Hunting PUTTER PANDA with Lancope by StealthWatch Labs

Following on the heels of recent U.S. charges against members of the Chinese People’s Liberation Army (PLA) for economic espionage, security researchers are now tracking cyber espionage attacks thought to be stemming from a different unit of the PLA, headquartered in Shanghai and operating under the codename PUTTER PANDA. This group is believed to have hacked into corporations around the world to steal trade secrets, particularly surrounding the satellite industry.

According to this CrowdStrike Intelligence Report, PUTTER PANDA has targeted U.S. Government, Defense, Research and Technology Sectors, as well as U.S. and European satellite and aerospace industries. The group is thought to be connected to the COMMENT PANDA group, which has ties to those previously implicated in the U.S. espionage charges.

PUTTER PANDA's exploits target popular applications such as Adobe Reader and Microsoft Office. The group uses a wide set of tools, including targeted email attacks, Remote Access Tools (RATs) and custom malware, to obtain control over victims' systems and gather confidential intelligence.

Operating since at least 2007, PUTTER PANDA has left behind myriad indicators of compromise (IOCs) over the years. The CrowdStrike report divulges these IOCs in an effort to help organizations detect and thwart these attacks within their networks.

As with other prominent attacks, organizations can leverage Lancope’s StealthWatch System to search their networks for IOCs from the PUTTER PANDA attacks without the need for time-consuming, manual analysis. By collecting and analyzing NetFlow, IPFIX and other types of flow data, the StealthWatch System provides a comprehensive audit trail of all network activity that can be stored for months or even years. Security teams can then run automated queries on this data to determine whether they were a victim of a specific attack.
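The retrospective IOC search described above (match an indicator list against stored flow records and resolver logs, then list which internal hosts touched an indicator) is illustrated by the following added example. It is not Lancope's or StealthWatch's code; the flow export format, the DNS log format and every IP and domain in it are constructed placeholders (RFC 5737 addresses, `.invalid` names), not indicators from the CrowdStrike report.

```python
import csv
import io
from dataclasses import dataclass

# Constructed IOC list: placeholders only, NOT values from the CrowdStrike report.
IOC_IPS = {"203.0.113.10", "198.51.100.7"}
IOC_DOMAINS = {"c2.example.invalid", "update.example.invalid"}

# Constructed flow records in a hypothetical NetFlow-style CSV export.
FLOW_CSV = """start,src_ip,dst_ip,dst_port,proto,bytes
2014-06-10T08:01:12Z,10.1.2.15,203.0.113.10,443,tcp,51234
2014-06-10T08:01:15Z,10.1.2.15,93.184.216.34,80,tcp,1800
2014-06-10T08:03:40Z,10.1.5.22,198.51.100.7,8080,tcp,2048
2014-06-10T08:04:02Z,10.1.5.23,10.1.0.5,53,udp,130
"""

# Constructed resolver log lines: timestamp, client, query name, type, answer.
DNS_LOG = """2014-06-10T08:01:10Z 10.1.2.15 c2.example.invalid A 203.0.113.10
2014-06-10T08:02:00Z 10.1.5.22 www.example.invalid A 93.184.216.34
2014-06-10T08:03:38Z 10.1.5.22 sub.update.example.invalid A 198.51.100.7
"""


@dataclass(frozen=True)
class Hit:
    when: str        # timestamp of the flow or query
    host: str        # internal host that touched the indicator
    indicator: str   # the IOC that matched
    source: str      # "flow" or "dns"


def parse_flows(text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def match_flows(records, ioc_ips):
    """Return a Hit for every flow whose source or destination is an IOC IP."""
    hits = []
    for r in records:
        for side in ("src_ip", "dst_ip"):
            if r[side] in ioc_ips:
                # The other end of the flow is the internal host to investigate.
                internal = r["dst_ip"] if side == "src_ip" else r["src_ip"]
                hits.append(Hit(r["start"], internal, r[side], "flow"))
    return hits


def domain_matches(qname, ioc_domains):
    """Return the matching IOC domain if qname equals it or is a subdomain of it."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ioc_domains:
            return candidate
    return None


def match_dns(text, ioc_domains):
    """Return a Hit for every resolver log line whose query name hits an IOC domain."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed or blank lines
        when, client, qname = parts[0], parts[1], parts[2]
        matched = domain_matches(qname, ioc_domains)
        if matched:
            hits.append(Hit(when, client, matched, "dns"))
    return hits


def hunt(flow_csv=FLOW_CSV, dns_log=DNS_LOG, ioc_ips=IOC_IPS, ioc_domains=IOC_DOMAINS):
    """Run both searches over the stored data and return hits in time order."""
    hits = match_flows(parse_flows(flow_csv), ioc_ips) + match_dns(dns_log, ioc_domains)
    return sorted(hits, key=lambda h: h.when)


def affected_hosts(hits):
    """Distinct internal hosts that appear in any hit, for the triage list."""
    return sorted({h.host for h in hits})


if __name__ == "__main__":
    results = hunt()
    for h in results:
        print(f"{h.when} {h.source:4} host={h.host} indicator={h.indicator}")
    print("hosts to triage:", affected_hosts(results))
```

The DNS check matches subdomains of an indicator as well as the exact name, because infrastructure listed by a report is often reused under new host labels; the flow check matches either direction so that inbound connections from an indicator are caught too. Against a real flow store the two constructed strings would be replaced by the exported records and the indicator sets by the report's list.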

This previous blog post outlines exactly how organizations can search for IOCs using the StealthWatch System. A list of all IP addresses and domain names outlined in the CrowdStrike report as being associated with PUTTER PANDA can be found here.

With the recent, sharp rise in sophisticated attacks, the ability to collect, store, analyze and search large amounts of network data is becoming increasingly critical for developing strong incident response and forensics capabilities. The targets of today’s APTs stretch far and wide – no longer limited to just government entities – so all organizations should currently be working to build up their threat detection processes and toolsets.

The full CrowdStrike report, including a plethora of IOCs and evidence that suggests a tie between PUTTER PANDA and the Chinese PLA, can be found here. For further details on hunting sophisticated attackers using network audit trails, join this complimentary Lancope webinar on June 25.