Hackers Tied to China Seen Attacking U.S.-European Industry

A second hacking group linked to China’s People’s Liberation Army may have targeted U.S. defense and European satellite and aerospace industries since 2007, according to network security company CrowdStrike Inc.

The group, known as Putter Panda, “is believed to hack into victim companies throughout the world in order to steal corporate trade secrets, primarily relating to the satellite, aerospace and communication industries,” according to an undated report from the company released yesterday.

The hacking unit is likely part of the 12th Bureau of the PLA’s 3rd General Staff Department based in Shanghai, CrowdStrike said, identifying Chen Ping, also known as cpyy, as responsible for registering the command and control needed to run the malware used in the attacks. The U.S. Department of Justice last month charged five Chinese military officials from another PLA unit with stealing U.S. trade secrets. It declined to comment on CrowdStrike’s report.

“When you look at the patent denials that came back from the Chinese government that they don’t engage in theft of trade secrets, it’s just false,” George Kurtz, CrowdStrike’s co-founder and chief executive officer, said in a phone interview. “It’s not just limited to this group. It’s a much broader problem.”

Playing Victim

China dismissed the new allegations and accused the U.S. of routinely engaging in cyber espionage.

“America should stop playing victim because America is the No. 1 hacking empire in the world,” Foreign Ministry spokeswoman Hua Chunying told journalists today in Beijing. “Instead of reflecting on its own mistakes, the American side has intensified its behavior. I don’t think this is very constructive.”

The U.S. indictment against officials from Unit 61398 led China to suspend its involvement in a cybersecurity working group and drew formal protests from the ministries of defense and foreign affairs. China has also threatened retaliation.

China’s Defense Ministry spokesman Geng Yansheng said in response to the indictment that the Chinese government, military and relevant personnel have never engaged or participated in cyber theft of trade secrets. The U.S. should explain its cyber-theft and surveillance activities against China, Geng said May 20.

Tracking for Years

The CrowdStrike report isn’t likely to produce as aggressive a reaction from Chinese authorities as the indictment, Zhan Jiang, a professor of journalism at Beijing Foreign Studies University, said today.

“It’s not like last time when the U.S. Justice Department took legal action against the Chinese military officers, and Beijing felt a huge loss of face in front of the whole world,” he said.

CrowdStrike was tracking the hacking group for several years and decided after the indictment of the Chinese officers to publish a report on their findings, to call attention to the breadth of the military’s actions, said Kurtz.

CrowdStrike said the hacking group it has tracked since 2012, believed to be linked to Unit 61486, has hacked into companies throughout the world to steal corporate trade secrets, focusing on the satellite, aerospace and communication industries. It did not name specific companies in the report.

Space Surveillance

The PLA’s Third General Staff Department is “widely accepted” to be China’s primary agency for signals intelligence, and the 12th Bureau supports China’s space surveillance network, it said. The identification of the army unit, which shared infrastructure with the hacking group indicted by the U.S., is significant as such information is usually classified.

The hacking group exploits popular productivity applications such as Adobe Reader and Microsoft Office to deploy custom malware through targeted e-mail attacks, CrowdStrike said. Domains registered by Chen Ping were used to control malware and were registered to an address corresponding to the physical location of the PLA’s 12th Bureau in Shanghai, it said.

Some hackers were identified from clues they left inside their attack code and on social-media accounts, Kurtz said. Attacks subsided briefly after perpetrators were identified but quickly picked back up, he said.

“It’s like cockroaches when you turn the lights on -- they scatter but they’re going to be back,” he said.

Irvine, California-based CrowdStrike was founded by Kurtz, former chief technical officer at Intel Corp.’s McAfee division, Dmitri Alperovitch, former vice president of Threat Research at McAfee, and Gregg Marston, former chief financial officer at Foundstone, a computer security company now owned by McAfee. Company executives include Shawn Henry, a retired executive assistant director of the FBI.

— With assistance by Chris Strohm, and Henry Sanderson

Before it's here, it's on the Bloomberg Terminal.