More Chinese Military Espionage Links Revealed

CrowdStrike reveals new details about Chinese cyber-espionage in a campaign dubbed "Putter Panda." Is it just more of the same, or is it something new?


In a report published on June 9, security firm CrowdStrike revealed new details about Chinese military cyber-espionage against the United States in a campaign it has dubbed "Putter Panda."

The Putter Panda campaign, referred to by other security firms as MSUpdater, has been ongoing since at least 2012. The CrowdStrike disclosure on the Putter Panda campaign identifies hacking efforts that are likely directly tied to the Chinese People's Liberation Army (PLA) 3rd Department, 12th Bureau, Unit 61486. The efforts of Unit 61486 are likely loosely coupled with those of Unit 61398, members of which were recently indicted by the U.S. Department of Justice. The Justice Department charged five Chinese military officers attached to Unit 61398 with attacking U.S. firms in a bid to extract competitive industrial intelligence information.

George Kurtz, CEO of CrowdStrike, told eWEEK that the response from China to the Unit 61398 indictments was a motivating factor for him to release the report on Putter Panda. The Chinese basically responded that they don't hack American companies, he said.

"We were just a little bit tired of the rhetoric coming back from China that they don't hack," Kurtz said. "We're in the field doing incident response for some of the largest organizations in the world, and we're seeing firsthand what is going on and we wanted to put out a report that is a fair representation of the activity we see that is tied to China."

Concerning the name "Putter Panda," Kurtz explained that his firm identifies all threat actors coming out of China with the moniker "panda." The "Putter" part of the name is derived from malicious documents related to the Chinese hacking campaign that a CrowdStrike analyst was working on, in which the sport of golf was mentioned.

From a Chinese military perspective, it was back in February 2013 that security firm Mandiant first disclosed the activities of Unit 61398. Kurtz explained that Unit 61486, which runs the Putter Panda effort, is related in terms of activities and military hierarchy.

"There are 12 bureaus that are part of the Chinese military general staff department," Kurtz said. "The 12th bureau is focused on signals intelligence and each group in the bureau specializes, but they all share some overlapping infrastructure."

By exposing the efforts of Unit 61486, CrowdStrike might well serve to drive the Chinese Army unit to change some of its locations and tactics. One year after releasing its report on Chinese Army hacking, Mandiant's Kevin Mandia said in March of this year that some of the infrastructure used by Unit 61398 changed after his report was issued.

Kurtz isn't too concerned if Unit 61486 changes some of its infrastructure in response to his Putter Panda report.

"It's like cockroaches when you turn the lights on; they all scatter, but they will be back," Kurtz said. "They will continue to operate, but the report is less about driving them out of business; it's more about turning a spotlight on this issue."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.