{
	"id": "fc799a3b-ac4f-4dd9-901d-0075d902e1fc",
	"created_at": "2026-04-06T00:13:15.105728Z",
	"updated_at": "2026-04-10T03:38:09.690146Z",
	"deleted_at": null,
	"sha1_hash": "666ef1d8ca3ef0d5574ca60615263941534f6fe0",
	"title": "Stealing US business secrets: Experts ID two huge cyber 'gangs' in China",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54852,
	"plain_text": "Stealing US business secrets: Experts ID two huge cyber 'gangs' in China\r\nBy Mark Clayton\r\nArchived: 2026-04-05 21:12:42 UTC\r\nSneaky Panda. The Elderwood Gang. The Beijing Group.\r\nThese are three code names bestowed by US experts on a single cyberespionage organization that, from 9 to 5 Beijing time each day, is at work siphoning the crown jewels of US corporations' proprietary data out of their networks – and into computers in China.\r\nIn January 2010, Internet search giant Google disclosed that someone had hacked into its network (not to mention 20 other tech companies). That someone was the Elderwood Gang, says a new report by Symantec, a cybersecurity company.\r\nThe Symantec report hints at what other US cybersecurity experts are saying with increasing conviction: that Elderwood is one of two large Chinese economic cyberespionage organizations – employing perhaps hundreds of people – which are working to vacuum business ideas and advanced designs from American computer networks.\r\nFor example, these experts are now connecting Elderwood and a second Chinese hacking group to attacks on top cybersecurity company RSA, defense-industry giant Lockheed Martin, and perhaps several US natural gas pipeline companies.\r\nIt has long been claimed by US cybersecurity experts that cyberspying to harvest intellectual property, rather than quick cash from online bank accounts, was a practice emanating mostly from China. Plausible deniability remains because attribution is so uncertain in cyberspace. Chinese embassy officials in Washington routinely deny any responsibility for cyberespionage on US targets.\r\nYet there are signs now that the attribution problem is closer to being solved, US experts say.\r\n\"We're tracking over a dozen nation-state groups right now that are affiliated with China,\" says Dmitri Alperovitch, chief technology officer for CrowdStrike, a startup cybersecurity company focused on taking undisclosed \"offensive\" security measures. \"We have a deep understanding of them and attribution down to the individual level. They're operating in China, and we're watching them. Even though they're unlikely to be brought to justice in the US, we understand a lot today.\"\r\nAmong the 20 or so identifiable Chinese cyberespionage groups, the two that dwarf the others are the Elderwood Gang and the Comment Crew. The two have many different names, with researchers giving them different monikers. To Dell Secureworks cyber counterspy expert Joe Stewart, they are the Beijing Group and the Shanghai Group because of where their activities seem to originate. To Mr. Alperovitch of CrowdStrike, they are Sneaky Panda and Comment Panda.\r\nhttps://www.csmonitor.com/USA/2012/0914/Stealing-US-business-secrets-Experts-ID-two-huge-cyber-gangs-in-China\r\nPage 1 of 4\r\nSymantec called the first group “Elderwood” because the name appears in a source-code variable used by the attackers. In Google's case, the gang reportedly made off with at least some of the search company's source code – secret algorithms that have made it so successful. Nobody knows exactly how much was stolen from the networks of the other companies.\r\nToday, 2-1/2 years later, Google has abandoned the Chinese market, but Elderwood is alive and doing quite well, its cyberspies busy as ever, the Symantec analysis shows. Second-tier defense industry suppliers that make electronic or mechanical components for top defense companies are the gang's specialty. Those firms then become a cyber \"stepping stone to gain access to top-tier defense contractors,\" the report says.\r\nBut Elderwood's appetite for information is broad and its capacity far larger than the defense industry alone. So, in at least eight major \"campaigns\" in less than two years, the gang has slipped into the networks of US shipping, aeronautics, arms, energy, manufacturing, engineering, electronics, financial, and, of course, software companies, Symantec reports.\r\nIn most cases, Elderwood uses a convincing \"spear-phishing\" fake e-mail to fool an employee into clicking an infected e-mailed link or into opening a Trojan software-infected attachment that creates a digital backdoor for the cyberspies. In many cases, these attacks have utilized costly \"zero-day\" malware that takes advantage of a previously unknown flaw against which no defense exists. Such technology would sell for at least six figures on the cyber black market, leading many to conclude the group is exceedingly well funded.\r\nLately, however, Elderwood has taken to infecting legitimate websites frequented by employees of the target company – a so-called \"water hole\" attack, just as lions stake out a watering hole for their prey. Elderwood infects these less-secure sites with malware that downloads to the computer of a visitor who clicks on the site. After that, the gang snoops inside the network to which the infected computer is connected, finding and finally downloading executives' e-mails and critical documents on company plans, decisions, acquisitions, and product designs.