Attacks/Breaches
6/10/2014
09:40 AM
George Kurtz
George Kurtz
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Putter Panda: Tip Of The Iceberg

What CrowdStrike's outing of Putter Panda -- the second hacking group linked to China's spying on US defense and European satellite and aerospace industries -- means for the security industry.

In May 2014, the US Department of Justice charged five Chinese military hackers for economic cyber espionage against US corporations. Those hackers are believed to be officers in Unit 61398 of the Chinese People’s Liberation Army (PLA). In response, the Chinese government stated that the claims were “absurd” and based on “fabricated facts.” China then went even further, stating, “The Chinese government, the Chinese military and their relevant personnel have never engaged or participated in cyber theft of trade secrets.” 

As I continue to say, what we see in the media is only the tip of the iceberg. While I don’t mind a good round of rhetoric from any nation state, these comments were a little over the top. China, I get you have to deny these sorts of things, but hey, we caught you red-handed on this one. 

Part of our mission at CrowdStrike is to provide government-quality intelligence to the private sector. We continually get asked if attribution is possible in the land of bogus domain names and proxied IP addresses. The answer is yes. While attribution is part art and part science, it is possible with a high degree of confidence to be able to pinpoint the who and why of these attacks. Nathaniel Hartley does a great job of explaining how we actually went about linking Chen Ping to the 3rd General Staff Department 12th Bureau of the PLA.

Why make this report public?
The Putter Panda report on UNIT 61486 has been part of our large library of intelligence reports and indicator feeds available to subscribers of CrowdStrike Intelligence for some time. So the question is, why make this report public now? Quite simply, we see firsthand what is happening in the trenches when we respond to large breaches during our incident response investigations. We see the massive amount of intellectual property that is being sucked out by the truckload, and we are tired of the continual denials. Most executives and boards of directors have no idea just what damage is being done to their corporations. We would love to see the US Government add yet another face to the FBI’s most wanted list.

So what?
Of course many will ask, so what? What does this mean for me? Why should I care? There are two main reasons for this sort of activity. One, signals intelligence and the collection of sensitive information on your enemy have been conducted for centuries. It’s only the medium in which the data is collected that has changed. Any information that a government believes could be valuable in providing a military advantage will be collected. Obviously, this goes beyond just China. Don’t hate the player, folks -- hate the game.

Second, it is a way for China to gain intellectual property rapidly and to reduce significantly the time and money involved in bringing new technologies to market. Keep in mind, the Chinese government has an ownership stake in many companies, and if it obtains some key information that can be used for military purposes, it has no problem handing it over to its corporations to jump-start their commercial interest.

Operationalizing intelligence
How do I respond when my boss asks, “Do we have a problem?” In addition to the attribution section, the report contains over 20 pages of technical analysis and indicators that organizations can use to determine if they have active Putter Panda infections inside their networks. The report also contains network and malware signatures in Snort and Yara format. You can use our free CrowdResponse tool and feed the Yara rules directly into it to determine if you truly do have a problem on your network and adjust your response to your boss accordingly. 

Attribution itself is important, not only to governments that want to use law-enforcement or diplomatic powers to put pressure on actors to behave responsibly, but also to provide contextual information about who is attacking your corporation. If you are in the satellite or aerospace industry, you definitely want to spend some time reading this report very closely and learning about the tradecraft and techniques of this adversary.

If these attackers haven’t hit you yet, chances are they will come for you eventually. If you do have them on your network, you also have valuable mitigation and remediation instructions and artifacts that can save you time and money when performing your forensic analysis. This is the power of operationalizing intelligence within your organization: developing capabilities not only to respond reactively to attacks, but also to utilize attribution, combined with technical indicators, to adjust your defense posture and prioritize your response.

Will it make a difference?
Similar to the US indictments, I do think there will be some good that comes out of releasing the report. Do I expect Chen Ping to be in the US courts any time soon? No. However, it does further cast the spotlight on China, and helps encourage the dialog on dealing with this issue. Keep in mind, just a few years back security researchers would whisper about China (and invent new terms like APT to avoid saying the country name publicly), but only recently has the country been publicly outed and taken to task.

It is a bit of a maturation process as we continue to highlight the country's activity and draw attention to what many in the intelligence community have known for years. Hopefully we can continue to drive awareness. If we burn down a bit of its infrastructure in the process, that wouldn’t be such a bad thing. Will the attackers be back? Yes. Like cockroaches when the light goes on, they will scatter, but you can bet they will be back. Hopefully you will be ready for them.

George Kurtz is President, CEO, and co-founder of CrowdStrike, a cutting-edge, big data, security technology company focused on helping enterprises and governments protect their most sensitive intellectual property and national security information. He is an ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
6/10/2014 | 3:53:32 PM
Re: Good reading
I still believe that it is just the tip of the iceberg. I'm also convinced that attribution is also very hard when we found clear evidence as in the specific case. Working time and techniques adopted by APT could not be enough for attribution of responsibilities, also third parties could use similar techniques to deceive investigators.

In the specific case I have no doubt that behind the cyber espionage campaign, there are Chinese units, in other cases like Elderwood I'm not so confident.

Regards

 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
6/10/2014 | 3:42:02 PM
Re: Good reading
You raise an interesting point, rjones2818. George, What was the tipiping point that made you decide to release the Putter Panda intellegience report and if China is now the worst offender,  do you expect the "collection of sensitive information on your enemy" to continue and broaden?
rjones2818
100%
0%
rjones2818,
User Rank: Moderator
6/10/2014 | 10:21:13 AM
Good reading
Thanks for your post.  My main question is will you report when any government is found by you to be hacking?
More Blogs from Commentary
Infographic: With BYOD, Mobile Is The New Desktop
Security teams have no choice but to embrace the rapid proliferation of BYO devices, apps, and cloud services. To ignore it is to put your head in the sand.
Internet of Things: Security For A World Of Ubiquitous Computing
Endpoint security is hardly dead, and claiming that it is oversimplifies the challenges corporations face now and in the not-very-distant future.
CEO Report Card: Low Grades for Risk Management
Dark Reading's latest community poll shows a stunning lack of confidence in chief execs' commitment to cyber security.
A New Age in Cyber Security: Public Cyberhealth
The cleanup aimed at disrupting GameOver Zeus and CryptoLocker offers an instructive template for managing mass cyber infections.
Passwords & The Future Of Identity: Payment Networks?
The solution to the omnipresent and enduring password problem may be closer than you think.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7392
Published: 2014-07-22
Gitlist allows remote attackers to execute arbitrary commands via shell metacharacters in a file name to Source/.

CVE-2014-2385
Published: 2014-07-22
Multiple cross-site scripting (XSS) vulnerabilities in the web UI in Sophos Anti-Virus for Linux before 9.6.1 allow local users to inject arbitrary web script or HTML via the (1) newListList:ExcludeFileOnExpression, (2) newListList:ExcludeFilesystems, or (3) newListList:ExcludeMountPaths parameter t...

CVE-2014-3518
Published: 2014-07-22
jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to exec...

CVE-2014-3530
Published: 2014-07-22
The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via...

CVE-2014-4326
Published: 2014-07-22
Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in (1) zabbix.rb or (2) nagios_nsca.rb in outputs/.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.