Chinese APT ‘SharpPanda’ Developed Custom Backdoor to Spy on Asian Governments
Last updated September 28, 2021
Qihoo 360 is accusing the CIA (Central Intelligence Agency) of hacking Chinese government bodies and various companies for a period of 11 years. The cyber-security company claims that they have evidence of CIA agents accessing data of scientific research institutions, internet service companies, aviation organizations, petroleum firms, and various other entities that are based in Beijing, Zhejiang, and Guangdong. The Qihoo 360 researchers have allegedly found evidence that links the CIA with the extensive hacking campaign, in the form of tools, tactics, and procedures that are attributed with confidence to “APT-C-39”.
For example, they refer to “Vault 7” evidence, the trove WikiLeaks published back in March 2017 detailing the CIA’s electronic surveillance and cyber warfare activities. The person responsible for this leak is already facing trial in the United States for disclosing classified hacking tools, but the damage to the American intelligence body is already done, as their secrets have been leaked. This empowers researchers like those of Qihoo 360 to identify CIA operations and link malicious activities back to them. According to them, the 11-year campaign involves the use of Fluxwire and Grasshopper, both part of the Vault 7 revelations.
As the researchers mention in their report, which is peculiarly offline/inaccessible at the time of writing this: “By comparing relevant sample codes, behavioral fingerprints, and other information, the Qihoo 360 can be pretty sure that the cyber weapon used by the group is the cyber weapon described in the Vault 7 leaks. Qihoo 360 analysis found that the technical details of most of the samples are consistent with the ones in the Vault 7 document, such as control commands, compile PDB paths, encryption schemes. Through the study of the compilation time of malware, we can find out the developer's work schedule, so as to know the approximate time zone of his location.”
The US and China are in a trade and intelligence war right now, accusing each other of hacks and cyber-espionage operations. That said, seeing this report come from a Chinese cybersecurity company like Qihoo 360 means that we should take it with a grain of salt. This is especially the case when the company has a controversial past, like the one that we have analyzed in detail before. We can’t accuse Qihoo of reporting untruthful or made-up findings, but we wouldn’t be surprised if they were proven to play a supportive role for the Chinese government right now.