Chinese hackers target Iraqi experts over oil interests


The Chinese hacker group Deep Panda, infamous for intelligence gathering on Southeast Asia and spying on US tech companies, has switched its targets to US security think tanks and Iraqi experts.

According to Crowdstrike, a US-based security technologies provider, the Chinese hacker group Deep Panda has recently began targeting senior officials at US security think tanks with ties to Iraq.

“This actor, who was engaged in targeting and collection of Southeast Asia policy information, suddenly began targeting individuals with a tie to Iraq/Middle East issues,” Cyberstrike’s co-founder and CTO Dmitri Alperovitch wrote in a blog post on their website.

“This is undoubtedly related to the recent Islamic State of Iraq and the Levant (ISIS) takeover of major parts of Iraq and the potential disruption for major Chinese oil interests in the country.”

Since the 2003 invasion, Iraq has witnessed a major increase in oil production making the country the second largest crude oil producer in OPEC, surpassing Iran in 2012, according to the US Energy Information Administration (EIA).

The People’s Republic of China is Iraq’s largest oil consumer and is projected to become the largest net oil importer globally this year.

Though little is known about the organisation, Cyberstrike alleges links to the People’s Liberation Army (PLA) in China.

In 2011, the PLA unveiled a new branch focusing on cyber attacks and information warfare (IE). Though the PLA’s cyber security squad was allegedly created to defend China from cyber attacks, the US has expressed concerns regarding their connection to hacking incidents on government agencies and tech companies within their borders.

“PLA leaders have embraced the idea that successful warfighting is predicated on the ability to exert control over an adversary’s information and information systems, often preemptively. This goal has effectively created a new strategic and tactical high ground, occupying which has become just as important for controlling the battlespace as its geographic equivalent in the physical domain,” notes a US government report on China’s capabilities for cyber espionage published in 2012.

In May 2014, a US court indicted five Chinese military officers for hacking American energy companies in order to presumably steal trade secrets, though the Chinese government fervently denied the accusations.

Deep Panda’s strategies are intrinsically disconcerting for today’s cyber security protocols as they are able to bypass them without being detected. The elements they use are not stored on the target’s computer. Instead, they rely on the computer’s memory to access content.

Deep Panda cyber attack strategy (graphic: Crowdstrike)

“By running them from memory, it leaves no disk artefacts or host-based IOCs [Indicator of Compromise] that can be identified in forensic analysis. This is typical for DEEP PANDA – stealth is their speciality and they prefer to operate in a way that leaves a minimal footprint on a victim system and often allows them to evade detection for a very long time,” Alperovitch noted on the blog post.

As such, Cyberstrike identifies Deep Panda as a dangerous adversary in cyberwarfare, whether connected to China’s PLA or acting out of its own volition.

On Monday, the PLA’s official newspaper announced the creation of the Cyberspace Strategic Intelligence Research Centre, which aims to “provide strong support in obtaining high-quality intelligence research findings and help China gain advantage in national information security.”