Hear from CIOs, CTOs, and other C-level and senior execs on data and AI strategies at the Future of Work Summit this January 12, 2022. Learn more

China’s Deep Panda hacking crew, considered one of the world’s best for its skilled insertion of malware into adversaries’ data streams, has apparently changed its snooping habits.

Deep Panda has switched its focus, at least temporarily, from American technology giants and financial targets to major U.S. think tanks who employ former ranking government officials.

The change is likely coming about because Deep Panda is now focusing its resources on the Middle East, in particular Iraq, where the Chinese government has considerable investments in the oil sector. Those assets are now under threat by the Islamic State of Iraq and Syria (the self-declared “caliphate” known as ISIS), which has been capturing government refineries.

This analysis is according to Crowdstrike’s VP of intelligence Adam Myers. Crowdstrike is a security technology outfit based in Washington, D.C.

“As ISIS has become more active in Iraq since June, we saw that Deep Panda switched gears to targets in the Middle East,” Myers said.

Using its own proprietary Falcon Host endpoint security tools, Crowdstrike has been tracking Deep Panda for over three years. In particular, Myers and his team have been following the exploits of Deep Panda’s chief tool developer, which he said has a direct connection to the Chinese military.

Many of America’s biggest and most renowned think tanks employ former high-ranking government officials who maintain serious connections to U.S. pols. Deep Panda, knowing this, has focused its hacking in this direction. Myers said Deep Panda specializes in effective malware campaigns by hacking into web applications, taking control of web servers, database attacks known as SQL injections, and by targeting vulnerabilities in Microsoft’s PowerShell applications.

According to Crowdstrike’s blog post on Deep Panda:

“This actor (Deep Panda), who was engaged in targeting and collection of Southeast Asia policy information, suddenly began targeting individuals with a tie to Iraq/Middle East issues. This is undoubtedly related to the recent Islamic State of Iraq and the Levant (ISIS) takeover of major parts of Iraq and the potential disruption for major Chinese oil interests in that country. In fact, Iraq happens to be the fifth-largest source of crude oil imports for China and the country is the largest foreign investor in Iraq’s oil sector.”

Despite compiling a considerable intelligence dossier on Deep Panda, Myers’ admits little else is know about the unit, thought to be like its sister unit, Putter Panda, also beholden to China’s military. Indeed, Myers said he doesn’t know where the unit is based, although one of its members has been traced to a facility in the Chinese city of Shanghai.

At the end of the day, Myers said, Deep Panda is dangerous.

According to Crowdstrike:

“Deep Panda presents a very serious threat not just to think tanks, but also multinational financial institutions, law firms, defense contractors, and government agencies. Due to their stellar operational security and reliance on anti-forensic and anti-IOC detection techniques, detecting and stopping them is very challenging without the use of next-generation endpoint technology like Falcon Host.”

Read Crowdstrike’s blog post on Deep Panda here.


VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative technology and transact. Our site delivers essential information on data technologies and strategies to guide you as you lead your organizations. We invite you to become a member of our community, to access:
  • up-to-date information on the subjects of interest to you
  • our newsletters
  • gated thought-leader content and discounted access to our prized events, such as Transform 2021: Learn More
  • networking features, and more
Become a member