Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

6/10/2014
09:40 AM
George Kurtz
George Kurtz
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
Google+
RSS
E-Mail vvv
50%
50%

Putter Panda: Tip Of The Iceberg

What CrowdStrike's outing of Putter Panda -- the second hacking group linked to China's spying on US defense and European satellite and aerospace industries -- means for the security industry.

In May 2014, the US Department of Justice charged five Chinese military hackers for economic cyber espionage against US corporations. Those hackers are believed to be officers in Unit 61398 of the Chinese People’s Liberation Army (PLA). In response, the Chinese government stated that the claims were “absurd” and based on “fabricated facts.” China then went even further, stating, “The Chinese government, the Chinese military and their relevant personnel have never engaged or participated in cyber theft of trade secrets.” 

As I continue to say, what we see in the media is only the tip of the iceberg. While I don’t mind a good round of rhetoric from any nation state, these comments were a little over the top. China, I get you have to deny these sorts of things, but hey, we caught you red-handed on this one. 

Part of our mission at CrowdStrike is to provide government-quality intelligence to the private sector. We continually get asked if attribution is possible in the land of bogus domain names and proxied IP addresses. The answer is yes. While attribution is part art and part science, it is possible with a high degree of confidence to be able to pinpoint the who and why of these attacks. Nathaniel Hartley does a great job of explaining how we actually went about linking Chen Ping to the 3rd General Staff Department 12th Bureau of the PLA.

Why make this report public?
The Putter Panda report on UNIT 61486 has been part of our large library of intelligence reports and indicator feeds available to subscribers of CrowdStrike Intelligence for some time. So the question is, why make this report public now? Quite simply, we see firsthand what is happening in the trenches when we respond to large breaches during our incident response investigations. We see the massive amount of intellectual property that is being sucked out by the truckload, and we are tired of the continual denials. Most executives and boards of directors have no idea just what damage is being done to their corporations. We would love to see the US Government add yet another face to the FBI’s most wanted list.

So what?
Of course many will ask, so what? What does this mean for me? Why should I care? There are two main reasons for this sort of activity. One, signals intelligence and the collection of sensitive information on your enemy have been conducted for centuries. It’s only the medium in which the data is collected that has changed. Any information that a government believes could be valuable in providing a military advantage will be collected. Obviously, this goes beyond just China. Don’t hate the player, folks -- hate the game.

Second, it is a way for China to gain intellectual property rapidly and to reduce significantly the time and money involved in bringing new technologies to market. Keep in mind, the Chinese government has an ownership stake in many companies, and if it obtains some key information that can be used for military purposes, it has no problem handing it over to its corporations to jump-start their commercial interest.

Operationalizing intelligence
How do I respond when my boss asks, “Do we have a problem?” In addition to the attribution section, the report contains over 20 pages of technical analysis and indicators that organizations can use to determine if they have active Putter Panda infections inside their networks. The report also contains network and malware signatures in Snort and Yara format. You can use our free CrowdResponse tool and feed the Yara rules directly into it to determine if you truly do have a problem on your network and adjust your response to your boss accordingly. 

Attribution itself is important, not only to governments that want to use law-enforcement or diplomatic powers to put pressure on actors to behave responsibly, but also to provide contextual information about who is attacking your corporation. If you are in the satellite or aerospace industry, you definitely want to spend some time reading this report very closely and learning about the tradecraft and techniques of this adversary.

If these attackers haven’t hit you yet, chances are they will come for you eventually. If you do have them on your network, you also have valuable mitigation and remediation instructions and artifacts that can save you time and money when performing your forensic analysis. This is the power of operationalizing intelligence within your organization: developing capabilities not only to respond reactively to attacks, but also to utilize attribution, combined with technical indicators, to adjust your defense posture and prioritize your response.

Will it make a difference?
Similar to the US indictments, I do think there will be some good that comes out of releasing the report. Do I expect Chen Ping to be in the US courts any time soon? No. However, it does further cast the spotlight on China, and helps encourage the dialog on dealing with this issue. Keep in mind, just a few years back security researchers would whisper about China (and invent new terms like APT to avoid saying the country name publicly), but only recently has the country been publicly outed and taken to task.

It is a bit of a maturation process as we continue to highlight the country's activity and draw attention to what many in the intelligence community have known for years. Hopefully we can continue to drive awareness. If we burn down a bit of its infrastructure in the process, that wouldn’t be such a bad thing. Will the attackers be back? Yes. Like cockroaches when the light goes on, they will scatter, but you can bet they will be back. Hopefully you will be ready for them.

George Kurtz is President, CEO, and co-founder of CrowdStrike, a cutting-edge, big data, security technology company focused on helping enterprises and governments protect their most sensitive intellectual property and national security information. He is an ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
6/10/2014 | 3:53:32 PM
Re: Good reading
I still believe that it is just the tip of the iceberg. I'm also convinced that attribution is also very hard when we found clear evidence as in the specific case. Working time and techniques adopted by APT could not be enough for attribution of responsibilities, also third parties could use similar techniques to deceive investigators.

In the specific case I have no doubt that behind the cyber espionage campaign, there are Chinese units, in other cases like Elderwood I'm not so confident.

Regards

 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
6/10/2014 | 3:42:02 PM
Re: Good reading
You raise an interesting point, rjones2818. George, What was the tipiping point that made you decide to release the Putter Panda intellegience report and if China is now the worst offender,  do you expect the "collection of sensitive information on your enemy" to continue and broaden?
rjones2818
100%
0%
rjones2818,
User Rank: Strategist
6/10/2014 | 10:21:13 AM
Good reading
Thanks for your post.  My main question is will you report when any government is found by you to be hacking?
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15058
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.
CVE-2020-15059
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to bypass authentication via a web-administration request that lacks a password parameter.
CVE-2020-15060
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to conduct persistent XSS attacks by leveraging administrative privileges to set a crafted server name.
CVE-2020-15061
PUBLISHED: 2020-08-07
Lindy 42633 4-Port USB 2.0 Gigabit Network Server 2.078.000 devices allow an attacker on the same network to denial-of-service the device via long input values.
CVE-2020-15062
PUBLISHED: 2020-08-07
DIGITUS DA-70254 4-Port Gigabit Network Hub 2.073.000.E0008 devices allow an attacker on the same network to elevate privileges because the administrative password can be discovered by sniffing unencrypted UDP traffic.