CrowdStrike reveals intelligence-gathering activities of the group

Jun 10, 2014 11:47 GMT

Another cyber-espionage group, believed to be associated with the Chinese military, has been identified by the US-based CrowdStrike security firm.

Code-named Putter Panda, the group is believed to act on behalf of the People’s Liberation Army (PLA) Third General Staff Department 12th Bureau Unit 61486, which has its headquarters in Shanghai and supports China’s space surveillance network.

The activities of the group include targeted attacks against the US defense and European satellite/aerospace industries, conducted through exploits for popular applications like Adobe Reader and Microsoft Office, the payload generally being delivered through email messages.

It appears that Putter Panda has been involved in cyber-espionage operations since at least 2007, although the security firm began tracking the group in 2012. Earlier activity by the Chinese group has been documented under the name MSUpdater.

CrowdStrike labeled them as a “determined adversary group, conducting intelligence-gathering operations targeting the Government, Defense, Research, and Technology sectors in the United States, with specific targeting of space, aerospace, and communications.”

According to the 62-page report, 35-year-old Chen Ping (a.k.a. cpyy) has been identified as one of the team members and as the registrant of several domains used for command and control of Putter Panda malware.

It is not clear whether Chen Ping is his real name, but CrowdStrike's findings suggest so, because deeper investigation revealed multiple email addresses associated with the “cpyy” handle.

Furthermore, a personal blog for “cpyy” was found, sharing information tying him to a military and police job and to interests in the topics of networking and programming.

CrowdStrike also relays information about Putter Panda being connected to Comment Panda, a group also involved in cyber-espionage activities against US corporations.

Five Chinese men were indicted last month by a grand jury in the Western District of Pennsylvania (WDPA) “for computer hacking and economic espionage” targeting victims in nuclear power, metals and solar products industries.

The report on the Putter Panda group contains detailed information about Chen Ping, based on various pieces of evidence gathered from online image repositories, as well as social network websites and forums.

The document also contains the highlights of technical analysis previously performed by CrowdStrike on some Remote Access Tools (RATs), 4H RAT and 3PARA RAT, employed by Putter Panda to carry out its mission.

Also available is an examination of two malware droppers used for installing RATs on the target computer, tools that are associated with the activities of the group. One of them uses the RC4 algorithm to decrypt the payload, while the other deletes itself after the dropped executable is installed.