BelchSpeak


Crowdstrike Talks Putter Panda Targeting Satellite Companies

Great paper by Crowdstrike, a decentralized group of malware researchers, outing a Chinese military effort to steal intelligence from satellite makers.

[Image: cpyy]

From ZDNet here:

US security technology group Crowdstrike has identified another cyber espionage group with links to the Chinese military, which has been systematically attacking US and European government partners in the space and satellite industry, according to the company.

According to Crowdstrike, the espionage entity, dubbed Putter Panda, has several connections to Comment Panda, the group previously attributed to the Chinese army’s secretive Unit 61398, to which the five men indicted by the US government for alleged hacking activities last month belonged.

A 63-page report published by Crowdstrike revealed that Putter Panda operates out of Shanghai, with connections to the People’s Liberation Army (PLA) Third General Staff Department, 12th Bureau Military Unit Cover Designator 61486.

The PLA’s Third General Staff Department is generally acknowledged to be China’s premier signals intelligence collection and analysis agency, according to Crowdstrike, while the 12th Bureau Unit 61486 supports China’s space surveillance network.

According to the report, this particular unit is believed to hack into victim companies throughout the world in order to steal corporate trade secrets, primarily relating to the satellite, aerospace and communication industries.

Crowdstrike said it had been tracking the activity of the cyber espionage group since 2012, under the codename Putter Panda, and has documented activity of the group back to 2007.

The report identifies 35-year-old Chen Ping, aka cpyy, as an individual responsible for the domain registration for the Command and Control of Putter Panda malware, along with the primary location of Unit 61486 in Shanghai.

It was good analysis by the Crowdstrike team, but they highlighted some mistakes made by this adversary: the use of a real military address for domain registration, and a really obvious faked user-agent name in the botnet beaconing patterns. Had this hacker crew avoided those two mistakes, the campaign may have gone unnoticed for much longer. And because this threat went for so long without being outed, it is pretty safe to assume that any satellite maker’s secrets are now in the hands of the Red Chinese.
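To make the beaconing point concrete, here is an added Python example (not from this post or the Crowdstrike report) that hunts a constructed proxy log for regular callbacks made with a User-Agent that only one host on the network ever sends. The log layout, hostnames and User-Agent strings are assumptions for the demo, not the adversary's real ones.

```python
"""Flag periodic beacons that use a rare, odd-looking User-Agent.

Constructed sample: 10.0.0.5 calls evil.example every ~600 s with a
misspelled UA string nobody else uses; the rest is ordinary browsing.
Record layout is assumed: unix_seconds,client_ip,dest_host,user_agent
"""
from collections import defaultdict
from statistics import mean, pstdev

FF_UA = "Mozilla/5.0 (Windows NT 6.1) Firefox/29.0"
ODD_UA = "Mozilla/4.0 (compatble; MSIE 6.0; Windws NT 5.1)"  # constructed
SAMPLE_LOG = "\n".join([
    f"0,10.0.0.5,news.example,{FF_UA}",
    f"30,10.0.0.5,news.example,{FF_UA}",
    f"50,10.0.0.6,news.example,{FF_UA}",
    f"100,10.0.0.5,evil.example,{ODD_UA}",
    f"400,10.0.0.6,news.example,{FF_UA}",
    f"700,10.0.0.5,evil.example,{ODD_UA}",
    f"1000,10.0.0.6,news.example,{FF_UA}",
    f"1302,10.0.0.5,evil.example,{ODD_UA}",
    f"1899,10.0.0.5,evil.example,{ODD_UA}",
    f"2500,10.0.0.5,evil.example,{ODD_UA}",
    f"3101,10.0.0.5,evil.example,{ODD_UA}",
])

def parse(log):
    """Split each line into (timestamp, client, host, ua); UA may contain commas."""
    recs = []
    for line in log.splitlines():
        ts, client, host, ua = line.split(",", 3)
        recs.append((int(ts), client, host, ua))
    return recs

def find_beacons(records, min_hits=5, max_jitter=0.1, min_period=60, rare_max_clients=1):
    """Return (client, host, ua) streams that are periodic AND use a rare UA."""
    ua_clients = defaultdict(set)    # ua -> set of clients that ever sent it
    hits = defaultdict(list)         # (client, host, ua) -> request timestamps
    for ts, client, host, ua in records:
        ua_clients[ua].add(client)
        hits[(client, host, ua)].append(ts)
    alerts = []
    for (client, host, ua), stamps in hits.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        # Low jitter relative to the period is the beaconing signal; a short
        # period would just be page-load bursts, so those are ignored.
        if period < min_period or pstdev(gaps) / period > max_jitter:
            continue
        if len(ua_clients[ua]) > rare_max_clients:
            continue   # a UA the whole fleet sends is not suspicious by itself
        alerts.append({"client": client, "host": host, "ua": ua,
                       "period": round(period), "hits": len(stamps)})
    return alerts
```

The two heuristics are combined on purpose: regular timing alone also matches software update checks, and a rare User-Agent alone matches any niche tool, but a periodic callback with a string no other host sends is worth an analyst's look.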
