A new Shanghai-based hacker unit with ties to the People's Liberation Army (PLA) in China has been identified, according to a report from security company CrowdStrike. The New York Times writes that the group is codenamed "Putter Panda" due to its penchant for preying upon golf-playing conference attendees. The organization is believed to have been operational since at least 2007, targeting American, European, and Japanese companies involved with the satellite, aerospace, and communication industries. CrowdStrike also writes that Putter Panda has been conducting intelligence-gathering operations on government sectors in the US. The hackers used innocuous-seeming emails containing job postings, PDF invitations to conferences, and even a yoga studio brochure to lure victims into downloading custom malware.
Putter Panda is also known as Unit 61486, the 12th Bureau of the PLA's 3rd General Staff Department, making it the second Chinese Army group linked with cyber espionage. Just last month, the US announced criminal charges against five military officers from Unit 61398.
CrowdStrike believes that this is just a small part of the picture, calling the criminal indictment "the tip of a very large iceberg."
Those reading the indictment should not conclude that the People’s Republic of China (PRC) hacking campaign is limited to five soldiers in one military unit, or that they solely target the United States government and corporations. Rather, China’s decade-long economic espionage campaign is massive and unrelenting. Through widespread espionage campaigns, Chinese threat actors are targeting companies and governments in every part of the globe.
The security firm writes that there is evidence indicating that Putter Panda may have either cooperated or shared resources with Unit 61398. The report also links to a 35-year-old male named "Chen Ping" whose handle, "cpyy," was used to register several domains connected with Putter Panda's cyberattacks. Its investigations unearthed photo albums hinting at military connections, forum discussions indicating a possible interest in network security, and cpyy's interactions with at least one suspected member of Unit 61398. "We've got the gun, the bullet and the body," says CrowdStrike's Adam Meyers, whose company believes its report proves the connection between Unit 61486 and the attacks experienced by its clients.
CrowdStrike's publication may cause tensions between the US and China to escalate even further. In January 2013, The New York Times said a four-month-long hack was possibly tied to the Chinese military. The story was followed by similar reports from The Wall Street Journal and The Washington Post. The Chinese government would later deny the accusations, before claiming that the US was responsible for nearly two-thirds of the 144,000 security breaches experienced by the Defense Ministry each month in 2012. The situation has worsened since then, with both countries slinging allegations and a recent report suggesting that US companies should be allowed to retaliate against hackers.