Cyber-espionage has become an ever more important national security concern, carried out as it is by sophisticated, nation-state-sponsored cyber intrusion groups bent on stealing intellectual property or tapping military secrets. One of these, a Chinese consortium known as Deep Panda, has recently been found targeting national security think tanks with an approach that signals changing geopolitical concerns within the Chinese government.
For almost three years now, CrowdStrike has monitored Deep Panda targeting critical and strategic business verticals including government, defense, finance, law, and telecommunications. But its tactics and targets appear to be evolving: in the past week, the threat actor, which had originally focused on targeting and collecting Southeast Asia policy information, suddenly began targeting senior individuals at think tanks involved in geopolitical policy issues in Iraq and the Middle East.
The firm called it a “radical change in targeting.”
“This is undoubtedly related to the recent Islamic State of Iraq and the Levant (ISIS) takeover of major parts of Iraq and the potential disruption for major Chinese oil interests in that country,” CrowdStrike noted in a blog post. “In fact, Iraq happens to be the fifth-largest source of crude oil imports for China and the country is the largest foreign investor in Iraq’s oil sector. Thus, it wouldn’t be surprising if the Chinese government is highly interested in getting a better sense of the possibility of deeper US military involvement that could help protect the Chinese oil infrastructure in Iraq. In fact, the shift in targeting of Iraq policy individuals occurred on June 18, the day that ISIS began its attack on the Baiji oil refinery.”
According to CrowdStrike, Deep Panda’s attack efforts are highly customized and reflective of the status quo for cyber-spying. “The intelligence services of these nation states are always on the lookout for any clues they may extract from such private communications that may give them an advanced insight into what options government policy makers are considering on particular issues of interest,” it noted. “At the same time, with access to the victim email mailboxes, the adversaries can craft very realistic spear-phishing lures to the government contacts of targeted think tank personnel by piggybacking on ongoing real conversations and increasing their chances of a successful compromise of an official government email account.”
Think tanks, of course, face some of the most advanced nation-state adversaries because the individuals typically targeted at these institutions tend to be former senior government officials who still have many contacts within Western governments. As such, their private correspondence is of extreme interest to these attackers.
“[We believe] Deep Panda knew exactly which users to target at the think tanks based on their research policy area because they rapidly pivoted from China/Asia Pacific policy experts to Iraq/Middle East policy experts once their tasking collection requirements changed,” the firm said.