For about seven years, Chinese hackers sent employees in Western government and private sectors emails about conferences, job offers and even a yoga studio. But they weren’t offering them jobs or trying to balance their chi; they were breaking into their employers’ networks to steal industry and government information, a new report charges.
The report comes from Crowdstrike, a cyber-security firm founded by former McAfee executives that specializes in "advanced" threats. The firm released a 60-page report detailing the exploits of a group it calls Putter Panda, a task force within Unit 61486 of the Chinese People’s Liberation Army’s 12th Bureau. According to Crowdstrike, Putter Panda focuses its attacks on the aerospace and satellite industries in the U.S. and Europe. Crowdstrike named the group Putter Panda for its habit of targeting people who attend golf conferences.
The report comes three weeks after the U.S. charged five Chinese hackers with stealing secrets in the steel, nuclear and solar industries. According to the New York Times, Putter Panda would sometimes share information with Byzantine Candor, the Chinese military group whose alleged hackers were indicted in May. The Chinese government accused the U.S. of making the story up and suspended the Sino-U.S. Cyber Working Group in retaliation.
“After the Chinese response, where they basically said this is all fabricated, we said why don’t we unleash something that’s undeniable,” Crowdstrike co-founder Dmitri Alperovitch said.
The Putter Panda hackers both registered their own fake domains and compromised legitimate domains to deliver their malware. They registered domains like bmwauto.org, signalfcc.com and space-today.info. They also hid malware in PDFs purporting to come from real businesses, delivered via email to employees. The PDF for a yoga studio in Toulouse, France, started with this (translated from French via Google):
“Welcome to Sahaja Yoga Toulouse. Finally, a universal method to know the universe and the gods, as recommended by Socrates.”
That was targeted at employees in Toulouse, a major aerospace hub in southern France.
Once in a targeted system, the Chinese malware allowed operators a “wide degree of control” and allowed them to install new tools as they saw fit.
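The delivery chain described above (lookalike domains such as bmwauto.org, signalfcc.com and space-today.info, plus PDF lures mailed to employees) is what a defender would turn into a watchlist. The following added example, which is not part of the report or the article, shows the kind of triage a mail gateway or proxy-log review could run against those three domains: it normalises hosts taken from URLs and sender addresses, matches subdomains as well as exact names, and separately flags PDF attachments arriving from outside the organisation. The sample emails and proxy lines are constructed, and the internal domain `corp.example` is an assumption.

```python
"""Triage constructed mail and proxy records against the domains the report names."""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Domains the article says Putter Panda registered to deliver malware.
WATCHLIST = {"bmwauto.org", "signalfcc.com", "space-today.info"}

# Assumed internal mail domain; anything else counts as external.
INTERNAL_DOMAIN = "corp.example"

# Constructed sample messages (not real telemetry).
SAMPLE_EMAILS = [
    {"id": "m1", "sender": "events@conference-invite.example",
     "urls": ["http://www.space-today.info/agenda.pdf"], "attachments": []},
    {"id": "m2", "sender": "hr@bmwauto.org",
     "urls": [], "attachments": ["job_offer.pdf"]},
    {"id": "m3", "sender": "colleague@corp.example",
     "urls": ["https://intranet.corp.example/report"], "attachments": ["notes.docx"]},
    {"id": "m4", "sender": "studio@yoga-toulouse.example",
     "urls": [], "attachments": ["welcome.PDF"]},
]

# Constructed proxy log: timestamp, client, method, URL, status.
SAMPLE_PROXY_LOG = """\
2014-06-09T10:12:01Z 10.0.0.14 GET http://signalfcc.com/update.bin 200
2014-06-09T10:12:05Z 10.0.0.22 GET https://cdn.example/lib.js 200
2014-06-09T10:13:44Z 10.0.0.14 GET http://mail.space-today.info./login 302
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def host_of(url: str) -> str:
    """Extract a lowercased host from a URL, dropping any trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def sender_domain(addr: str) -> str:
    """Domain part of an email address, normalised like host_of()."""
    return addr.rsplit("@", 1)[-1].lower().rstrip(".")


def on_watchlist(host: str) -> bool:
    """True if host is a watchlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def triage_emails(emails: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (message id, reasons) for every message that trips a rule."""
    findings = []
    for m in emails:
        reasons = []
        sdom = sender_domain(m["sender"])
        if on_watchlist(sdom):
            reasons.append("sender-domain-on-watchlist")
        for u in m["urls"]:
            h = host_of(u)
            if on_watchlist(h):
                reasons.append(f"url-on-watchlist:{h}")
        # Coarse signal: PDF from outside the organisation. Noisy on its own,
        # but the lures described in the report were exactly this shape.
        has_pdf = any(a.lower().endswith(".pdf") for a in m["attachments"])
        if has_pdf and sdom != INTERNAL_DOMAIN and not sdom.endswith("." + INTERNAL_DOMAIN):
            reasons.append("external-pdf-attachment")
        if reasons:
            findings.append((m["id"], reasons))
    return findings


def triage_proxy_log(text: str) -> list[tuple[str, str]]:
    """Return (client, host) for proxy lines whose host is on the watchlist."""
    hits = []
    for line in text.splitlines():
        mt = LINE_RE.match(line)
        if not mt:
            continue  # skip malformed lines rather than guess
        h = host_of(mt["url"])
        if on_watchlist(h):
            hits.append((mt["src"], h))
    return hits


if __name__ == "__main__":
    for msg_id, why in triage_emails(SAMPLE_EMAILS):
        print(f"mail {msg_id}: {', '.join(why)}")
    for client, host in triage_proxy_log(SAMPLE_PROXY_LOG):
        print(f"proxy: {client} contacted {host}")
```

The subdomain match matters because a lure URL rarely sits at the bare registered name (`www.space-today.info` rather than `space-today.info`), and the trailing-dot normalisation keeps a fully qualified `host.` from slipping past an exact-string comparison. The external-PDF rule is deliberately coarse; in practice it is a prioritisation hint to combine with the watchlist match, not a block rule.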
Many domains were registered by a man known as cpyy, or “Chen Ping.” Crowdstrike tracked him through various social media and forum websites (even finding out he’s a photography enthusiast) and believes he is directly connected to Putter Panda. In one of Chen Ping’s albums, called “office,” it found pictures of a building surrounded by satellite dishes and traced the building to Shanghai.
Cpyy was believed to communicate with hackers via auto enthusiast forums, using code words associated with cars to clue them in on jobs and operations.
Crowdstrike says it tracks 70 espionage groups worldwide; around 35 of them are based in China and may be linked to the Chinese government.