The 2014 CrowdStrike Threat Intel Report is now available, shedding light on threat adversaries, particularly those that are nation-state backed and attacking organizations around the world.
CrowdStrike gives names to the threat actors it tracks, with different animals referring to different points of origin, such that attackers from China are given a name that includes Panda and those from Russia are Bear-related. One particular attack that CrowdStrike tracked in 2014 was from a threat actor it identified as Hurricane Panda. Dmitri Alperovitch, co-founder and CTO of CrowdStrike, said that the Hurricane Panda group activity helps to underscore the very persistent nature of nation-state adversaries.
“We have been battling Hurricane Panda for a bunch of our customers for much of the year,” Alperovitch told eWEEK.
In one incident that Alperovitch detailed, there was one particular company that was first targeted by Hurricane Panda in the summer of 2013. That company didn’t identify that it had been breached until April 2014, when it engaged CrowdStrike. The Hurricane Panda group had full administrator credentials to the victim’s environment and was roaming around the network at will.
Alperovitch said that a password reset was performed on the company’s network to kick Hurricane Panda out of the network. By June 2014, the network was clean and free from Hurricane Panda. According to Alperovitch, what was interesting was what happened after June 2014.
“The adversary in this case, as is the case in many incidents we see, didn’t simply pack up and go home after being kicked out of the network,” he said. “The attackers decided that they needed to find a way back into the network as they had a mission to accomplish.”
That mission was to steal information so they could achieve their intelligence objectives. Over the course of the next six months, Hurricane Panda attempted to regain access to the customer network on a daily basis.
“We were seeing attempted intrusions every day, and we were seeing changes in tactics,” Alperovitch said.
In the fall of 2014, Hurricane Panda elevated its game plan and in October attempted to exploit the network by way of a Windows kernel zero-day vulnerability. The overall persistence of Hurricane Panda helps to illustrate a key point that Alperovitch says is important to understand.
“Many organizations tend to think of intrusions as discrete events—you get hacked, you clean it up and you declare victory,” he said.
The reality, he said, is that it’s a long haul, where if an organization discovers it’s been exploited by a nation-state threat actor like Hurricane Panda, the chances are that they’re not going to let go.
“It’s like a dog with a bone,” Alperovitch said. “They will keep coming after you until they get what they want, and organizations need to prepare themselves for the long onslaught.”
Nation-state threat actors aren’t just going after government targets either. Case in point is the high-profile attack against Sony Pictures, which the FBI attributed to North Korea. Alperovitch noted that in his experience there have been attacks by nation-state-backed threat groups against commercial enterprises for the last decade.
“Every major company that has valuable intellectual property across all sectors, whether it’s technology, financial or health care, are being impacted by nation-state-backed attacks,” he said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.