In May 2014, the US Department of Justice charged five Chinese military hackers for economic cyber espionage against US corporations. Those hackers are believed to be officers in Unit 61398 of the Chinese People’s Liberation Army (PLA). In response, the Chinese government stated that the claims were “absurd” and based on “fabricated facts.” China then went even further, stating, “The Chinese government, the Chinese military and their relevant personnel have never engaged or participated in cyber theft of trade secrets.”
As I continue to say, what we see in the media is only the tip of the iceberg. While I don’t mind a good round of rhetoric from any nation state, these comments were a little over the top. China, I get you have to deny these sorts of things, but hey, we caught you red-handed on this one.
Part of our mission at CrowdStrike is to provide government-quality intelligence to the private sector. We continually get asked if attribution is possible in the land of bogus domain names and proxied IP addresses. The answer is yes. While attribution is part art and part science, it is possible to pinpoint the who and why of these attacks with a high degree of confidence. Nathaniel Hartley does a great job of explaining how we actually went about linking Chen Ping to the 3rd General Staff Department 12th Bureau of the PLA.
Why make this report public?
The Putter Panda report on Unit 61486 has been part of our large library of intelligence reports and indicator feeds available to subscribers of CrowdStrike Intelligence for some time. So the question is, why make this report public now? Quite simply, we see firsthand what is happening in the trenches when we respond to large breaches during our incident response investigations. We see the massive amount of intellectual property that is being sucked out by the truckload, and we are tired of the continual denials. Most executives and boards of directors have no idea just what damage is being done to their corporations. We would love to see the US Government add yet another face to the FBI’s most wanted list.
Of course many will ask, so what? What does this mean for me? Why should I care? There are two main reasons for this sort of activity. One, signals intelligence and the collection of sensitive information on your enemy have been conducted for centuries. It’s only the medium in which the data is collected that has changed. Any information that a government believes could be valuable in providing a military advantage will be collected. Obviously, this goes beyond just China. Don’t hate the player, folks -- hate the game.
Second, it is a way for China to gain intellectual property rapidly and to significantly reduce the time and money involved in bringing new technologies to market. Keep in mind, the Chinese government has an ownership stake in many companies, and if it obtains some key information that can be used for military purposes, it has no problem handing it over to its corporations to jump-start their commercial interests.
How do I respond when my boss asks, “Do we have a problem?” In addition to the attribution section, the report contains over 20 pages of technical analysis and indicators that organizations can use to determine if they have active Putter Panda infections inside their networks. The report also contains network and malware signatures in Snort and Yara format. You can feed the Yara rules directly into our free CrowdResponse tool to determine whether you truly do have a problem on your network, and adjust your answer to your boss accordingly.
Attribution itself is important, not only to governments that want to use law-enforcement or diplomatic powers to put pressure on actors to behave responsibly, but also to provide contextual information about who is attacking your corporation. If you are in the satellite or aerospace industry, you definitely want to spend some time reading this report very closely and learning about the tradecraft and techniques of this adversary.
If these attackers haven’t hit you yet, chances are they will come for you eventually. If you do have them on your network, you also have valuable mitigation and remediation instructions and artifacts that can save you time and money when performing your forensic analysis. This is the power of operationalizing intelligence within your organization: developing capabilities not only to respond reactively to attacks, but also to utilize attribution, combined with technical indicators, to adjust your defense posture and prioritize your response.
Will it make a difference?
Similar to the US indictments, I do think there will be some good that comes out of releasing the report. Do I expect Chen Ping to be in the US courts any time soon? No. However, it does further cast the spotlight on China, and helps encourage the dialog on dealing with this issue. Keep in mind, just a few years back security researchers would whisper about China (and invent new terms like APT to avoid saying the country name publicly), but only recently has the country been publicly outed and taken to task.
It is a bit of a maturation process as we continue to highlight the country's activity and draw attention to what many in the intelligence community have known for years. Hopefully we can continue to drive awareness. If we burn down a bit of its infrastructure in the process, that wouldn’t be such a bad thing. Will the attackers be back? Yes. Like cockroaches when the light goes on, they will scatter, but you can bet they will be back. Hopefully you will be ready for them.