Second Chinese PLA Hacking Unit Unmasked in ‘Putter Panda’ Report


Threat intelligence firm CrowdStrike has turned the heat up on Beijing with a new report claiming to uncover a second Shanghai-based PLA hacking group that has targeted US and European organizations over a period of several years.

Codenamed “Putter Panda” because many of the phishing emails it sent were targeted at golf-playing victims, the group is actually Unit 61486 – the 12th Bureau of the 3rd Department of the PLA’s General Staff Department (GSD), according to the report.
 
The activities of the group, which CrowdStrike CEO George Kurtz said his firm had been tracking since 2012, date back as far as 2007.
 
“This particular unit is believed to hack into victim companies throughout the world in order to steal corporate trade secrets, primarily relating to the satellite, aerospace and communication industries,” he wrote in the report introduction.
 
“With revenues totaling $189.2 billion in 2013, the satellite industry is a prime target for espionage campaigns that result in the theft of high-stakes intellectual property.”
 
The group, also known by the name “MSUpdater”, deploys custom malware that is delivered by exploiting popular productivity applications, including Adobe Reader and the Microsoft Office family.
 
In terms of attribution, CrowdStrike focused on a particular operative who used the handle “cppy” in the email addresses he used to register several C&C domains. Researchers traced these addresses back to a “Chen Ping”, whose blog indicated he works for the “military/police”.
 
Crucially, the blog also featured several photos of his dorm and office in which PLA officer hats can clearly be seen, according to a blog post by senior security researcher Nathaniel Hartley.
 
Additional shots taken of the grounds surrounding his dorm show the Shanghai landmark the Oriental Pearl Tower, as well as several large satellite dishes, which CrowdStrike used to identify its location – smack bang in the headquarters of the 12th Bureau, 3rd Department of the GSD.
 
There is also evidence to suggest the Putter Panda group shared some infrastructure, including several C&C domains, with infamous PLA Unit 61398 (Comment Group) – the subject of a Mandiant report in 2013 which provided the first concrete link between the Chinese state and hacking activity.
 
“While there are no ‘smoking keyboards’ in the unclassified intelligence CrowdStrike has collected on Putter Panda, the balance of evidence available points to an extensive operation conducted by a PLA unit with a nexus to space-based communication systems,” Hartley concluded.
 
“The alleged location and imagery associated with Chen Ping further corroborates the likelihood that this actor is affiliated with the PLA 12th Bureau of the 3rd Department of the GSD.”
 
The report comes just a few weeks after Washington took the unprecedented step of indicting five PLA officers for hacking US firms for economic gain. CrowdStrike said it was unveiling the research in order to “keep the pressure on” after China branded those allegations “ungrounded and absurd”.
 
“Targeted economic espionage campaigns compromise technological advantage, diminish global competition, and ultimately have no geographic borders,” CrowdStrike added. “We believe the US Government indictments and global acknowledgment and awareness are important steps in the right direction.”