
Attacks/Breaches
6/10/2014 09:40 AM
George Kurtz
Commentary

Putter Panda: Tip Of The Iceberg

What CrowdStrike's outing of Putter Panda -- the second hacking group linked to China's spying on US defense and European satellite and aerospace industries -- means for the security industry.

In May 2014, the US Department of Justice charged five Chinese military hackers for economic cyber espionage against US corporations. Those hackers are believed to be officers in Unit 61398 of the Chinese People’s Liberation Army (PLA). In response, the Chinese government stated that the claims were “absurd” and based on “fabricated facts.” China then went even further, stating, “The Chinese government, the Chinese military and their relevant personnel have never engaged or participated in cyber theft of trade secrets.” 

As I continue to say, what we see in the media is only the tip of the iceberg. While I don’t mind a good round of rhetoric from any nation state, these comments were a little over the top. China, I get you have to deny these sorts of things, but hey, we caught you red-handed on this one. 

Part of our mission at CrowdStrike is to provide government-quality intelligence to the private sector. We continually get asked whether attribution is possible in the land of bogus domain names and proxied IP addresses. The answer is yes. While attribution is part art and part science, it is possible to pinpoint the who and the why of these attacks with a high degree of confidence. Nathaniel Hartley does a great job of explaining how we actually went about linking Chen Ping to the 3rd General Staff Department 12th Bureau of the PLA.

Why make this report public?
The Putter Panda report on Unit 61486 has been part of our large library of intelligence reports and indicator feeds available to subscribers of CrowdStrike Intelligence for some time. So the question is, why make this report public now? Quite simply, we see firsthand what is happening in the trenches when we respond to large breaches during our incident response investigations. We see the massive amount of intellectual property that is being sucked out by the truckload, and we are tired of the continual denials. Most executives and boards of directors have no idea just what damage is being done to their corporations. We would love to see the US Government add yet another face to the FBI’s most wanted list.

So what?
Of course many will ask, so what? What does this mean for me? Why should I care? There are two main reasons for this sort of activity. First, signals intelligence and the collection of sensitive information on your enemy have been conducted for centuries. It’s only the medium in which the data is collected that has changed. Any information that a government believes could be valuable in providing a military advantage will be collected. Obviously, this goes beyond just China. Don’t hate the player, folks -- hate the game.

Second, it is a way for China to gain intellectual property rapidly and to reduce significantly the time and money involved in bringing new technologies to market. Keep in mind, the Chinese government has an ownership stake in many companies, and if it obtains some key information that can be used for military purposes, it has no problem handing it over to its corporations to jump-start their commercial interest.

Operationalizing intelligence
How do I respond when my boss asks, “Do we have a problem?” In addition to the attribution section, the report contains over 20 pages of technical analysis and indicators that organizations can use to determine if they have active Putter Panda infections inside their networks. The report also contains network and malware signatures in Snort and Yara format. You can use our free CrowdResponse tool and feed the Yara rules directly into it to determine if you truly do have a problem on your network and adjust your response to your boss accordingly. 
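The step described above, turning a report's technical indicators into a yes-or-no answer about your own network, can be sketched in a few lines. The following is an added example, not code from CrowdStrike, CrowdResponse or the Putter Panda report: it matches a constructed indicator set (placeholder domains, a documentation-range IP and the MD5 of the empty string, none of them real Putter Panda indicators) against constructed DNS, proxy and antivirus log lines, and ranks hosts by how many distinct indicator types they matched so the response can be prioritised.

```python
"""Match a constructed indicator set against constructed log lines and rank hosts for triage.

Every indicator and log line below is a placeholder made up for this example; none of them
come from the Putter Panda report or any other intelligence feed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed indicator set (placeholders only). A real run would load the report's
# network and host indicators here instead.
INDICATORS = {
    "domain": {"update.example-c2.invalid", "news.example-c2.invalid"},
    "ip": {"203.0.113.45"},                           # RFC 5737 documentation range
    "md5": {"d41d8cd98f00b204e9800998ecf8427e"},      # MD5 of the empty string, placeholder
}

# Constructed sample events: two hosts touch placeholder indicators, one host is clean.
SAMPLE_LOGS = [
    "2014-06-10T09:40:01Z dns host=ws-17 qname=update.example-c2.invalid type=A",
    "2014-06-10T09:40:05Z proxy host=ws-17 dst=203.0.113.45:443 method=CONNECT bytes=5120",
    "2014-06-10T09:41:00Z dns host=ws-22 qname=news.example-c2.invalid type=A",
    "2014-06-10T09:41:30Z dns host=ws-31 qname=www.example.org type=A",
    "2014-06-10T09:42:13Z av host=ws-17 file=C:\\Users\\a\\AppData\\x.dll md5=D41D8CD98F00B204E9800998ECF8427E",
]

# Loose token patterns: they over-match on purpose (e.g. "x.dll" looks like a domain);
# the indicator set, not the regex, decides what counts as a hit.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MD5_RE = re.compile(r"\b([a-f0-9]{32})\b", re.I)
HOST_RE = re.compile(r"\bhost=(\S+)")


@dataclass(frozen=True)
class Hit:
    line_no: int
    host: str
    kind: str
    value: str


def extract_candidates(line):
    """Yield (kind, normalised value) for every token in a line that looks like an indicator."""
    for domain in DOMAIN_RE.findall(line):
        yield "domain", domain.lower()
    for ip in IP_RE.findall(line):
        yield "ip", ip
    for digest in MD5_RE.findall(line):
        yield "md5", digest.lower()


def scan_lines(lines, indicators=INDICATORS):
    """Return one Hit per (line, indicator) match, keeping the host the event belongs to."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        match = HOST_RE.search(line)
        host = match.group(1) if match else "unknown"
        for kind, value in extract_candidates(line):
            if value in indicators.get(kind, ()):
                hits.append(Hit(line_no, host, kind, value))
    return hits


def hosts_by_indicator_kinds(hits):
    """Group hits by host: {host: set of indicator kinds matched}."""
    grouped = defaultdict(set)
    for hit in hits:
        grouped[hit.host].add(hit.kind)
    return dict(grouped)


def prioritised_hosts(hits):
    """Hosts ordered for response: those matching more distinct indicator kinds come first.

    A host seen resolving a C2 domain, connecting to its IP and carrying a known-bad file
    hash is a far stronger lead than one with a single DNS lookup.
    """
    grouped = hosts_by_indicator_kinds(hits)
    return sorted(grouped, key=lambda host: (-len(grouped[host]), host))


if __name__ == "__main__":
    found = scan_lines(SAMPLE_LOGS)
    for hit in found:
        print(f"line {hit.line_no}: host={hit.host} {hit.kind}={hit.value}")
    print("triage order:", prioritised_hosts(found))
```

The point of ranking by distinct indicator kinds rather than raw hit count is that a single noisy DNS lookup should not outrank a host that shows the full chain of network and host artifacts; the same grouping works unchanged if the indicator dictionary is loaded from a report's appendix instead of the placeholders above.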

Attribution itself is important, not only to governments that want to use law-enforcement or diplomatic powers to put pressure on actors to behave responsibly, but also to provide contextual information about who is attacking your corporation. If you are in the satellite or aerospace industry, you definitely want to spend some time reading this report very closely and learning about the tradecraft and techniques of this adversary.

If these attackers haven’t hit you yet, chances are they will come for you eventually. If you do have them on your network, you also have valuable mitigation and remediation instructions and artifacts that can save you time and money when performing your forensic analysis. This is the power of operationalizing intelligence within your organization: developing capabilities not only to respond reactively to attacks, but also to utilize attribution, combined with technical indicators, to adjust your defense posture and prioritize your response.

Will it make a difference?
Similar to the US indictments, I do think there will be some good that comes out of releasing the report. Do I expect Chen Ping to be in the US courts any time soon? No. However, it does further cast the spotlight on China, and helps encourage the dialog on dealing with this issue. Keep in mind, just a few years back security researchers would whisper about China (and invent new terms like APT to avoid saying the country name publicly), but only recently has the country been publicly outed and taken to task.

It is a bit of a maturation process as we continue to highlight the country's activity and draw attention to what many in the intelligence community have known for years. Hopefully we can continue to drive awareness. If we burn down a bit of its infrastructure in the process, that wouldn’t be such a bad thing. Will the attackers be back? Yes. Like cockroaches when the light goes on, they will scatter, but you can bet they will be back. Hopefully you will be ready for them.

George Kurtz is President, CEO, and co-founder of CrowdStrike, a cutting-edge, big data, security technology company focused on helping enterprises and governments protect their most sensitive intellectual property and national security information.

Comments
securityaffairs, User Rank: Ninja
6/10/2014 | 3:53:32 PM
Re: Good reading
I still believe that it is just the tip of the iceberg. I'm also convinced that attribution is very hard even when we find clear evidence, as in this specific case. Working times and techniques adopted by an APT might not be enough to attribute responsibility; third parties could also use similar techniques to deceive investigators.

In the specific case I have no doubt that behind the cyber espionage campaign, there are Chinese units, in other cases like Elderwood I'm not so confident.

Regards

Marilyn Cohodas, User Rank: Strategist
6/10/2014 | 3:42:02 PM
Re: Good reading
You raise an interesting point, rjones2818. George, what was the tipping point that made you decide to release the Putter Panda intelligence report, and if China is now the worst offender, do you expect the "collection of sensitive information on your enemy" to continue and broaden?
rjones2818, User Rank: Strategist
6/10/2014 | 10:21:13 AM
Good reading
Thanks for your post.  My main question is will you report when any government is found by you to be hacking?