A sophisticated group of hackers has changed both targets and tactics, according to a new report from security firm CrowdStrike.
Crowdstrike has been tracking the group, known as ‘Deep Panda’, for the past few years. In the past, the hackers – which the firm has linked to the Chinese government – focused their energies on government organizations as well as the defense, financial, legal and telecommunications industries and individuals involved in geopolitical policy issues related to China and the Asia Pacific region. However, researchers have recently observed the hackers targeting individuals at think tanks with ties to issues in Iraq and the Middle East.
“This is undoubtedly related to the recent Islamic State of Iraq and the Levant (ISIS) takeover of major parts of Iraq and the potential disruption for major Chinese oil interests in that country,” blogged Dmitri Alperovitch, co-founder and CTO of Crowdstrike. “In fact, Iraq happens to be the fifth-largest source of crude oil imports for China and the country is the largest foreign investor in Iraq’s oil sector. Thus, it wouldn’t be surprising if the Chinese government is highly interested in getting a better sense of the possibility of deeper U.S. military involvement that could help protect the Chinese oil infrastructure in Iraq. In fact, the shift in targeting of Iraq policy individuals occurred on June 18, the day that ISIS began its attack on the Baiji oil refinery.”
According to Reuters, China’s Foreign Ministry dismissed the report, with spokesperson Hong Lei stating during a daily news briefing in Beijing that some U.S. companies hype the idea of Chinese involvement in cyber-attacks and produce evidence that is “fundamentally untrustworthy.”
According to Crowdstrike however, the Deep Panda group did not stop with just a change of targets – they also began using powershell scripts deployed as scheduled tasks on Windows machines to breach networks. The scripts, Alperovitch explained, are passed to the powershell interpreter through the command line to avoid unnecessary files being placed on the victimized machine that could potentially trigger antivirus or other security. The scripts were scheduled to call back every two hours to the Deep Panda command and control infrastructure.
“Once executed, it downloads and executes from memory a .NET executable (typically named Wafer), which in turn typically downloads and runs MadHatter .NET Remote Access Tool (RAT), one of the favorites of Deep Panda,” he noted. “By running them from memory, it leaves no disk artifacts or host-based IOCs that can be identified in forensic analysis. This is typical for Deep Panda — stealth is their specialty and they prefer to operate in a way that leaves a minimal footprint on a victim system and often allows them to evade detection for a very long time.”
It is the same reason the attackers like to use webshells to keep low-footprint access to the targeted network, he blogged.
“This case was no exception, and that initial webshell implant allowed them to execute reconnaissance commands such as “tasklist,” “net view,” and “net localgroup administrators,” and then afterward to deploy the powershell scripts,” he noted. “The adversary used stolen credentials to mount network shares via “net use” command.”
After using compromised credentials to mount file shares, the attackers compressed data using 7-zip. For lateral movement, the attackers used WMI to deploy powershell scripts remotely and setup scheduled tasks on the remote systems.
“They knew exactly which users to target based on their research policy area, and they rapidly pivoted from China/Asia Pacific policy experts to Iraq/Middle East policy experts once their tasking collection requirements changed,” Alperovitch added.