With indictments still fresh against a handful of Chinese nationals accused of hacking American companies and stealing intellectual property, another branch of the People’s Liberation Army and allegedly one of its officers have been outed for cyberespionage against U.S. and European aerospace and satellite companies.
Unit 61486 of the PLA Third General Staff Department 12th Bureau, code named Putter Panda by American security company CrowdStrike, is alleged to have carried out APT-style espionage campaigns, exfiltrating data from a number of unnamed companies in the space and defense industries.
CrowdStrike’s report on Putter Panda also connects a number of dots to identify an individual named Chen Ping, also known as cpyy, as the person who registered domains associated with the espionage campaign. The report also points overlaps in intelligence and information sharing between Unit 61486 and Unit 61386, commonly known as the Comment Crew, which was identified by Mandiant in its APT1 report.
Using open source intelligence, Ping is identified as having listed himself as Chinese military and police, and trained by the 12th Bureau, CrowdStrike executives aid. The company, which markets itself as a threat intelligence firm among other services, said it released the report in response to China’s condemnation of the May 19 indictments and denials that it does not engage is such activity.
“This is one of the better attributions we’ve had in the community,” said CrowdStrike cofounder and CTO Dmitri Alperovich. “It’s incontrovertible that it’s not just five individuals, but other PLA officers and another PLA unit. This is part of their systematic activity against the U.S. government to steal intellectual property from U.S. companies. We wanted to apply pressure on [the PLA] and highlight to other hackers in China that you cannot hide behind a wall of anonymity.”
Ping’s downfall was his insistence on using his cpyy moniker to register domains used as command and control in the Putter Panda campaign. CrowdStrike was also able to find variations of the same cpyy email addresses that were used to register personal blogs belonging to Ping, some of which were registered in 2007. Content on those sites include posts about patriotism and country that CrowdStrike said is consistent with someone with a military connection.
The same handle is used on an automobile forum where cpyy is communicating with another hacker named Linxder, who has ties to the Comment Crew, in code disguised as car slang, Crowdstrike said. There are also a number of photographs believed to be of cpyy on another blog he registered, and a Picassa site with photos connecting him to the Chinese military, CrowdStrike said, including working out with military personnel, celebrating a birthday in military garb, and a picture of two stacked military hats, PLA officer hats.
“It’s a lot of weird comments that make no sense, but our analysts pieced it together that they were talking about computer security under the subterfuge of automobiles,” said VP of Intelligence Adam Meyers, who clarified that cpyy tried to cover his tracks by changing the email addresses on the domain registrations some time after they were initially registered. “We were able to piece together more of a story based on public reporting and our intelligence. This is a pretty straight line.”
As for the specific attacks, none of the victims were named, but they don’t differ from many other APT attacks that have been reported. The attackers used a variety of exploits, primarily targeting existing vulnerabilities in Adobe Reader and Microsoft Office products with off-the-shelf exploits. Very little custom malware was used in the attacks, CrowdStrike said. In each case, remote access Trojans (RATs) were used to move data off compromised systems; Putter Panda made use of four different RATs. Phishing emails, using lures of yoga lessons or job offers, were used to initiate different stages of attacks, Crowdstrike said.
“It’s difficult to gauge the success of what they did,” Myers said. “But working with customers and supporting them, we can categorize that we’re talking about material loss and that they were fairly successful getting in and getting what they wanted.”
President, CEO and cofounder George Kurtz said China’s primary motivation is economic advancement, and accelerating time to market for knock-off technologies.
“That’s the interesting piece is that there is strong commercial ownership interest by government in Chian, which is not the case here in the U.S.,” Kurtz said. “All of this is part of a systemic information-gathering campaign that is certainly used for intelligence and military advancement, and where possible, the information is shared with companies that could benefit from it.”
Meyers and Kurtz said that CrowdStrike analyzes the intelligence objectives of adversaries to U.S. companies. For example, they pointed to what is believed to be an impending energy crisis in China and how the country might accelerate its goal of becoming energy independent.
“We identify their gaps in technology and capabilities in state-owned enterprises in China and where they need to step up to avoid a crisis,” Meyers said. “Then we can put together a strategic impact of how China will target oil and gas to acquire technology and leapfrog to make changes. We can read the tea leaves and see what they’re after, why they need it, and who they will target.”