Chinese Hackers Are Monitoring Oil Interests in Iraq by Spying on US Think Tanks

Shortly after Islamic State of Iraq and the Levant (ISIS) insurgents started causing chaos in Iraq, Chinese hackers were on the scene to determine whether the nation’s oil interests in the country were in danger. And now, they're targeting US think tanks to do so. At least, that’s what US security company CrowdStrike has suggested in a report that outlines the activities of a group it calls Deep Panda.

CrowdStrike believes that Deep Panda has the backing of the Chinese government and reports that it was focused on hoovering up valuable information from nearby nations in Southeast Asia. That was until, on June 18—the day ISIS launched its attack on the Baiji oil refinery—​it started targeting US think tanks and individuals with a special interest in Iraq. The researchers are certain China is interested in protecting its oil investments, as the superpower relies on the troubled Middle Eastern state as its fifth-largest source of crude oil imports. China is also the biggest outside investor in Iraqi oil.

CrowdStrike’s findings came to light after it started working with a number of think tanks and human rights bodies. It emerged that the Deep Panda group had been trying to hack the email accounts of former senior government officials at these organisations, especially those who still had contact with people of interest inside Western governments. Once it acquired access to those email accounts, it not only siphoned off useful communications, but tried to infect others by sending out messages with malware attached to attractive targets, the US firm said. The names of the affected organisations haven’t been revealed.

The researchers used their intelligence systems to determine the nature of the attackers. They found the hacker crew sent emails containing an executable file to targets. That file would then download a Remote Access Trojan known as MadHatter to silently collect information from targets’ Macs and PCs. As it runs from memory, MadHatter leaves very little behind, making it tricky for standard protections to detect.

It should be no surprise Iraq’s strife has inspired an uptick in such cyber activity—physical conflict almost always comes with a cyber element in today’s world. In late June, security intelligence company IntelCrawler said there had been an increase in malicious activities seen coming out of Iraqi internet providers thanks to a slew of new botnets. They wrote that this "correlates with other geopolitical conflicts where state-sponsored activities in cyberspace try to affect outcomes on the ground."

Meanwhile, the latest actions of the Deep Panda group will add to mounting evidence of widespread Chinese-sponsored digital espionage. “Chinese-based 'bad actors' are prolific and simple metrics of attack detection by IP address put China’s IP address space regularly at the top of the charts,” Will Semple, vice president of research and intelligence for security company Alert Logic, told me.

“While this is a crude metric and not enough to point the virtual finger, it does allow security researchers and intelligence analysts to begin to build a profile. When we examine the breach attempts at our customers, we start to put together a lot of convincing data that point to groups that originate from China and display links to government support.”

China has repeatedly denied it uses hacking techniques of any kind. Five members of the nation’s People’s Liberation Army were recently charged by the US for alleged attacks on US companies. China was irate at the accusations, refusing to hand over any of the PLA soldiers named and calling on the Obama administration to retract the indictment.

Don't expect to hear much in response to these latest findings.