A Chinese hacking group called Deep Panda, alleged to have ties to the government of China, was found to have compromised many national security think tanks, and recent real-time visibility into its activity shows a radical change in its targets, according to a report from CrowdStrike based on its Falcon Host security technology.
According to CrowdStrike, it has been monitoring the group's activities for three years; the group targets sectors such as government, defense, telecommunications, finance and legal services.
Early targets of these hackers were senior individuals engaged in geopolitical policy issues in the Asia Pacific or China region, until Falcon's visibility showed that they had swiftly shifted to persons believed to have ties to issues in the Middle East or Iraq.
CrowdStrike said the recent targeting of such individuals is associated with the latest seizure of major areas of Iraq by the Islamic State of Iraq and the Levant (ISIS) and the possible disruption of major Chinese oil interests in that country.
"In fact, Iraq happens to be the fifth-largest source of crude oil imports for China and the country is the largest foreign investor in Iraq’s oil sector. Thus, it wouldn’t be surprising if the Chinese government is highly interested in getting a better sense of the possibility of deeper U.S. military involvement that could help protect the Chinese oil infrastructure in Iraq," CrowdStrike co-founder and CTO Dmitri Alperovitch wrote in a blog post.
"If you can go after these indirect targets that have some of the information or you can see who they are communicating with you build up a lot of intelligence," Benjamin Johnson, former employee at the National Security Agency and now working at cybersecurity company Bit9, said.
The shift in targets is said to have happened on June 18, the same day ISIS began its attack on the Baiji oil refinery.
The blog post also revealed that CrowdStrike had detected network breaches in which the hackers deployed PowerShell scripts as scheduled tasks on Windows systems. The scripts are passed to the PowerShell interpreter on the command line so that no extra files are placed on the victim's machine, files that could otherwise trigger "AV- or Indicator of Compromise (IOC)-based detection."
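As an added example (not from the CrowdStrike post, and not Deep Panda indicators), here is defender-side Python that screens constructed scheduled-task (4698) and process-creation (4688) records for the pattern the report describes: PowerShell whose script body travels in the command line rather than in a file on disk, including decoding of -EncodedCommand. The event fields, switch list and sample lines are assumptions for illustration.

```python
import base64
import re

# Constructed sample records shaped like the fields a defender pulls from Windows
# Security events 4698 (scheduled task created) and 4688 (process created).
# Not real Deep Panda artefacts: the encoded payload is just "Get-Date".
ENCODED_GET_DATE = base64.b64encode("Get-Date".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"id": 4698, "task": r"\Maintenance\Nightly",
     "cmd": r"powershell.exe -NonInteractive -File C:\Scripts\backup.ps1"},
    {"id": 4698, "task": r"\Updater",
     "cmd": f"powershell.exe -NoP -W Hidden -Enc {ENCODED_GET_DATE}"},
    {"id": 4688, "task": None,
     "cmd": 'powershell.exe -nop -noni -c "Get-Process | Out-File C:\\t.txt"'},
    {"id": 4688, "task": None, "cmd": r"C:\Windows\System32\notepad.exe"},
]

PS_EXE = re.compile(r"(?i)(?:^|[\\/\s])(?:powershell|pwsh)(?:\.exe)?(?:\s|$)")
# Switches (with PowerShell's accepted abbreviations) that carry the script body
# in the command line itself, as opposed to -File, which points at a file on disk.
INLINE_BODY = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand|c|com|command)\b")
SCRIPT_FILE = re.compile(r"(?i)(?:^|\s)-f(?:ile)?\s")
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
# Options that reduce visibility: supporting evidence only, also seen in admin scripts.
EVASION = re.compile(r"(?i)(?:^|\s)-(?:nop(?:rofile)?|noni(?:nteractive)?"
                     r"|w(?:indowstyle)?\s+hidden|e(?:p|xec|xecutionpolicy)\s+bypass)\b")

def decode_encoded_command(cmd):
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent/invalid."""
    m = ENCODED_ARG.search(cmd)
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (AttributeError, ValueError, UnicodeDecodeError):
        return None

def inspect_event(event):
    """List why an event matches the file-less PowerShell pattern ([] = looks benign)."""
    cmd = event["cmd"]
    if not PS_EXE.search(cmd) or not INLINE_BODY.search(cmd) or SCRIPT_FILE.search(cmd):
        return []
    reasons = ["script body passed on the command line, no -File"]
    if event["id"] == 4698:
        reasons.append(f"registered as scheduled task {event['task']}")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append(f"decoded -EncodedCommand: {decoded}")
    for m in EVASION.finditer(cmd):
        reasons.append(f"visibility-reducing switch {m.group(0).strip()}")
    return reasons
```

Running `inspect_event` over each of `SAMPLE_EVENTS` flags only the two inline-body invocations; the -File task and notepad return an empty list.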
CrowdStrike also warned that Deep Panda poses an extremely serious threat not only to think tanks but also to defense contractors, financial institutions, government agencies and law firms. It added that identifying and stopping the group is a challenge without technologies such as Falcon Host, because the group has "stellar operational security and reliance on anti-forensic and anti-IOC detection techniques."