Deep Panda is a cyber espionage group from China with suspected links to the Chinese government. The group is highly sophisticated and diligent at covering its tracks—hence there is no clear evidence of who these individuals are or their affiliations.
All that intelligence agencies and cyber security firms know for sure is that Deep Panda operates out of China.
With cyber-attacks on the rise, ALL companies must keep account credentials safe using a password manager like TeamPassword. Sign up for a 14-day free trial.
Who is Deep Panda?
CrowdStrike was the first security firm to discover Deep Panda back in 2011 when the cyberespionage group attempted to hack a Fortune 500 company.
"Deep" is the group's reference name, while "Panda" is CrowdStrike's codename for Chinese hacker groups.
Deep Panda focuses on defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services.
The group primarily targets US government institutions and multinational corporations to steal state secrets and intellectual property. Security firms and intelligence agencies have also linked Deep Panda to cyber attacks in Southeast Asia, Japan, and South America.
Deep Panda Aliases
Deep Panda has several aliases from security agencies and references to the group's malware.
- KungFu Kittens
- Group 72
- Shell Crew
- Black Vine
- APT19 (Advanced Persistent Threat 19, the designation used by Mandiant/FireEye rather than a US government classification) - there is some contention among analysts over whether Deep Panda and APT19 are the same group.
What does Deep Panda do?
Deep Panda's primary goal is to infiltrate networks to gather intelligence and steal secrets from governments and private organizations.
The group is highly organized and is known to remain undetected on networks for months at a time. Even when security teams know Deep Panda is on a network, it can take months to remove them completely.
Deep Panda uses multiple pieces of malware in a single attack. These tools give the group remote access to a device or network, let it move laterally to infect other connected systems, and delete log data so that anyone monitoring the system won't know the group is present.
Deep Panda is also excellent at creating multiple "backdoors" once inside a system. These backdoors give Deep Panda continued access to a system, even when security teams change everyone's passwords.
In most cases, it takes months to get Deep Panda off of a network because they keep creating backdoors to outsmart those trying to remove them.
Famous Deep Panda Attacks
Deep Panda is behind some of the most intricate and sophisticated attacks over the last decade. These are some of the group's biggest hits.
It's important to note that authorities and security analysts only suspect Deep Panda's involvement in these crimes due to the modus operandi and toolsets used in these attacks.
Adobe Breach 2013
In mid-2013, Deep Panda breached an Adobe ColdFusion web application server via a known software vulnerability.
Once inside, Deep Panda quickly installed malware, created backdoors, and began stealing data on roughly 38 million Adobe users, including user IDs and encrypted passwords, along with encrypted payment card data for about 2.9 million customers. Adobe had encrypted the passwords with 3DES in ECB mode rather than hashing and salting them, so identical passwords produced identical ciphertext and many were recovered with the help of the stored password hints.
In addition, the group stole source code for Adobe Acrobat, Adobe Reader, Photoshop, and ColdFusion.
To rub salt in the wound, Adobe later paid $1 million to settle a lawsuit brought by 15 state attorneys general.
United States Office of Personnel Management (OPM) Breach - 2015
In 2015, Deep Panda breached OPM with the intent of stealing government employee data. The group took the personal records of about 22.1 million people, including background-investigation data on applicants' family members, friends, and associates.
At the time, the OPM attack was recorded as the biggest government data breach in history.
The records included full names, SSNs, dates and places of birth, and physical addresses.
Deep Panda managed to breach OPM's systems twice. In one of the breaches, attackers posed as an employee of OPM subcontractor, KeyPoint Government Solutions, to acquire legitimate login credentials.
Hackers used PlugX to create a backdoor into the system, a signature Deep Panda maneuver.
In August 2017, the FBI arrested Chinese national Yu Pingan at Los Angeles International Airport on charges related to supplying the "Sakula" malware used in the OPM data breach. Yu spent 18 months in federal detention before pleading guilty, and the US deported him in 2019.
Security analysts believe the OPM attack was part of an operation to build a database of US government employees. The Chinese government uses these databases to recruit spies or bribe to obtain government secrets.
Anthem Medical Data Breach - 2015
In 2015, hackers breached Anthem's systems and stole approximately 80 million personal records, excluding payment and medical data.
The records included the following personal information:
- Full names
- Date of birth
- Medical IDs
- Home addresses
- Email addresses
- Employment information
- Income data
Analysts warned that criminals could use the Anthem data for identity theft scams or spear-phishing attacks.
US authorities have not publicly implicated a specific criminal group but have indicated that a foreign government likely ordered the attack.
Security analysts speculate that Deep Panda is responsible for the Anthem breach.
How Does Deep Panda Breach Networks?
Deep Panda is highly skilled at finding software vulnerabilities and carrying out sophisticated social engineering attacks.
Deep Panda likely receives information from spies to acquire the intelligence necessary to carry out its attacks.
When Deep Panda breaches a system via a software vulnerability, it often creates a fake user account and uses it to send spear-phishing messages from inside the organization. Because the messages come from a legitimate internal account, employees have little reason to suspect them.
Once a user clicks one of the links, Deep Panda gains access to the device and the networks it connects to.
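The two behaviours described above, backdoor accounts that outlive a password reset and internal spear phishing sent from an account the intruder created, both leave traces in ordinary audit logs. The script below is an added example, not TeamPassword's code or anything from a Deep Panda report: it runs three simple detection rules over a constructed sample log. The log format, the account names, the IP addresses, the HR roster and the seven-day "new account" window are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample audit log (hypothetical users, hosts and times).
# Each line: <ISO timestamp> <event> <actor> <target> [key=value ...]
SAMPLE_LOG = """\
2023-03-01T09:00:00 USER_CREATED it.admin j.smith
2023-03-01T09:05:00 USER_CREATED it.admin svc-updater
2023-03-02T10:00:00 MAIL_SENT j.smith finance.team link=no
2023-03-02T11:30:00 MAIL_SENT svc-updater finance.team link=yes
2023-03-03T08:00:00 PASSWORD_RESET_ALL security.team -
2023-03-03T09:00:00 LOGIN j.smith 10.0.0.12
2023-03-03T09:15:00 LOGIN svc-updater 203.0.113.7
"""

# Constructed HR roster: every account that is supposed to exist.
HR_ROSTER = {"it.admin", "security.team", "finance.team", "j.smith"}

# Assumed window during which an account counts as "newly created".
NEW_ACCOUNT_WINDOW = timedelta(days=7)


def parse_log(text):
    """Parse the space-separated sample format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, actor, target, *extra = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "kind": kind,
            "actor": actor,
            "target": target,
            "extra": dict(kv.split("=", 1) for kv in extra),
        })
    return events


def analyze(log_text, roster, window=NEW_ACCOUNT_WINDOW):
    """Return (rule, account, detail) findings in log order.

    Rules:
      unrostered_account_created   - an account HR does not know about appeared
      link_mail_from_new_account   - a recently created account mailed a link
                                     to colleagues (internal spear phishing)
      unrostered_login_after_reset - an unknown account still logs in after an
                                     org-wide password reset (a backdoor that
                                     survived the reset)
    """
    findings = []
    created_at = {}    # account -> creation time seen in this log
    last_reset = None  # time of the most recent org-wide password reset
    for ev in parse_log(log_text):
        kind = ev["kind"]
        if kind == "USER_CREATED":
            new_user = ev["target"]
            created_at[new_user] = ev["ts"]
            if new_user not in roster:
                findings.append(("unrostered_account_created", new_user,
                                 f"created by {ev['actor']}"))
        elif kind == "PASSWORD_RESET_ALL":
            last_reset = ev["ts"]
        elif kind == "MAIL_SENT":
            sender = ev["actor"]
            is_new = sender in created_at and ev["ts"] - created_at[sender] <= window
            if is_new and ev["extra"].get("link") == "yes":
                findings.append(("link_mail_from_new_account", sender,
                                 f"to {ev['target']}"))
        elif kind == "LOGIN":
            user = ev["actor"]
            if last_reset is not None and ev["ts"] > last_reset and user not in roster:
                findings.append(("unrostered_login_after_reset", user,
                                 f"from {ev['target']}"))
    return findings


if __name__ == "__main__":
    for rule, account, detail in analyze(SAMPLE_LOG, HR_ROSTER):
        print(f"{rule}: {account} ({detail})")
```

Note that the link-mail rule is deliberately based on account age rather than on the roster: a genuine new hire who mails a link inside the window is flagged too, which is a false positive worth tolerating because a freshly created account sending links is exactly what the fake-user technique looks like. In a real deployment the roster would come from the HR system and the events from the directory and mail server audit logs.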
How Can You Protect Yourself?
An advanced persistent threat like Deep Panda is primarily concerned with institutions and businesses linked to governments or multinational corporations. While it's highly unlikely Deep Panda will ever attack your business, hackers using similar tactics might!
At TeamPassword, we're always advocating for businesses to promote cyber security awareness. Security vulnerabilities constantly evolve, so companies must regularly host cyber awareness sessions, especially if your team comprises remote workers and freelancers.
TeamPassword—Your First Line of Defence
With all your passwords in one place, team members only need one of TeamPassword's browser extensions (Chrome, Firefox, and Safari) to log into websites, social media accounts, productivity tools, and more.
Our password manager includes two-factor authentication (2FA), so even if attackers steal an employee's password, they can't gain access to your TeamPassword account.
Get the password manager with robust security features built for sharing. Let TeamPassword manage authentication so you can focus on creating amazing products and services for your customers.