APT 002
Also known as: Putter Panda, MSUpdater
Suspected attribution: China, Unit 61486
Target sectors: Government, defense, research, and technology sectors in the United states, with specific targeting of space, aerospace, and communications
Overview: Putter Panda is a cyber espionage actor that conducts operations from shanghai, China, likely on behalf of the Chinese People’s liberation army (Pla) 3rd General staff department 12th Bureau Unit 61486. this unit is supports the space based signals intelligence (sIGInt) mission. The 12th Bureau Unit 61486, headquartered in shanghai, is widely accepted to be China’s primary sIGInt collection and analysis agency, supporting China’s space surveillance network. They focus their exploits against popular productivity applications such as adobe reader and Microsoft office to deploy custom malware through targeted email attacks. Crowdstrike identified Chen Ping, aka cpyy, a suspected member of the Pla responsible for procurement of the domains associated with operations conducted by Putter Panda.
Associated malware:
Tools used: 3PARA RAT, pngdowner, httpclient, 4H RAT
Attack vectors: Putter Panda is a determined adversary group, conducting intelligence-gathering operations targeting the Government, defense, research, and technology sectors in the United states, with specific targeting of the Us defense and European satellite and aerospace industries
Further reading:
- Crowdstrikes report on Putter Panda
- Malicious Mandiant Report in Circulation
- Puttering into the Future
IOC’s: Download from GitHub here.