Threat Research Unit uncovered active compromises within targeted environments, including workstations used by senior administrative staff. Investigators found that operators are embedding malicious instructions and data exfiltration routines directly into Zoho WorkDrive's native API traffic. Because that traffic terminates at a legitimate, TLS-encrypted SaaS endpoint that most organizations already allow, routing operations through routine cloud synchronization masks malicious activity within standard enterprise workflows and leaves legacy perimeter tools, which key on destination reputation and known-bad signatures, largely blind to the intrusion.

This "living-off-the-cloud" methodology exposes the limitations of conventional firewalls and signature-based detection. Security experts stress that defending against such cloud-native tactics requires a fundamental architectural pivot toward identity- and data-centric security models. Organizations must now prioritize continuous SaaS log monitoring, baseline modeling of normal API behavior, and rigorous auditing of both sanctioned and shadow IT integrations.

For DevSecOps and security operations teams, the findings underscore the need to extend zero-trust verification and automated SaaS security posture management to the same automation that governs CI/CD pipelines, rather than treating SaaS tenants as out-of-scope infrastructure. High-privilege accounts should be isolated behind strict identity governance and enforced multi-factor authentication, while application allowlisting can shrink the attack surface before deployment. Behavioral telemetry capable of flagging anomalous API call volumes, irregular or suspiciously regular sync intervals, and unauthorized third-party connections is now a baseline requirement.
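The baseline-and-deviation approach described in the two paragraphs above, as an added example that is not Acronis's, Zoho's, or the article's own code: it parses constructed SaaS audit events (a simplified JSON-lines stand-in, not Zoho WorkDrive's real export schema), builds a per-identity volume baseline from the population median, checks each client's inter-call timing for the machine-like regularity of a beacon, and flags any integration absent from an assumed sanctioned-client allowlist.

```python
"""Baseline-and-deviation detection over SaaS API audit events.

Added example, not vendor code. The event format, the sanctioned-client
allowlist and the sample log are all constructed for illustration.
"""
import json
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Integrations the organisation has approved (assumption for this example).
SANCTIONED_CLIENTS = {"desktop-sync", "web-ui"}


def _make_events(user, client, offsets_s, bytes_each, action="upload"):
    """Build constructed JSON audit lines at given second offsets from T0."""
    t0 = datetime(2025, 6, 29, 8, 0, tzinfo=timezone.utc)
    return [
        json.dumps({
            "ts": (t0 + timedelta(seconds=off)).isoformat(),
            "user": user,
            "client_id": client,
            "action": action,
            "bytes": bytes_each,
        })
        for off in offsets_s
    ]


# Constructed sample log (JSON lines), not a real WorkDrive export:
#  - alice's sanctioned sync client fires with ordinary network/user jitter;
#  - bob touches the web UI a few times at irregular moments;
#  - an unsanctioned client on alice's workstation beacons every 600 s exactly
#    and pushes far more data than either of the others.
SAMPLE_LOG = (
    _make_events("alice", "desktop-sync",
                 [0, 290, 620, 905, 1260, 1510, 1880, 2100], 20_000)
    + _make_events("bob", "web-ui", [100, 700, 3000, 5000], 10_000)
    + _make_events("alice", "unknown-app-7f",
                   [i * 600 for i in range(8)], 20_000_000)
)


def parse_events(lines):
    """Parse JSON-lines audit records into dicts with a real datetime."""
    events = []
    for line in lines:
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def detect_anomalies(events, sanctioned=SANCTIONED_CLIENTS,
                     min_events=5, cv_threshold=0.1, volume_factor=5.0):
    """Return one finding per rule for each (user, client) that deviates."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["user"], ev["client_id"])].append(ev)

    totals = {key: sum(ev["bytes"] for ev in evs) for key, evs in groups.items()}
    # The population median is the volume baseline: unlike the mean it is not
    # dragged upward by the very outlier we are trying to catch.
    baseline = statistics.median(totals.values())

    findings = []
    for (user, client), evs in groups.items():
        def flag(rule, detail):
            findings.append({"rule": rule, "user": user,
                             "client": client, "detail": detail})

        # Rule 1: third-party connection not on the sanctioned list.
        if client not in sanctioned:
            flag("unsanctioned_client", f"{client} is not an approved integration")

        # Rule 2: near-zero jitter between calls is machine scheduling, not a
        # human or a normal sync client reacting to file changes.
        if len(evs) >= min_events:
            ts = sorted(ev["ts"] for ev in evs)
            gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
            mean = statistics.mean(gaps)
            cv = statistics.pstdev(gaps) / mean if mean else 0.0
            if cv < cv_threshold:
                flag("regular_interval", f"inter-call CV {cv:.3f} (mean {mean:.0f}s)")

        # Rule 3: transferred volume far above the identity population.
        if totals[(user, client)] > volume_factor * baseline:
            flag("volume_outlier",
                 f"{totals[(user, client)]} bytes vs baseline {baseline:.0f}")
    return findings


if __name__ == "__main__":
    for f in detect_anomalies(parse_events(SAMPLE_LOG)):
        print(f"{f['rule']:20} {f['user']}/{f['client']}: {f['detail']}")
```

On the sample log only the unsanctioned client trips all three rules; the sanctioned sync client's jitter keeps its coefficient of variation above the threshold and its volume sits at the baseline. In production the interval rule needs the allowlist beside it, because a sanctioned client driven by a fixed scheduler also shows low jitter, and the thresholds should be tuned per tenant from a clean observation window rather than taken from the constants above.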

The open-source security community is increasingly turning to AI-assisted log analysis to accurately model SaaS behavior and reduce false-positive rates. Coupling these tools with real-time threat intelligence feeds tracking adversary infrastructure can significantly accelerate incident triage. To operationalize these defenses, organizations should invest in targeted training for cloud-native forensics, API security auditing, and identity governance.

While the current campaigns remain regionally focused, the underlying methodology offers a scalable blueprint for future state-sponsored espionage. As legitimate cloud platforms become indispensable to enterprise operations, IT teams must treat SaaS environments as dynamic attack surfaces requiring continuous monitoring, strict access controls, and proactive threat hunting.

