The attacks are sophisticated, and the group CrowdStrike tracks as “Deep Panda” is, according to the CrowdStrike team, “one of the most advanced Chinese nation-state cyber intrusion groups.” Its targeting, however, has recently shifted in response to events in Syria and Iraq.
Deep Panda’s attacks shifted after the emergence of ISIS
CrowdStrike did not say which think tanks were compromised, but it reports that data was stolen from email accounts, directories, and files. Deep Panda first appeared about three years ago, actively targeting groups that shape U.S. policy toward Southeast Asia.
“This is undoubtedly related to the recent Islamic State of Iraq and the Levant (ISIS) takeover of major parts of Iraq and the potential disruption for major Chinese oil interests in that country. In fact, Iraq happens to be the fifth-largest source of crude oil imports for China and the country is the largest foreign investor in Iraq’s oil sector. Thus, it wouldn’t be surprising if the Chinese government is highly interested in getting a better sense of the possibility of deeper U.S. military involvement that could help protect the Chinese oil infrastructure in Iraq,” according to the CrowdStrike team.
CrowdStrike also noted that the attacks on Iraq-focused think tanks began on June 18, the same day ISIS began its assault on the Baiji oil refinery, an event of obvious interest to China given its energy concerns and its heavy reliance on imported crude.
Falcon Host employed to detect Deep Panda’s attacks
To detect the attacks on the Windows systems used by these think tanks, CrowdStrike deployed its proprietary endpoint product, Falcon Host. The company provides the software free of charge to non-profits and think tanks that might otherwise be unable to afford it.
“Deep Panda presents a very serious threat not just to think tanks, but also multinational financial institutions, law firms, defense contractors, and government agencies,” the security researchers say. “Due to their stellar operational security and reliance on anti-forensic and anti-IOC detection techniques, detecting and stopping them is very challenging without the use of next-generation endpoint technology like Falcon Host.”