George Kurtz

Putter Panda: Tip Of The Iceberg

What CrowdStrike's outing of Putter Panda -- the second hacking group linked to China's spying on US defense and European satellite and aerospace industries -- means for the security industry.

In May 2014, the US Department of Justice charged five Chinese military hackers for economic cyber espionage against US corporations. Those hackers are believed to be officers in Unit 61398 of the Chinese People’s Liberation Army (PLA). In response, the Chinese government stated that the claims were “absurd” and based on “fabricated facts.” China then went even further, stating, “The Chinese government, the Chinese military and their relevant personnel have never engaged or participated in cyber theft of trade secrets.” 

As I continue to say, what we see in the media is only the tip of the iceberg. While I don’t mind a good round of rhetoric from any nation state, these comments were a little over the top. China, I get you have to deny these sorts of things, but hey, we caught you red-handed on this one. 

Part of our mission at CrowdStrike is to provide government-quality intelligence to the private sector. We continually get asked whether attribution is possible in the land of bogus domain names and proxied IP addresses. The answer is yes. While attribution is part art and part science, it is possible to pinpoint the who and why of these attacks with a high degree of confidence. Nathaniel Hartley does a great job of explaining how we actually went about linking Chen Ping to the 3rd General Staff Department 12th Bureau of the PLA.

Why make this report public?
The Putter Panda report on UNIT 61486 has been part of our large library of intelligence reports and indicator feeds available to subscribers of CrowdStrike Intelligence for some time. So the question is, why make this report public now? Quite simply, we see firsthand what is happening in the trenches when we respond to large breaches during our incident response investigations. We see the massive amount of intellectual property that is being sucked out by the truckload, and we are tired of the continual denials. Most executives and boards of directors have no idea just what damage is being done to their corporations. We would love to see the US Government add yet another face to the FBI’s most wanted list.

So what?
Of course many will ask, so what? What does this mean for me? Why should I care? There are two main reasons for this sort of activity. One, signals intelligence and the collection of sensitive information on your enemy have been conducted for centuries. It’s only the medium in which the data is collected that has changed. Any information that a government believes could be valuable in providing a military advantage will be collected. Obviously, this goes beyond just China. Don’t hate the player, folks -- hate the game.

Second, it is a way for China to gain intellectual property rapidly and to reduce significantly the time and money involved in bringing new technologies to market. Keep in mind, the Chinese government has an ownership stake in many companies, and if it obtains some key information that can be used for military purposes, it has no problem handing it over to its corporations to jump-start their commercial interest.

Operationalizing intelligence
How do I respond when my boss asks, “Do we have a problem?” In addition to the attribution section, the report contains over 20 pages of technical analysis and indicators that organizations can use to determine if they have active Putter Panda infections inside their networks. The report also contains network and malware signatures in Snort and Yara format. You can use our free CrowdResponse tool and feed the Yara rules directly into it to determine if you truly do have a problem on your network and adjust your response to your boss accordingly. 

Attribution itself is important, not only to governments that want to use law-enforcement or diplomatic powers to put pressure on actors to behave responsibly, but also to provide contextual information about who is attacking your corporation. If you are in the satellite or aerospace industry, you definitely want to spend some time reading this report very closely and learning about the tradecraft and techniques of this adversary.

If these attackers haven’t hit you yet, chances are they will come for you eventually. If you do have them on your network, you also have valuable mitigation and remediation instructions and artifacts that can save you time and money when performing your forensic analysis. This is the power of operationalizing intelligence within your organization: developing capabilities not only to respond reactively to attacks, but also to utilize attribution, combined with technical indicators, to adjust your defense posture and prioritize your response.

Will it make a difference?
Similar to the US indictments, I do think there will be some good that comes out of releasing the report. Do I expect Chen Ping to be in the US courts any time soon? No. However, it does further cast the spotlight on China, and helps encourage the dialog on dealing with this issue. Keep in mind, just a few years back security researchers would whisper about China (and invent new terms like APT to avoid saying the country name publicly), but only recently has the country been publicly outed and taken to task.

It is a bit of a maturation process as we continue to highlight the country's activity and draw attention to what many in the intelligence community have known for years. Hopefully we can continue to drive awareness. If we burn down a bit of its infrastructure in the process, that wouldn’t be such a bad thing. Will the attackers be back? Yes. Like cockroaches when the light goes on, they will scatter, but you can bet they will be back. Hopefully you will be ready for them.

George Kurtz is President, CEO, and co-founder of CrowdStrike, a cutting-edge, big data, security technology company focused on helping enterprises and governments protect their most sensitive intellectual property and national security information. He is an ...
User Rank: Ninja
6/10/2014 | 3:53:32 PM
Re: Good reading
I still believe that it is just the tip of the iceberg. I'm also convinced that attribution is very hard even when we have found clear evidence, as in this specific case. Working times and techniques adopted by an APT might not be enough for attribution of responsibility; third parties could also use similar techniques to deceive investigators.

In this specific case I have no doubt that Chinese units are behind the cyber espionage campaign; in other cases, like Elderwood, I'm not so confident.


Marilyn Cohodas
User Rank: Strategist
6/10/2014 | 3:42:02 PM
Re: Good reading
You raise an interesting point, rjones2818. George, what was the tipping point that made you decide to release the Putter Panda intelligence report, and if China is now the worst offender, do you expect the "collection of sensitive information on your enemy" to continue and broaden?
User Rank: Strategist
6/10/2014 | 10:21:13 AM
Good reading
Thanks for your post. My main question is: will you report when any government is found by you to be hacking?