Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Chinese Hackers Targeting Middle East Policy Experts: CrowdStrike

A sophisticated group of hackers has changed both targets and tactics, according to a new report from security firm CrowdStrike.

A sophisticated group of hackers has changed both targets and tactics, according to a new report from security firm CrowdStrike.

Crowdstrike has been tracking the group, known as ‘Deep Panda’, for the past few years. In the past, the hackers – which the firm has linked to the Chinese government – focused their energies on government organizations as well as the defense, financial, legal and telecommunications industries and individuals involved in geopolitical policy issues related to China and the Asia Pacific region. However, researchers have recently observed the hackers targeting individuals at think tanks with ties to issues in Iraq and the Middle East.

“This is undoubtedly related to the recent Islamic State of Iraq and the Levant (ISIS) takeover of major parts of Iraq and the potential disruption for major Chinese oil interests in that country,” blogged Dmitri Alperovitch, co-founder and CTO of Crowdstrike. “In fact, Iraq happens to be the fifth-largest source of crude oil imports for China and the country is the largest foreign investor in Iraq’s oil sector. Thus, it wouldn’t be surprising if the Chinese government is highly interested in getting a better sense of the possibility of deeper U.S. military involvement that could help protect the Chinese oil infrastructure in Iraq. In fact, the shift in targeting of Iraq policy individuals occurred on June 18, the day that ISIS began its attack on the Baiji oil refinery.”

According to Reuters, China’s Foreign Ministry dismissed the report, with spokesperson Hong Lei stating during a daily news briefing in Beijing that some U.S. companies hype the idea of Chinese involvement in cyber-attacks and produce evidence that is “fundamentally untrustworthy.”

According to Crowdstrike however, the Deep Panda group did not stop with just a change of targets – they also began using powershell scripts deployed as scheduled tasks on Windows machines to breach networks. The scripts, Alperovitch explained, are passed to the powershell interpreter through the command line to avoid unnecessary files being placed on the victimized machine that could potentially trigger antivirus or other security. The scripts were scheduled to call back every two hours to the Deep Panda command and control infrastructure.

“Once executed, it downloads and executes from memory a .NET executable (typically named Wafer), which in turn typically downloads and runs MadHatter .NET Remote Access Tool (RAT), one of the favorites of Deep Panda,” he noted. “By running them from memory, it leaves no disk artifacts or host-based IOCs that can be identified in forensic analysis. This is typical for Deep Panda — stealth is their specialty and they prefer to operate in a way that leaves a minimal footprint on a victim system and often allows them to evade detection for a very long time.”

It is the same reason the attackers like to use webshells to keep low-footprint access to the targeted network, he blogged.

“This case was no exception, and that initial webshell implant allowed them to execute reconnaissance commands such as “tasklist,” “net view,” and “net localgroup administrators,” and then afterward to deploy the powershell scripts,” he noted. “The adversary used stolen credentials to mount network shares via “net use” command.”

After using compromised credentials to mount file shares, the attackers compressed data using 7-zip. For lateral movement, the attackers used WMI to deploy powershell scripts remotely and setup scheduled tasks on the remote systems.

“They knew exactly which users to target based on their research policy area, and they rapidly pivoted from China/Asia Pacific policy experts to Iraq/Middle East policy experts once their tasking collection requirements changed,” Alperovitch added. 

Written By

Click to comment

Expert Insights

Related Content

Cybercrime

Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Cyberwarfare

The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cybercrime

Albanian prosecutors on Wednesday asked for the house arrest of five public employees they blame for not protecting the country from a cyberattack by...

Cyberwarfare

Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona

Cyberwarfare

Cybersecurity firm Group-IB is raising the alarm on a newly identified advanced persistent threat (APT) actor targeting government and military organizations in Asia and...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...