The APT Files #2: Putter Panda
2024-1-28 20:37:49 Author: infosecwriteups.com

Daniel Iwugo

InfoSec Write-ups

A Panda playing golf | Credit: Author using Stable Diffusion

Suspected Origin: China, 2007

Other Names: APT2, PLA 61486, Putter Panda, MSUpdater, G0023

Target Region(s): North America, Europe

Attack Vectors: Spear-phishing, Malware, Social Engineering

Tools observed: MOOSE, WARP

  • OSINT — Open Source Intelligence, using publicly available sources to gather sensitive/critical information about someone
  • C2 Servers — Command and Control Servers, computers used to control malware remotely

Putter Panda is a threat group suspected to operate under the military cover of Unit 61486 of the Chinese People’s Liberation Army (PLA). The group’s name comes from its habit of targeting golf players (putter) and its suspected country of origin (China).

According to the Council on Foreign Relations, the group is known to target tech, research, defence and government sectors, particularly in satellite and aerospace sectors of the United States.

Their primary focus is on targeting widely used productivity applications like Adobe Reader and Microsoft Office. They carry out their malicious activities by utilizing customized malware, which they distribute through targeted email attacks.

On June 9, 2014, Crowdstrike released a report exposing the operations of the group. The centrepiece of the report was a suspected hacker with the alias ‘cpyy’. Using Open Source Intelligence (OSINT), Crowdstrike were able to link this person to many operations carried out by the threat group, as well as to Comment Panda and Vixen Panda, two other threat groups.

The report noted that a domain name used for C2 communication with known malware was registered to an email address. The registrant’s postal address, when checked on Google Maps, pointed to an area of Shanghai which happens to be where the PLA’s building is located.

Furthermore, a Chinese government website describing theatrical performances featuring PLA members, specifically Unit 61486’s staff, listed a link and an address tied to the same email registrant mentioned above.

During Crowdstrike’s investigation, one character stood out: cpyy. cpyy was associated with several email addresses used to register the C2 domains that controlled the malware. The registrant’s name was Chen Ping, whose initials match the ‘cp’ in ‘cpyy’.

Linking the name to the alias, Crowdstrike found out that he was born on 25 May 1979 and worked for the ‘military/police’. He was known to post on forums about networking and programming.

Chen was also known to have discussions with Linxder and xiaobai (two other suspected threat actors) on security and programming.

Chen seemed like just another civilian with an odd fascination for cybersecurity and programming, except for one slight problem: his photos. According to the blogs, he had a hobby of taking pictures and publishing them on the Internet. He even had a Picasa profile.

Some of these pictures included photos of himself in various locations, ranging from his workplace to his dormitory and even satellite dishes. Using OSINT, Crowdstrike were able to draw links between Chen and the APT2 group.

The public images implied that Chen had links to the military. There were pictures of people in military uniform, military training, and even a birthday party in a dorm with people wearing khaki.

The images of particular interest were those in the “office” and “dormitory” albums. One showed two military hats that appear to be Type 07 PLA Army hats. Another showed the exterior of a building with many large satellite dishes outside, indicating a military facility. There was also an image of a very large dish directly in front of the Oriental Pearl Tower, a famous landmark in Shanghai, the city where APT2 is suspected to carry out its operations.

  1. Putter Panda report by Crowdstrike: http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf
  2. Council on Foreign Relations cyber operations profile: https://www.cfr.org/cyber-operations/putter-panda


Source: https://infosecwriteups.com/the-apt-files-2-putter-panda-e24f3559a08b?source=rss----7b722bfd1b8d---4