A sophisticated Chinese hacker group that had been stealing information from U.S. policy experts on nearby Southeast Asia suddenly changed targets last month to focus on the Middle East – Iraq, in particular – security researchers CrowdStrike said Monday.
The group, called ‘Deep Panda’ switched from exploiting one area of expertise to another because of the march of the Islamic State of Iraq and the Levant (ISIS) towards Baghdad, and the collapse of Iraq’s security forces in the north and west of the country.
“The networks [of the think tanks] had been previously compromised, but Deep Panda pivoted to target systems and individuals with ties to the Middle East and Iraq,” said Dmitri Alperovitch, co-founder and CTO, CrowdStrike, of the overnight switch. The shift in Deep Panda’s targeting happened on 18th June, the day that ISIS began to attack the strategically important oil refinery at Baiji, 155 miles north of Baghdad.
China is the largest foreign investor in Iraqi oil fields, and draws about 10% of its oil imports from the country. Most of China’s oil investments, however, are in southern Iraq.
The ISIS’ quick gains and China’s large stake in Iraq were behind the targeting changes, Alperovitch said. Deep Panda’s switch made clear that China’s government wanted to know what policy makers here thought was happening in Iraq and what military moves the U.S. might make to stabilise the situation.
President Barack Obama ended up sending several hundred military advisors to Iraq last month.
CrowdStrike, which has tracked Deep Panda for three years, believes the group either works for or is actually funded by the Chinese government. “It’s an intelligence operation, with a very far and wide collection mission to keep policy makers in China informed,” said Adam Meyers, vice president of intelligence at CrowdStrike.
“This shows how much control [the Chinese government] has over this group,” added Alperovitch, of the sudden targeting shift.
“It was representative of a new priority” of Deep Panda’s controllers or sponsors, echoed Meyers.
Deep Panda has successfully infiltrated technology companies, legal firms, policy think tanks and human rights organisations in part because of its advanced tradecraft, said Meyers. Once inside a network, the gang often uses Windows’ native tools for as much of its work as possible, part of an attempt to keep a low profile and escape detection by security software.
“It’s one of the best groups out of China in tradecraft,” said Alperovitch, “because it’s not using techniques that can be easily viewed.” CrowdStrike currently tracks about 30 hacker groups based in China.
Deep Panda often mines the contacts of policy experts, including those still in government, to craft more convincing emails aimed at those latter officials, in the hope that a click will compromise their PCs, said CrowdStrike.
The company was able to sniff out Deep Panda’s targeting switch because it has provided dozens of think tanks and human rights organisations with its Falcon Host technology free of charge. Falcon Host, said Alperovitch and Meyers, gives network administrators a virtual over-the-shoulder view of hackers’ moves in real time, and provides the kind of forensics information that typically takes weeks or months of painstaking research to collect.
Alperovitch declined to name the think tanks that had been targeted by Deep Panda when it shifted its aim at experts in the Middle East and Iraq.