APT 2 (PLA UNIT 61486) Unveiling the espionage operations of Putter Panda

In the complex landscape of cyber espionage and international intelligence warfare, the unveiling of APT 2 – PLA Unit 61486, also known as Putter Panda, is a significant milestone that sheds light on China’s sophisticated efforts to infiltrate American, Japanese, and European corporations. The unit’s focus on satellite and communications technology highlights its role in China’s broader campaign to steal trade secrets and military information from foreign entities. This article delves deep into the history, operations, and consequences of APT 2 – PLA Unit 61486’s activities, revealing the methods they employed, the individuals behind the attacks, and the international reactions that followed.

History and background
APT 2 – PLA Unit 61486 is a secretive bureau operating within the Operations arm of the Third Department of China’s General Staff Department. Its designation as Unit 61486 is a Military Unit Cover Designator (MUCD), strategically designed to obscure its true identity. Although the earliest indications of the unit’s existence date back to 2007, its true nature remained concealed until its exposure in 2014. This exposure was facilitated by the digital security firm CrowdStrike, which released a comprehensive report detailing Unit 61486’s activities.

The timing of the report was significant, as it came in the wake of the exposure of another PLA unit, Unit 61398, and the subsequent indictment of five members of that unit by the United States. This context adds depth to the global intrigue surrounding China’s cyber espionage activities, making it a focal point in the ongoing tensions between China and the Western world.

Operations and techniques
Unit 61486’s operations relied primarily on spear-phishing, a technique that involves sending targeted emails with malicious attachments to specific individuals. These attachments exploited vulnerabilities in popular software such as Adobe Reader and Microsoft Office, allowing the attackers to gain access to the victims’ computers. The unit’s choice of targets was noteworthy: individuals associated with the aerospace, satellite, and communications industries, with a particular focus on golf players. This earned the unit the nickname “Putter Panda,” reflecting its Chinese origin (“panda”) and its affinity for targeting golf players (“putter”).

A notable example of their operations involved an email brochure masquerading as a yoga studio advertisement, which led to the theft of personal information from the recipient. Unit 61486 used malicious Adobe Reader and Microsoft Office documents as vehicles for delivering malware, enabling it to access and exfiltrate sensitive data from compromised systems.

Exposure of operations
The unveiling of Unit 61486 was a pivotal moment in the ongoing cyber espionage narrative. CrowdStrike’s report, released in June 2014, meticulously linked the activities of the unit to an individual known as Chen Ping, whose online alias was “cpyy.” This individual was tied to the registration of domains used in the cyber attacks. The report provided detailed evidence of Chen Ping’s involvement in PLA Unit 61486, including photographs from his personal blogs that indicated his connection to the Chinese military.

CrowdStrike’s investigation also revealed the likely location of Unit 61486’s headquarters, in the Zhabei District of Shanghai. Imagery analysis and correlation of domain registrations pointed to a building within this district as the unit’s probable headquarters. This connection between Chen Ping and the Shanghai location further solidified the attribution.

International responses and implications
The revelation of Unit 61486’s activities triggered a series of international responses and diplomatic tensions. The Chinese Foreign Ministry vehemently denied the allegations, labeling them unfounded and accusing the United States of hypocrisy in light of its own cyber espionage operations. China’s stance was emboldened by Edward Snowden’s revelations about America’s surveillance programs, which China used to counter the accusations leveled against it.

The disclosure also underscored China’s proactive efforts to acquire technological advancements through cyber espionage. Unit 61486’s targeting of aerospace, satellite, and communications industries highlights China’s strategic focus on stealing valuable intellectual property to enhance its own military and economic capabilities.

APT 2 – PLA Unit 61486, or Putter Panda, serves as a poignant example of the modern complexities of cyber warfare and espionage. Its exposure and subsequent international reactions have illuminated the evolving landscape of intelligence warfare, showcasing China’s persistent efforts to gain a technological advantage through the theft of trade secrets and military information. As the world continues to grapple with cyber threats, the case of Unit 61486 stands as a reminder of the need for constant vigilance and collaboration in countering state-sponsored cyber attacks.
