Threat Intelligence, Incident Response, TDR

Report details China-based cyber spying on U.S. aerospace sector


A security firm has detailed the exploits of a China-based cyber espionage group, which has targeted U.S. and European satellite and aerospace industries since at least 2007.

On Monday, CrowdStrike, an Irvine, Calif.-based company that helps organizations identify advanced threats and targeted attacks, released a 62-page report on the group, dubbed “Putter Panda.”

Putter Panda is believed to have carried out its spying on behalf of a division within the Third Department of the Chinese People's Liberation Army (PLA) – Unit 61486, headquartered in Shanghai. The unit supports China's space surveillance network, the report said.

Last month, the U.S. indicted five Chinese nationals, who were officers of another unit under PLA's Third Department, Unit 61398. The men in that unit were accused of conspiring to hack into the computers of six U.S. companies in order to steal trade secrets.

At the time, U.S. Attorney General Eric Holder called the arrests “the first ever charges against known state actors for infiltrating U.S. commercial targets by cyber means.”

In CrowdStrike's new findings, researchers uncovered evidence of the Putter Panda group (or PLA Unit 61486) and Unit 61398 (also called APT1)  sharing resources to spy on U.S. organizations. “APT1” is the name security firm Mandiant bestowed upon PLA Unit 61398 when it released its 2013 report detailing the massive data theft operation.

According to CrowdStrike's report, Putter Panda has focused its intelligence-gathering operations on U.S. entities within the government, defense, research and technology sectors. The group used remote access trojans (RATs), among other tools, which were delivered via spear phishing emails to control target's systems.

To infect victims, attackers targeted users running vulnerable versions of Adobe Reader and Microsoft Office applications. Email attachments were rigged to install custom malware on victims' computers, the CrowdStrike report revealed.

Adam Meyers, CrowdStrike's vice president of intelligence, told in a Tuesday interview that Putter Panda's sights were set on “anything tied to global communications,” as they targeted satellite communications platforms, GPS platforms and sensors that might be used for military purposes.

“The reason we decided to release the report is two-fold really,” Meyers said. “On the heels of the indictment, we wanted to keep the pressure on China. They have been targeting U.S. businesses for years, and this is really just the small tip of a large iceberg.”

Researchers also wanted to provide evidence that could help attribute continued attacks to Chinese military-backed groups, Meyers added.

According to CrowdStrike's report, one alleged attacker, going by the online alias, Cpyy, registered domains that were used to control Putter Panda's custom malware.

“It's a pretty massive effort. When the indictments came out, China said the burden of proof [was on the U.S.],” Meyers said. “When [Cpyy] registered the domain, he put the address of the [Unit 61486] headquarters. It's pretty cut and dry."

CrowdStike believes that Cpyy's real name is Chen Ping, as that was the registrant name for a domain linked to the espionage group.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.