The so-called ‘Putter Panda’ cyber espionage group have been operating out of Shanghai since at least 2007, most likely on behalf of Unit 61486 of the Chinese People's Liberation Army (PLA), says CrowdStrike in a detailed 62-page report published on Monday.
Their known targets include space, satellite and remote sensing technology companies, particularly in Europe; aerospace firms, again mainly in Europe; and Japanese and European telecoms companies. Other targets include US defence, government, research and technology organisations.
The hackers sent targeted emails to individuals and these contained remote access Trojans and other malware, which, once opened, allowed the attacker to take control of the victim's computer. One lure they used was a fake email brochure for a yoga studio in Toulouse, the heart of the French aerospace industry.
CrowdStrike explains: “They focus their exploits against popular productivity applications such as Adobe Reader and Microsoft Office to deploy custom malware through targeted email attacks.”
Adam Meyers, the company's VP of intelligence, said he could not provide further details on the victims, but he told SCMagazineUK.com by email: “We released this report to keep the pressure on and to do our part to help hold China accountable for a massive and unrelenting campaign of industrial espionage.”
CrowdStrike's report also identifies several links between Putter Panda and Unit 61398, the Chinese army hacker group famously exposed by Mandiant last year for targeting European and other commercial organisations.
That Mandiant report indirectly led to last month's indictment of five Chinese army officers in the US on 31 counts of computer hacking and theft of trade secrets - which in turn sparked a war of words between the US and China over their cyber espionage activities, with the US trying to claim some moral high ground on the basis of targeting political and military rather than industrial groups.
CrowdStrike's report lends weight to the US cause, but is bound to inflame the dispute.
The report confirms: “Putter Panda is a determined adversary group, conducting intelligence gathering operations. The strategic objectives for this unit are likely to include obtaining intellectual property and industrial secrets relating to defence technology, particularly those that help enable the unit's suspected mission to conduct space surveillance, remote sensing and interception of satellite communications.
“Putter Panda is likely to continue to aggressively target Western entities that hold valuable information or intellectual property relevant to these interests.”
Commenting on the findings, Dr David Bailey, CTO for cyber security at BAE Systems Applied Intelligence (formerly Detica), told SC via email: “It is interesting how we are now seeing reports of threat actors focused on specific areas of economic interest – in this case satellite technology. This specialisation of labour is inevitable as cyber espionage becomes more industrialised, and illustrates how the threat has evolved over the last decade.”
He added: “Whether naming individuals behind attacks will have an effect is unclear and is unlikely to eliminate the threat given the significant gains a successful attack can achieve. Businesses need to manage and own their risk – identifying key systems, protecting critical assets, monitoring activity on their systems more effectively, and having well-rehearsed response plans.”
Commenting on behalf of Mandiant, now owned by FireEye, Jason Steer, FireEye's director of technology strategy, said it was important in critical-industry attacks like this to identify who the hackers are.
“In general many organisations don't really have the need, people or budget for APT attribution,” he told SC. “However, industries such as aerospace, utilities and government have a vested interest because they need to know more about the enemy given the value of their IP and importance to society.
“The command and control domains used by hackers can provide clues about who is trying to infiltrate your networks and, most importantly, what would happen to your stolen information if it was compromised by an attack. Attribution tools let you search the firewall, DNS and router logs to see if anyone has been trying to connect to you.
“You can also go as far as connecting to other DNS providers to see how many other domains the suspected user has registered and what they are. This gives you a good profile of who is trying to attack you as well as confirm if the domain is legitimate or not.”
To help firms spot whether they have been targeted, CrowdStrike says: “The following Windows registry artefacts are indicative of a compromised host: ASEP registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and value named McUpdate.
“The presence of the following file system artefacts is indicative of a compromised host:
• ssdpsvc.dll, msacem.dll, or mrpmsg.dll
“A file mapping named &*SDKJfhksdf89*DIUKJDSF&*sdfsdf78sdfsdf also indicates the victim machine is compromised with Putter Panda malware.”
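The following host triage script is an added example and is not part of the CrowdStrike report or this article; it checks a Windows machine for the three artefact types quoted above. The directories searched for the DLLs and the probing of the file mapping under both the session and `Global\` namespaces are my assumptions, not details from the report.

```powershell
# Added triage script (not from the CrowdStrike report). Checks one Windows
# host for the Putter Panda artefacts quoted in the article: the Run value,
# the three DLL names and the named file mapping.
# Assumption: DLLs are searched only in $SearchDirs; the mapping is probed in
# the current session namespace and under Global\ (it only exists while the
# malware process is running, so absence does not clear the host).

$RunKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValue    = 'McUpdate'
$DllNames    = @('ssdpsvc.dll', 'msacem.dll', 'mrpmsg.dll')
$MappingName = '&*SDKJfhksdf89*DIUKJDSF&*sdfsdf78sdfsdf'
$SearchDirs  = @("$env:SystemRoot\System32", "$env:SystemRoot",
                 "$env:TEMP", "$env:APPDATA", "$env:LOCALAPPDATA")

$Findings = @()

# 1. ASEP registry artefact: a value named McUpdate under HKCU ...\Run
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains $RunValue)) {
    $Findings += "Run value '$RunValue' present: $($run.$RunValue)"
}

# 2. File system artefacts: any of the three DLL names in the search dirs
foreach ($dir in $SearchDirs) {
    if (-not (Test-Path -Path $dir)) { continue }
    Get-ChildItem -Path $dir -Recurse -Include $DllNames -File -ErrorAction SilentlyContinue |
        ForEach-Object { $Findings += "DLL artefact: $($_.FullName)" }
}

# 3. Named file mapping: try to open it read-only via kernel32.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr OpenFileMapping(uint dwDesiredAccess, bool bInheritHandle, string lpName);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@
$FILE_MAP_READ = 4
foreach ($name in @($MappingName, "Global\$MappingName")) {
    $h = [Win32.Native]::OpenFileMapping($FILE_MAP_READ, $false, $name)
    if ($h -ne [IntPtr]::Zero) {
        $Findings += "File mapping present: $name"
        [void][Win32.Native]::CloseHandle($h)
    }
}

if ($Findings.Count -eq 0) { 'No Putter Panda artefacts found.' } else { $Findings }
```

Run it in an elevated session so the system directories are readable; a hit on any of the three checks warrants full incident-response triage of the host rather than simple deletion of the artefact.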