Chinese hackers target US national security think tanks

Summary: China's Deep Panda group has switched its focus from US tech firms and southeast Asia to snoop on national security policy research organizations and non-profit think tanks related to Iraq and the Middle East.

The Chinese cyberattack group Deep Panda has compromised national security think tanks using sophisticated techniques designed to steal confidential data concerning US foreign policy, according to security researchers at CrowdStrike.

The CrowdStrike team say that "several" national security-based think tanks have been compromised in the defense, finance, legal and government arenas by the group, which the security researchers call "one of the most advanced Chinese nation-state cyber intrusion groups." Cyberattacks have been launched by the hackers for almost three years now, but it is only in recent times that Deep Panda's focus has changed.

CrowdStrike says that attacks are now taking place against think tanks related to security and governmental policy within Iraq and the Middle East, a shift from collecting data on southeast Asia. While the security researchers declined to name the specific think tanks or data that was stolen, the team did say that email accounts, directories and files were compromised.

The team say:

"This is undoubtedly related to the recent Islamic State of Iraq and the Levant (ISIS) takeover of major parts of Iraq and the potential disruption for major Chinese oil interests in that country. In fact, Iraq happens to be the fifth-largest source of crude oil imports for China and the country is the largest foreign investor in Iraq’s oil sector. Thus, it wouldn’t be surprising if the Chinese government is highly interested in getting a better sense of the possibility of deeper U.S. military involvement that could help protect the Chinese oil infrastructure in Iraq.

In fact, the shift in targeting of Iraq policy individuals occurred on June 18, the day that ISIS began its attack on the Baiji oil refinery."

Deep Panda's cyberattacks (.PDF) consist of exploiting vulnerabilities in Windows operating systems, which allows the group to deploy PowerShell scripts as scheduled tasks. The scripts are passed to the PowerShell interpreter through the command line, which avoids placing extraneous files on a victim's machine, in order to bypass detection. The scripts were scheduled to call back to Deep Panda's Command and Control (C&C) server every two hours.

Once executed, a .NET executable is run from memory, which in turn downloads and runs the MadHatter .NET Remote Access Tool (RAT), a favored tool of Deep Panda. Webshell implants are also used to ensure low-footprint persistent access to the victim network, keeping the infiltration as quiet as possible, while the C&C channel is used to run commands such as “tasklist,” “net view,” and “net localgroup administrators,” steal credentials and access network data.
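One way to look for this tradecraft in endpoint telemetry, as an added example that is not code from the article or from CrowdStrike: the event shape, host names, timestamps and the encoded blob are constructed, and the Task Scheduler parent process names are an assumption about the victim's Windows version.

```python
"""Added detection sketch (not CrowdStrike's or Deep Panda's code) for the tradecraft
above: PowerShell launched by the Task Scheduler with an inline script, recon commands
spawned by a web server process (webshell), and a two-hour callback cadence."""
import re
from datetime import datetime, timedelta

# Constructed process-creation records in a Sysmon/EDR-like shape; hostnames,
# timestamps and the encoded blob are invented for the example.
EVENTS = [
    {"ts": "2014-06-18T10:00:05", "host": "tt-fs01", "parent": "taskeng.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -NonInteractive "
     "-WindowStyle Hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA..."},
    {"ts": "2014-06-18T12:00:07", "host": "tt-fs01", "parent": "taskeng.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -NonInteractive "
     "-WindowStyle Hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA..."},
    {"ts": "2014-06-18T10:30:00", "host": "tt-web01", "parent": "w3wp.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c net localgroup administrators"},
    {"ts": "2014-06-18T10:30:02", "host": "tt-web01", "parent": "w3wp.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c tasklist"},
    {"ts": "2014-06-18T09:00:00", "host": "tt-ws07", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": r"powershell.exe -File C:\ops\backup.ps1"},
]

SCHEDULER_PARENTS = {"taskeng.exe", "svchost.exe"}  # Task Scheduler process hosts (assumed)
WEB_PARENTS = {"w3wp.exe", "httpd.exe"}             # typical webshell parent processes
INLINE_SCRIPT = re.compile(r"\s-(?:e(?:ncodedcommand)?|c(?:ommand)?)\s", re.I)
RECON = re.compile(r"\b(tasklist|net\s+view|net\s+localgroup\s+administrators)\b", re.I)

def classify(event):
    """Return the alert names that one process-creation event triggers."""
    alerts = []
    img, parent, cmd = event["image"].lower(), event["parent"].lower(), event["cmdline"]
    if img == "powershell.exe" and parent in SCHEDULER_PARENTS and INLINE_SCRIPT.search(cmd):
        alerts.append("scheduled_task_inline_powershell")  # script exists only on the cmdline
    if parent in WEB_PARENTS and RECON.search(cmd):
        alerts.append("webshell_recon_command")
    return alerts

def periodic_hosts(events, period=timedelta(hours=2), slack=timedelta(minutes=5)):
    """Hosts whose scheduled inline PowerShell launches recur at the given period."""
    by_host = {}
    for e in events:
        if "scheduled_task_inline_powershell" in classify(e):
            by_host.setdefault(e["host"], []).append(datetime.fromisoformat(e["ts"]))
    hits = set()
    for host, times in by_host.items():
        times.sort()
        if any(abs((b - a) - period) <= slack for a, b in zip(times, times[1:])):
            hits.add(host)
    return sorted(hits)
```

The file-backed PowerShell launch from explorer.exe is left unflagged on purpose, so the rules key on the scheduler parent plus inline script rather than on PowerShell use alone.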

CrowdStrike was able to detect the cyberattacks through its Falcon Host software, a security agent which combines endpoint and threat data. This software is offered on a pro-bono basis to think tanks and non-profits, organizations that are unlikely to have enough funding to protect themselves otherwise.

"Deep Panda presents a very serious threat not just to think tanks, but also multinational financial institutions, law firms, defense contractors, and government agencies," the security researchers say. "Due to their stellar operational security and reliance on anti-forensic and anti-IOC detection techniques, detecting and stopping them is very challenging without the use of next-generation endpoint technology like Falcon Host."

In June, CrowdStrike said that Putter Panda, a cyber espionage group connected to the country's military, had been targeting US and European government partners in order to steal corporate trade secrets relating to the satellite, aerospace and communications industries.

  • Got any Panda coins?

    Your pandacoin faucet prototype.

    What ARE the odds -


  • China ?

    YOU SURE that's China ?

    Ad above says protect our forest friends.

    I wonder what Chase or Bank of America is doing to protect our forest friends.

    Something tells me Dimon just didn't click on the link.

    Panda is an endangered species.

    Support the Wolong and Fuzhou reserves in China

    don't buy into this nationalistic spy garbage - it's just made up.

    Think of UNIQUE LIFE FORMS on this planet - that are soon to be extinct.

    Then ask - what your silly concerns about US think tanks installing hazardous software - really amounts to in comparison.

    Don't make me laugh

    and don't make me cry.

    P P P N N N D D D


    Morons - your bus is leaving - I think territorial nationalism has done ENOUGH damage to the species.

    Threat to the species FAR outweighs threat to a NATION STATE.



    P P P N N N D D D

    • No ore alcohol for you.

      Time to go sleep it off.
      Hallowed are the Ori
      • No *MORE* alcohol for you.

        Damn ZDNet's pathetic 1990's software with no ability to let people edit their posts.
        Hallowed are the Ori
        • ZDNet's 90's Software

          It also has 90's style effectiveness against spam in the blog posts.
    • ???

      I think it's more than alcohol.
      • It looks like an attempt to change the subject

        The allegation being that it's morally wrong to report on apparent Chinese espionage because there are so many other much more important things to report on (there are a number of variations, like "it's wrong to criticize Good Guy Party politicians for anything given all of the crimes routinely committed by Bad Guy Party politicians".

        I suppose it's better than accusing the reporter of "interfering in China's internal affairs".
        John L. Ries
  • "Think tanks" are wrongly named

    RE: "...Deep Panda presents a very serious threat not just to think tanks..." - If indeed they were capable of any real thought, these "tanks", who supposedly understand security, would realize that they have done the bad deed to themselves by making their files (especially "sensitive ones") accessible ONLINE. They shouldn't be surprised at attempts by non-authorized "agents" to access them.
    Yet another example where making choices in favor of CONVENIENCE (WHY do the files need to be remotely accessible, from insecure locations???) as opposed to safety, thus significantly escalating risks to the entire nation they are supposed to be serving. In some ways they seem to be more errant than politicians.
    • The data in question might or might not be classified

      It's not even a given that the institutions in question are doing their research at the behest of the US government.
      John L. Ries