(Repeats from Sunday; no changes to text)
By Jeremy Wagstaff
SINGAPORE, June 21 - Security researchers have
many names for the hacking group that is one of the suspects for
the cyberattack on the U.S. government's Office of Personnel
Management: PinkPanther, KungFu Kittens, Group 72 and, most
famously, Deep Panda.
But to Jared Myers and colleagues at cybersecurity company
RSA, it is called Shell Crew, and Myers' team is one of the few
that have watched it mid-assault - and eventually repulsed it.
Myers' account of a months-long battle with the group
illustrates the challenges governments and companies face in
defending against hackers that researchers believe are linked to
the Chinese government - a charge Beijing denies.
"The Shell Crew is an extremely efficient and talented
group," Myers said in an interview.
Shell Crew, or Deep Panda, is one of several hacking groups
that Western cybersecurity companies have accused of
hacking into U.S. and other countries' networks and stealing
government, defence and industrial documents.
The attack on the OPM computers, revealed this month,
compromised the data of 4 million current and former federal
employees, raising U.S. suspicions that Chinese hackers were
building huge databases that could be used to recruit spies.
China has denied any connection with such attacks and little
is known about the identities of those involved in them.
But cybersecurity experts are starting to learn more about
their methods.
Researchers have connected the OPM breach to an earlier
attack on U.S. healthcare insurer Anthem Inc, which
has been blamed on Deep Panda.
RSA's Myers says his team has no evidence that Shell Crew
were behind the OPM attack, but believes Shell Crew and
Deep Panda are the same group.
And they are no newcomers to cyber-espionage.
CrowdStrike, the cybersecurity company which gave Deep Panda
its name due to its perceived Chinese links, traces its
activities to 2011, when it launched attacks on defence, energy
and chemical industries in the United States and Japan.
But few have caught them in the act.
SHELL CREW IN ACTION
In February 2014 a U.S. firm that designs and makes
technology products called in RSA, a division of
technology company EMC, to fix an unrelated problem. RSA
realised there was a much bigger one at hand: hackers were
inside the company's network, stealing sensitive data.
"In fact," Myers recalls telling the company, "you have a
problem right now."
Myers' team could see hackers had been there for more than
six months. But the attack went back further than that.
For months Shell Crew had probed the company's defences,
using exploit code that takes advantage of known weaknesses in
computer systems to try to unlock a door on its servers.
Once Shell Crew found a way in, however, they moved quickly,
aware this was the point when they were most likely to
be spotted.
SPEARPHISHING
On July 10, 2013, they set up a fake user account at an
engineering portal. A malware package was uploaded to a site,
and then, 40 minutes later, the fake account sent emails to
company employees, designed to fool one into clicking on a link
which in turn would download the malware and open the door.
"It was very well timed, very well laid out," recalls Myers.
Once an employee fell for the email, the Shell Crew were in,
and within hours were wandering the company's network. Two days
later the company, aware employees had fallen for the emails -
a technique known as spearphishing - reset their passwords. But it was
too late: the Shell Crew had already shipped in software to
create backdoors and other ways in and out of the system.
For the next 50 days the group moved freely, mapping the
network and sending their findings back to base. This, Myers
said, was because the hackers would be working in tandem with
someone else, someone who knew what to steal.
"They take out these huge lists of what is there and hand it
over to another unit, someone who knows about this, what
is important," he said.
Then in early September 2013, they returned, with specific
targets. For weeks they mined the company's computers,
copying gigabytes of data. They were still at it when the RSA
team discovered them nearly five months later.
Myers' team painstakingly retraced Shell Crew's movements,
trying to catalogue where they had been in the networks and what
they had stolen. They couldn't move against them until they were
sure they could kick them out for good.
It took two months before they closed the door, locking the
Shell Crew out.
But within days they were trying to get back in, launching
hundreds of assaults through backdoors, malware and webshells.
Myers says they are still trying to gain access today,
though all attempts have been unsuccessful.
"If they're still trying to get back in, that lets you know
you're successful in keeping them out," he said.
(Additional reporting by Joseph Menn; Editing by Rachel
Armstrong and Mark Bendeich)