Putter Panda APT behind cyber espionage campaigns: are they members of PLA Unit 61486?

CrowdStrike published a new report which blames the Chinese Putter Panda group for a series of cyber espionage campaigns conducted against foreign companies.

Putter Panda is the name of the threat actor responsible for a series of cyber espionage operations originating in Shanghai; security experts have linked its operations to the activity of the People’s Liberation Army 3rd General Staff Department, 12th Bureau, Unit 61486.

A fake yoga brochure was one of several lures used in a spear-phishing campaign conducted by the stealthy Chinese cyber unit, according to an investigation by researchers at the security firm CrowdStrike. In this case too, the experts believe we are facing a large-scale cyber espionage campaign targeting government entities, contractors and research companies in Europe, the USA and Japan.

The group has been operating since at least 2007 and appears very interested in research companies in the space and satellite industry; experts at CrowdStrike have collected evidence of numerous attacks against these industries.

CrowdStrike’s report blames China for the campaigns conducted to steal trade and military secrets and intellectual property from foreign companies.

The hacking teams uncovered by CrowdStrike’s forensic experts adopted an effective strategy to hide their origins: they used compromised foreign websites to launch their attacks.

The security experts noticed that the tools used in the various cyber espionage campaigns were built during working hours in the Chinese time zone, as explained in the report:

“A build time analysis of all known samples is shown in Figure 1 below, relative to China time. Although this shows that there is some bias in the build time distribution to daylight or working hours in China, which is more significant if a possible three-shift system of hours is considered (0900-1200, 1400-1700, and 2000-2300), this evidence is not conclusive. There is also some evidence that build times are manipulated by the adversary; for example, the sample with MD5 hash bc4e9dad71b844dd3233cfbbb96c1bd3 has a build time of 18 July 2013, but was supposedly first submitted to VirusTotal on 9 January 2013. This shows that the attackers – at least in 2013 – were aware of some operational security considerations and were likely taking deliberate steps to hide their origins.”
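The two checks the report describes, build-time distribution across the three shift windows and build times that postdate a sample's first public sighting, can be reproduced over a sample inventory. This is an added example, not CrowdStrike's code; the sample list is constructed, except for the one hash and the two dates quoted from the report above.

```python
"""Build-time analysis in the style of the Putter Panda report: convert PE
compile timestamps (UTC) to China time, bucket them into the report's three
shift windows, and flag samples whose build time is later than their
first-seen date (a sign of timestamp manipulation). Added example."""
from collections import Counter
from datetime import datetime, timedelta, timezone

CHINA_TZ = timezone(timedelta(hours=8))  # Asia/Shanghai, no DST
# Shift windows quoted in the report, as (start_hour, end_hour) in China time.
SHIFTS = {"0900-1200": (9, 12), "1400-1700": (14, 17), "2000-2300": (20, 23)}

def to_china_time(ts_utc: datetime) -> datetime:
    """PE timestamps count seconds since the epoch in UTC; shift to UTC+8."""
    return ts_utc.astimezone(CHINA_TZ)

def shift_for(ts_utc: datetime) -> str:
    """Return the shift window a build time falls in, or 'outside'."""
    hour = to_china_time(ts_utc).hour
    for name, (start, end) in SHIFTS.items():
        if start <= hour < end:
            return name
    return "outside"

def shift_distribution(samples):
    """Count samples per shift window; samples is a list of dicts."""
    return Counter(shift_for(s["build_time"]) for s in samples)

def timestamp_anomalies(samples):
    """A sample cannot have been compiled after it was first seen in the
    wild, so build_time > first_seen means the timestamp was altered."""
    return [s["md5"] for s in samples if s["build_time"] > s["first_seen"]]

def utc(y, m, d, hh=0, mm=0):
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)

# Constructed inventory: the first entry reuses the hash and dates quoted
# from the report; the remaining entries are invented for illustration.
SAMPLES = [
    {"md5": "bc4e9dad71b844dd3233cfbbb96c1bd3",
     "build_time": utc(2013, 7, 18, 2, 30), "first_seen": utc(2013, 1, 9)},
    {"md5": "constructed-01", "build_time": utc(2013, 3, 4, 1, 15),   # 09:15 CST
     "first_seen": utc(2013, 3, 20)},
    {"md5": "constructed-02", "build_time": utc(2013, 3, 5, 7, 45),   # 15:45 CST
     "first_seen": utc(2013, 4, 1)},
    {"md5": "constructed-03", "build_time": utc(2013, 3, 6, 13, 10),  # 21:10 CST
     "first_seen": utc(2013, 4, 2)},
    {"md5": "constructed-04", "build_time": utc(2013, 3, 7, 18, 0),   # 02:00 CST
     "first_seen": utc(2013, 4, 3)},
]

if __name__ == "__main__":
    print(shift_distribution(SAMPLES))
    print("manipulated build times:", timestamp_anomalies(SAMPLES))
```

As the report cautions, a skew toward the shift windows is only weak evidence on its own; the anomaly check is the more reliable signal because a forged timestamp is a fact about the sample, not a statistical tendency.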

The report attributes cyber attacks against dozens of public and private sector organizations to a group of Chinese state-sponsored hackers, dubbed Putter Panda because they often targeted golf-playing conference attendees.

The hackers focus their exploits on popular applications, including Adobe Reader and Microsoft Office, delivering custom malware through spear-phishing attacks.

“There are several pieces of evidence to indicate that the activity tracked by CrowdStrike as PUTTER PANDA is attributable to a set of actors based in China, operating on behalf of the Chinese People’s Liberation Army (PLA). Specifically, an actor known as cpyy (Chen Ping) appears to have been involved in a number of historical PUTTER PANDA campaigns, during which time he was likely working in Shanghai within the 12th Bureau, 3rd General Staff Department (GSD),” states the report.

According to revelations from NSA officials, more than 20 cyber units belonging to the People’s Liberation Army are involved in cyber espionage campaigns against foreign high-tech companies and research groups.

China and the US are trading accusations of cyber espionage: a couple of weeks ago the Justice Department issued an indictment naming five PLA members as responsible for espionage against US companies including Alcoa, Westinghouse Electric and the United States Steel Corporation. In response, the Chinese government denied the charges and announced retaliatory measures against US companies trading with Chinese businesses.

The hackers nevertheless made some curious errors; for example, they registered the websites used for the attacks with the same email address they used to register social media accounts.

“Domains registered by Chen Ping were used to control PUTTER PANDA malware. These domains were registered to an address corresponding to the physical location of the Shanghai headquarters of 12th Bureau, specifically Unit 61486. The report illuminates a wide set of tools in use by the actors, including several remote access tools (RATs). The RATs are used by the PUTTER PANDA actors to conduct intelligence-gathering operations with a significant focus on the space technology sector.”

Putter Panda used several pieces of malicious code, mainly RATs, in its operations; the most common of these are the 4H RAT and the 3PARA RAT, both already documented by CrowdStrike in previous CrowdStrike Intelligence reports.

What to expect for the future?

As explained by the experts at CrowdStrike, Putter Panda is likely to continue to target Western entities in search of highly valuable information and intellectual property.

Enjoy the report!

Pierluigi Paganini

(Security Affairs – Cyber espionage, Putter Panda)

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). A passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
