SINGAPORE – Security researchers have many names for the hacking group that is one of the suspects for the cyberattack on the U.S. government’s Office of Personnel Management (OPM): PinkPanther, KungFu Kittens, Group 72 and, most famously, Deep Panda.
But to Jared Myers and his colleagues at the cybersecurity company RSA, it is called Shell Crew, and Myers’ team is one of the few that has watched it in mid-assault — and eventually repulsed it.
Myers’ account of a months-long battle with the group illustrates the challenges that governments and companies face in defending against hackers that researchers believe are linked to the Chinese government.
“The Shell Crew is an extremely efficient and talented group,” Myers said.
Shell Crew, or Deep Panda, is one of several hacking groups that Western cybersecurity companies have accused of hacking into U.S. and other countries’ networks and stealing government, defense and industrial documents.
The attack on the OPM computers, revealed this month, compromised the data of 4 million current and former federal employees, raising U.S. suspicions that Chinese hackers were building huge databases that could be used to recruit spies.
China has denied any connection with such attacks and little is known about the identities of those involved in them.
But cybersecurity experts are starting to learn more about their methods.
Researchers have connected the OPM breach to an earlier attack on the U.S. health care insurer Anthem Inc., which has been blamed on Deep Panda.
RSA’s Myers says his team has no evidence that Shell Crew was behind the OPM attack, but believes Shell Crew and Deep Panda are the same.
And they are no newcomers to cyberespionage.
CrowdStrike, the cybersecurity company that gave Deep Panda its name due to its perceived Chinese links, traces its activities to 2011, when it launched attacks on defense, energy and chemical industries in the U.S. and Japan.
But few have caught it in the act.
In February 2014, a U.S. firm that designs and makes technology products called in RSA, a division of technology company EMC, to fix a problem. RSA realized there was a much bigger one at hand: Hackers were inside the company’s network, stealing sensitive data.
Myers’ team could see hackers had been there for more than six months. But the attack went back further than that.
For months, Shell Crew had probed the company’s defenses, using exploit code for known vulnerabilities in computer systems to try to unlock a door on its servers.
Once Shell Crew found a way in, it moved quickly, since this was the point when it was most likely to be spotted.
On July 10, 2013, it set up a fake user account on an engineering portal. A malware package was uploaded to a site, and then, 40 minutes later, the fake account sent emails to company employees, designed to fool one into clicking on a link that would download the malware and open the door.
Once an employee fell for the email, the Shell Crew members were in, and within hours were wandering the company’s network. Two days later the company, aware that employees had fallen for the emails, reset their passwords. But it was too late: The Shell Crew had already shipped in software to create back doors and other ways in and out of the system.
For the next 50 days, the group moved freely, mapping the network and sending their findings back to base. This, Myers said, was because the hackers would be working in tandem with someone else — someone who knew what to steal.
In early September 2013, they returned with specific targets. For weeks they mined the company’s computers, copying gigabytes of data. They were still at it when the RSA team discovered them nearly five months later.
Myers’ team painstakingly retraced Shell Crew’s movements, trying to catalogue where they had been in the networks and what they had stolen. They couldn’t move against the group until they were sure they could kick them out for good.
It took two months before they closed the door, locking the Shell Crew out.
But within days they were trying to get back in, launching hundreds of assaults. Myers says they are still trying to gain access today, though all attempts have failed.