FYI.


China's 'Putter Panda' Cyber-Spies Have Been Hacking the US Aerospace Industry

A new report ties the cyberespionage crew to the Chinese military.
Image: Wikimedia Commons

The name may sound like a particularly adorable breed of Panda bear, but according to a new report, the Chinese cyberespionage group codenamed "Putter Panda" is responsible for a range of "intelligence-gathering operations"—cyberattacks—against the technology, research, defense, and government sectors in the US, UK, and Japan.

The cybersecurity firm CrowdStrike reported that the hacker group has specifically been snooping around the US satellite and aerospace industry for several years.


"Targeted economic espionage campaigns compromise technological advantage, diminish global competition, and ultimately have no geographic borders," CrowdStrike wrote in a statement released with the report.

Putter Panda's members disguise themselves as average workers, and the group is sponsored by the Chinese People's Liberation Army (PLA), according to the report. CrowdStrike claimed that the public disclosure of Putter Panda's activities will "keep the pressure on" following the recent US indictments of five Chinese military hackers associated with the PLA.

China, however, has denied the cyberespionage allegations. "In response to repeated, legitimate, and well-documented evidence of criminal activity the [People's Republic of China] predictably responds with denials, redirection, and intimidation," wrote CrowdStrike.

The Chinese government called the claims "absurd" and based on “fabricated facts” and said that "the Chinese government, the Chinese military and their relevant personnel have never engaged or participated in cyber theft of trade secrets," according to the report.

But the report features photos that hint at Putter Panda's possible military connections, and security experts are now tracking over 70 different threat actors. The report is based on months of wide-ranging analysis: domain name registries, connections to the Comment Panda and Vixen Panda groups, and the now possibly defunct 711 Network Security Team, which ran an email service and forum where Chinese hackers read security-based articles.


The security report links the cyberespionage group with the Justice Department's indictments against five Chinese nationals conducting economic espionage against US corporations. "The five known state actors are officers in Unit 61398 of the Chinese People’s Liberation Army," wrote CrowdStrike CEO George Kurtz.

The Justice Department's indictments are "the tip of a very large iceberg," he wrote.

A possible photo of Chen Ping, aka "cpyy", believed responsible for Putter Panda's malware command and control domain. Image: CrowdStrike

"Those reading the indictment should not conclude that the People’s Republic of China (PRC) hacking campaign is limited to five soldiers in one military unit, or that they solely target the United States government and corporations," wrote Kurtz. "Rather, China’s decade-long economic espionage campaign is massive and unrelenting. Through widespread espionage campaigns, Chinese threat actors are targeting companies and governments in every part of the globe."

Putter Panda, according to CrowdStrike, has documented activity going back to 2007, but CrowdStrike only started monitoring the group in 2012. Chen Ping, aka "cpyy", is identified in the report as the individual responsible for the domain registration for the command and control of the Putter Panda malware.
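The report is described above as linking infrastructure through domain name registries and as tying the C2 domains to a single registrant. The usual analyst step behind that kind of finding is to pivot on shared registrant details across registration records. The following is an added illustration of that step, not CrowdStrike's tooling or any data from the report: every record is constructed, and the domains and e-mail addresses use the reserved `.test` and `.invalid` names as placeholders.

```python
"""Pivot on shared registrant details across domain registration records.

Added illustration (not CrowdStrike's tooling): group domains whose
WHOIS-style records share a registrant e-mail, while refusing to link
records hidden behind a privacy proxy, since those share boilerplate
values across thousands of unrelated registrations.
"""
from collections import defaultdict

# Constructed WHOIS-style records (placeholder names, reserved TLDs).
# Only the fields an analyst pivots on are kept.
RECORDS = [
    {"domain": "example-c2-one.test",   "registrant_email": "alias@example.invalid",
     "registrant_name": "A. Alias", "registrar": "Registrar X"},
    {"domain": "example-c2-two.test",   "registrant_email": "alias@example.invalid",
     "registrant_name": "A Alias", "registrar": "Registrar Y"},
    {"domain": "unrelated-site.test",   "registrant_email": "other@example.invalid",
     "registrant_name": "B. Other", "registrar": "Registrar X"},
    {"domain": "example-c2-three.test", "registrant_email": "ALIAS@Example.invalid",
     "registrant_name": "A. Alias", "registrar": "Registrar Z"},
    {"domain": "privacy-shielded.test", "registrant_email": "redacted@privacy.invalid",
     "registrant_name": "REDACTED FOR PRIVACY", "registrar": "Registrar X"},
]

# Substrings that mark privacy-proxied registrations; such values recur
# across unrelated domains and must never be used as a link.
PRIVACY_MARKERS = ("redacted for privacy", "whoisguard", "domains by proxy", "privacy")


def normalize(value: str) -> str:
    """Lower-case and collapse whitespace so 'A. Alias' and 'a.  alias' compare equal."""
    return " ".join(value.lower().split())


def is_privacy_shielded(record: dict) -> bool:
    """True when either the registrant name or e-mail carries a privacy-proxy marker."""
    fields = (normalize(record["registrant_name"]), normalize(record["registrant_email"]))
    return any(marker in field for marker in PRIVACY_MARKERS for field in fields)


def cluster_by_registrant(records: list) -> dict:
    """Map registrant e-mail -> sorted domains, keeping only e-mails that link 2+ domains."""
    clusters = defaultdict(list)
    for record in records:
        if is_privacy_shielded(record):
            continue
        clusters[normalize(record["registrant_email"])].append(record["domain"])
    return {email: sorted(domains) for email, domains in clusters.items() if len(domains) > 1}


def linked_domains(records: list, seed_domain: str) -> list:
    """Other domains sharing the seed domain's registrant e-mail (empty if seed is proxied)."""
    by_domain = {record["domain"]: record for record in records}
    seed = by_domain[seed_domain]
    if is_privacy_shielded(seed):
        return []
    key = normalize(seed["registrant_email"])
    return sorted(
        record["domain"]
        for record in records
        if record["domain"] != seed_domain
        and not is_privacy_shielded(record)
        and normalize(record["registrant_email"]) == key
    )


if __name__ == "__main__":
    for email, domains in cluster_by_registrant(RECORDS).items():
        print(f"{email}: {', '.join(domains)}")
    print("linked to example-c2-one.test:", linked_domains(RECORDS, "example-c2-one.test"))
```

The e-mail address is only one pivot; in practice an analyst corroborates it with name-server history, registrar, and hosting overlap before treating two domains as the same actor's, because a single shared field can be coincidence or deliberate misdirection.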

The report also discloses the primary location of Unit 61486—the Shanghai headquarters of the 12th Bureau. CrowdStrike also noted that the 12th Bureau of the PLA's GSD Third Department is "generally acknowledged to be China’s premier Signals Intelligence (SIGINT) unit."


The report gives details on a wide set of tools used by Putter Panda, including Remote Access Tools (RATs).

"RATs are used by the Putter Panda actors to conduct intelligence-gathering operations with a significant focus on the space technology sector," CrowdStrike reported. "This toolset provides a wide degree of control over a victim system and can provide the opportunity to deploy additional tools at will." The group focuses its exploits on "popular productivity applications such as Adobe Reader and Microsoft Office to deploy custom malware through targeted email attacks."

As to how CrowdStrike obtained the information on Putter Panda, Unit 61486 (the 12th Bureau of the PLA's 3rd General Staff Department [GSD]), the firm noted it engaged in "tenacious reverse engineering, intelligence analysis, and cultural/linguistic specialists." A bit opaque, to be sure, but they aren't about to reveal the full extent of their own intelligence-gathering operations.

The report's hard stance is somewhat ironic given the international community's paranoia over possible US economic espionage in the wake of NSA leaks. And it's not as if this activity is without precedent. Remember, the Cold War was a time of intense economic espionage. The US government would have us believe that only the Soviets engaged in this type of espionage, but common sense indicates it was probably a mutual game.

In the end, neither the report nor the Justice Department indictments of Unit 61398 is likely to do much to curb cyberespionage. If anything, they will likely ramp up economic espionage and state-sponsored hacking on both the American and Chinese fronts. A veritable cold war of hacking is just over the horizon. Hell, one might even argue that it's already here.