Chinese Hackers Targeting Middle East Policy Experts: CrowdStrike

A sophisticated group of hackers has changed both targets and tactics, according to a new report from security firm CrowdStrike.

CrowdStrike has been tracking the group, known as ‘Deep Panda’, for the past few years. In the past, the hackers – whom the firm has linked to the Chinese government – focused their energies on government organizations as well as the defense, financial, legal and telecommunications industries, and on individuals involved in geopolitical policy issues related to China and the Asia Pacific region. However, researchers have recently observed the hackers targeting individuals at think tanks with ties to issues in Iraq and the Middle East.

“This is undoubtedly related to the recent Islamic State of Iraq and the Levant (ISIS) takeover of major parts of Iraq and the potential disruption for major Chinese oil interests in that country,” blogged Dmitri Alperovitch, co-founder and CTO of CrowdStrike. “In fact, Iraq happens to be the fifth-largest source of crude oil imports for China and the country is the largest foreign investor in Iraq’s oil sector. Thus, it wouldn’t be surprising if the Chinese government is highly interested in getting a better sense of the possibility of deeper U.S. military involvement that could help protect the Chinese oil infrastructure in Iraq. In fact, the shift in targeting of Iraq policy individuals occurred on June 18, the day that ISIS began its attack on the Baiji oil refinery.”

According to Reuters, China’s Foreign Ministry dismissed the report, with spokesperson Hong Lei stating during a daily news briefing in Beijing that some U.S. companies hype the idea of Chinese involvement in cyber-attacks and produce evidence that is “fundamentally untrustworthy.”

According to CrowdStrike, however, the Deep Panda group did not stop with just a change of targets – they also began using PowerShell scripts deployed as scheduled tasks on Windows machines to breach networks. The scripts, Alperovitch explained, are passed to the PowerShell interpreter through the command line to avoid placing unnecessary files on the victimized machine that could potentially trigger antivirus or other security software. The scripts were scheduled to call back every two hours to the Deep Panda command and control infrastructure.

“Once executed, it downloads and executes from memory a .NET executable (typically named Wafer), which in turn typically downloads and runs MadHatter .NET Remote Access Tool (RAT), one of the favorites of Deep Panda,” he noted. “By running them from memory, it leaves no disk artifacts or host-based IOCs that can be identified in forensic analysis. This is typical for Deep Panda — stealth is their specialty and they prefer to operate in a way that leaves a minimal footprint on a victim system and often allows them to evade detection for a very long time.”

It is the same reason the attackers like to use webshells to keep low-footprint access to the targeted network, he blogged.

“This case was no exception, and that initial webshell implant allowed them to execute reconnaissance commands such as ‘tasklist,’ ‘net view,’ and ‘net localgroup administrators,’ and then afterward to deploy the powershell scripts,” he noted. “The adversary used stolen credentials to mount network shares via ‘net use’ command.”

After using compromised credentials to mount file shares, the attackers compressed data using 7-zip. For lateral movement, the attackers used WMI to deploy PowerShell scripts remotely and to set up scheduled tasks on the remote systems.
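As an added illustration that is not part of the article or of CrowdStrike's report, the following Python sketch shows how a defender could flag the two behaviours described above in endpoint telemetry: a burst of the reconnaissance commands named here from one account on one host, and a scheduled task whose action passes PowerShell its script on the command line and repeats on a short interval. The event records are constructed for the example, and their field layout (including `interval_min`, which in practice would be parsed from the task definition) is an assumed simplified schema, not a real log format.

```python
import re
from collections import defaultdict

# Constructed sample events (not taken from the article). The fields are a
# simplified, assumed schema loosely modelled on Windows Security log events
# 4688 (process creation) and 4698 (scheduled task created).
EVENTS = [
    {"id": 4688, "host": "ws01", "user": "jdoe", "cmd": "tasklist"},
    {"id": 4688, "host": "ws01", "user": "jdoe", "cmd": "net view"},
    {"id": 4688, "host": "ws01", "user": "jdoe", "cmd": "net localgroup administrators"},
    {"id": 4688, "host": "ws01", "user": "jdoe", "cmd": r"net use \\fs01\share /user:corp\jdoe"},
    {"id": 4698, "host": "ws01", "user": "jdoe", "task": "Updater", "interval_min": 120,
     "cmd": 'powershell.exe -NoP -W Hidden -Command "<inline body omitted>"'},
    {"id": 4698, "host": "ws02", "user": "svc-backup", "task": "Backup", "interval_min": 1440,
     "cmd": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"id": 4688, "host": "ws02", "user": "svc-backup", "cmd": "tasklist"},
]

# The reconnaissance commands the article says were run from the webshell.
RECON = ("tasklist", "net view", "net localgroup administrators", "net use")
# PowerShell switches that take the script text from the command line itself.
INLINE_FLAGS = re.compile(r"(?i)(^|\s)-(command|c|encodedcommand|enc|e)(\s|$)")

def inline_powershell(cmd):
    """True when PowerShell receives its script on the command line rather than from a file."""
    lowered = cmd.lower()
    return "powershell" in lowered and bool(INLINE_FLAGS.search(cmd)) and "-file" not in lowered

def recon_bursts(events, threshold=3):
    """(host, user) pairs that ran at least `threshold` distinct recon commands."""
    seen = defaultdict(set)
    for e in events:
        if e["id"] == 4688:
            for r in RECON:
                if e["cmd"].lower().startswith(r):
                    seen[(e["host"], e["user"])].add(r)
    return sorted(k for k, v in seen.items() if len(v) >= threshold)

def beaconing_tasks(events, max_interval_min=240):
    """Scheduled tasks that run inline PowerShell on a short repeat interval (callback-like)."""
    return [(e["host"], e["task"]) for e in events
            if e["id"] == 4698 and inline_powershell(e["cmd"])
            and e["interval_min"] <= max_interval_min]

def findings(events):
    """Combine both detections into one report for triage."""
    return {"recon": recon_bursts(events), "tasks": beaconing_tasks(events)}

if __name__ == "__main__":
    print(findings(EVENTS))
```

The interval threshold and recon count are tuning knobs; a legitimate admin script run daily from a file (the `Backup` task) is deliberately not flagged.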

“They knew exactly which users to target based on their research policy area, and they rapidly pivoted from China/Asia Pacific policy experts to Iraq/Middle East policy experts once their tasking collection requirements changed,” Alperovitch added. 
