Chinese hackers switched targets to U.S. experts on Iraq

Deep Panda targeted think tank experts as China's government worried about oil investments in Iraq during Sunni rebellion

A sophisticated Chinese hacker group that had been stealing information from U.S. policy experts on nearby Southeast Asia suddenly changed targets last month to focus on the Middle East -- Iraq, in particular -- security researchers said Monday.

The group, called "Deep Panda," switched from exploiting one area of expertise to another because of the march of the Islamic State of Iraq and the Levant (ISIS) towards Baghdad, and the collapse of Iraq's security forces in the north and west of the country.

"The networks [of the think tanks] had been previously compromised, but Deep Panda pivoted to target systems and individuals with ties to the Middle East and Iraq," said Dmitri Alperovitch, co-founder and CTO of CrowdStrike, an Irvine, Calif. security company, of the overnight switch. The shift in Deep Panda's targeting happened on June 18, the day that ISIS began to attack the strategically important oil refinery at Baiji, 155 miles north of Baghdad.

China is the largest foreign investor in Iraqi oil fields, and draws about 10% of its oil imports from the country. Most of China's oil investments, however, are in southern Iraq.

ISIS' quick gains and China's large stake in Iraq were behind the targeting change, Alperovitch said. Deep Panda's switch made clear that China's government wanted to know what policy makers here thought was happening in Iraq and what military moves the U.S. might make to stabilize the situation.

President Barack Obama ended up sending several hundred military advisors to Iraq last month.

CrowdStrike, which has tracked Deep Panda for three years, believes the group either works for or is actually funded by the Chinese government. "It's an intelligence operation, with a very far and wide collection mission to keep policy makers in China informed," said Adam Meyers, vice president of intelligence at CrowdStrike.

"This shows how much control [the Chinese government] has over this group," added Alperovitch, of the sudden targeting shift.

"It was representative of a new priority" of Deep Panda's controllers or sponsors, echoed Meyers.

Deep Panda has successfully infiltrated technology companies, legal firms, policy think tanks and human rights organizations in part because of its advanced tradecraft, said Meyers. Once inside a network, the gang often uses Windows' native tools for as much of its work as possible, part of an attempt to keep a low profile and escape detection by security software.
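The article notes that the group leans on Windows' built-in tools once inside a network so that no new malware has to touch disk, which is exactly why signature-based products miss it. The following is an added example, not CrowdStrike's code or any Falcon Host logic: a small detector that runs over constructed process-creation records (a hypothetical "key=value|key=value" format, with host names, user names and command lines invented for illustration) and raises alerts on the two patterns defenders usually look for in this situation: a native admin tool spawned by a document or mail client, and one user on one host touching several distinct native tools in a row. The tool and parent lists are starting points, not a complete rule set.

```python
"""Flag reuse of built-in Windows tools in process-creation telemetry.

Added example for this article; not CrowdStrike's code or the Falcon Host
product. The log format and every sample event below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Built-in Windows binaries that intruders reuse to avoid dropping malware.
# Assumption: a typical starter list, not an exhaustive one.
NATIVE_TOOLS = {
    "cmd.exe", "powershell.exe", "net.exe", "net1.exe", "whoami.exe",
    "nltest.exe", "wmic.exe", "schtasks.exe", "reg.exe", "rundll32.exe",
}

# Parents that should almost never launch command-line admin tooling:
# a document or mail client doing so is the classic phishing foothold.
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe",
}

# Command-line fragments that point at domain reconnaissance or obfuscation.
RECON_ARGS = (" /domain", "domain admins", "-enc ", "-encodedcommand")


@dataclass
class ProcEvent:
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Parse one record of the constructed 'key=value|...' log format."""
    fields = {}
    for token in line.split("|"):
        key, _, value = token.partition("=")
        fields[key.strip()] = value.strip()
    return ProcEvent(
        host=fields["host"],
        user=fields["user"],
        parent=fields["parent"].lower(),
        image=fields["image"].lower(),
        cmdline=fields["cmdline"],
    )


def score_event(ev: ProcEvent) -> int:
    """Score a single event; 0 means nothing of interest."""
    score = 0
    if ev.image in NATIVE_TOOLS:
        score += 1                      # native tool in use at all
        if ev.parent in SUSPICIOUS_PARENTS:
            score += 3                  # launched from a document/mail client
        lowered = ev.cmdline.lower()
        if any(arg in lowered for arg in RECON_ARGS):
            score += 2                  # arguments typical of domain recon
    return score


def find_recon_chains(events: List[ProcEvent], threshold: int = 3) -> Dict[Tuple[str, str], List[str]]:
    """Group by (host, user) and report those touching >= threshold distinct native tools."""
    seen: Dict[Tuple[str, str], set] = {}
    for ev in events:
        if ev.image in NATIVE_TOOLS:
            seen.setdefault((ev.host, ev.user), set()).add(ev.image)
    return {key: sorted(tools) for key, tools in seen.items() if len(tools) >= threshold}


def analyze(lines: List[str], min_score: int = 3, chain_threshold: int = 3) -> Dict:
    """Run both checks over raw log lines and return alerts plus recon chains."""
    events = [parse_event(line) for line in lines if line.strip()]
    alerts = []
    for ev in events:
        score = score_event(ev)
        if score >= min_score:
            alerts.append((ev.host, ev.user, ev.image, score))
    return {"alerts": alerts, "chains": find_recon_chains(events, chain_threshold)}


# Constructed sample telemetry: a benign editor launch, then a document
# spawning a shell that walks the domain, and one ordinary admin action.
SAMPLE_LOG = [
    "host=WS01|user=analyst|parent=explorer.exe|image=notepad.exe|cmdline=notepad.exe report.txt",
    "host=WS01|user=analyst|parent=winword.exe|image=cmd.exe|cmdline=cmd.exe /c whoami",
    "host=WS01|user=analyst|parent=cmd.exe|image=whoami.exe|cmdline=whoami.exe /all",
    'host=WS01|user=analyst|parent=cmd.exe|image=net.exe|cmdline=net.exe group "Domain Admins" /domain',
    "host=WS01|user=analyst|parent=cmd.exe|image=nltest.exe|cmdline=nltest.exe /dclist:",
    "host=WS02|user=admin|parent=mmc.exe|image=net.exe|cmdline=net.exe use",
]

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for host, user, image, score in result["alerts"]:
        print(f"ALERT score={score} host={host} user={user} image={image}")
    for (host, user), tools in result["chains"].items():
        print(f"RECON CHAIN host={host} user={user} tools={', '.join(tools)}")
```

On the sample data the single-event rule fires on the shell spawned by Word and on the `net group` query, while the chain rule ties the four native tools run by the same user on WS01 together into one incident; the lone `net use` from the admin on WS02 scores too low to surface, which is the point of scoring rather than alerting on every built-in tool.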

"It's one of the best groups out of China in tradecraft," said Alperovitch, "because it's not using techniques that can be easily viewed." CrowdStrike currently tracks about 30 hacker groups based in China.

Deep Panda often mines the contacts of policy experts, including those still in government, to craft more convincing emails aimed at those officials, in the hope that a click will compromise their PCs, said CrowdStrike.

The company was able to sniff out Deep Panda's targeting switch because it has provided dozens of think tanks and human rights organizations with its Falcon Host technology free of charge. Falcon Host, said Alperovitch and Meyers, gives network administrators a virtual over-the-shoulder view of hackers' moves in real time, and provides the kind of forensics information that typically takes weeks or months of painstaking research to collect.

Alperovitch declined to name the think tanks that had been targeted by Deep Panda when it shifted its aim at experts in the Middle East and Iraq.

CrowdStrike has published a technical analysis of the latest Deep Panda campaign on its website.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is