\r\n\"Victims are attacked, not for petty crime or theft, but for the wholesale gathering of intelligence and intellectual property,\" Symantec reports. \"The resources required to identify and acquire useful information – let alone analyze that information – could only be provided by a large criminal organization, attackers supported by a nation state, or a nation state itself.\"\r\nThis sort of activity is hardly unknown to US cybersecurity experts, who have long dubbed it the \"advanced persistent threat\" – a euphemism taken to mean espionage threats originating from China. Mr. Stewart of Dell Secureworks has traced the activity of the Elderwood Gang (which he calls the Beijing Group) and the Comment Crew (which he calls the Shanghai Group) back to 2005-2006. He says they are responsible for perhaps 90 percent of all economic espionage against the US today.\r\n\"Both groups surface time and again in different reports you read,\" he says. \"Someone discovers some malware and gives it a snazzy name. But it's all the same activity underneath.\"\r\nTechnical links – including IP addresses, domain names, malware signatures, and other technical factors – show Elderwood was behind the attack on Google, which is known as Operation Aurora, he says.\r\nStewart also ties Elderwood to other major hacks, including one against Tibetan activists – the \"GhostNet\" global cyberespionage network documented by University of Toronto researchers in 2010 – and the major hack of RSA, the Bedford, Mass., cybersecurity subsidiary of EMC Corporation.\r\nIn 2010, Alperovitch of CrowdStrike was vice president of threat research for McAfee, the cybersecurity company that analyzed the Aurora intrusion at Google. He agrees with Stewart that the group behind Aurora is the same one that hacked RSA and later attempted to hack defense giant Lockheed Martin.\r\n[Editor's note: The original version of this story misidentified Mr. Alperovitch’s role at McAfee.]\r\nIn 2011, while still at McAfee, he went on to reveal Comment Crew (which he calls Comment Panda) operating alongside Elderwood. It's called that because the group so often uses a technique involving internal software \"comment\" features on web pages as a tool to infiltrate target computers.\r\nComment Crew, Alperovitch found, had infiltrated at least 72 organizations including defense companies, the International Olympic Committee, and the United Nations. He dubbed Comment Crew's campaign Operation ShadyRAT – \"RAT\" standing for \"remote access tool,\" the name for malware used to control computer systems remotely.\r\nStewart then discovered a flaw in the malicious software used by the Operation ShadyRAT operators, and that allowed him to track back pilfered data to the perpetrators' computer addresses in Shanghai.\r\nBoth big hacker groups were involved in the RSA hack, he has concluded.\r\nEvidence was already strong that at least one and perhaps both were involved in one of this year's major cyberespionage attacks – infiltrating the networks of US natural gas pipeline companies, an attack first reported by the Monitor in May.\r\nDigital signatures, domain names, and other indicators used by the hackers in the RSA case, which were Chinese in origin, lined up with those in the pipeline case, experts told the Monitor at the time.\r\n\"The indicators DHS provided to hunt for the gas-pipeline attackers included several that, when we checked them, turned out to be related to those used by the perpetrators of the RSA attack,\" Robert Huber, co-founder of Critical Intelligence, an Idaho Falls, Idaho, security company, told the Monitor at the time. \"It makes it highly likely that the same actor was involved in both intrusions.\"\r\nStewart, who has spent the past 20 months cataloging the digital infrastructure of the two groups, is staggered by the number of personnel that must be involved. He has discovered hundreds of families of custom-made malware, suggesting hundreds of employees and maybe even thousands – some hackers, but many more researchers that support their activities, as well as analysts to cull and process the stolen information.\r\nIt suggests a state-supported or at least state-tolerated institution of large and well-funded proportions. Supporting this conclusion, he says, is the fact that the pair of attackers routinely target entire industry groups, not just individual companies.\r\n\"Everyone that does cybersecurity for a living should know about these two groups,\" Stewart says. \"It's taken about five years for experts to understand what's really going on – and it's pretty well understood now. But people in our industry don't share this kind of information very freely so it's hard to get up to speed. Just getting antivirus vendors to agree on a name would be a huge leap.\"\r\nSource: https://www.csmonitor.com/USA/2012/0914/Stealing-US-business-secrets-Experts-ID-two-huge-cyber-gangs-in-China",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.csmonitor.com/USA/2012/0914/Stealing-US-business-secrets-Experts-ID-two-huge-cyber-gangs-in-China"
	],
	"report_names": [
		"Stealing-US-business-secrets-Experts-ID-two-huge-cyber-gangs-in-China"
	],
	"threat_actors": [
		{
			"id": "3cc6c262-df23-4075-a93f-b496e8908eb2",
			"created_at": "2022-10-25T16:07:23.682239Z",
			"updated_at": "2026-04-10T02:00:04.708878Z",
			"deleted_at": null,
			"main_name": "GhostNet",
			"aliases": [
				"GhostNet",
				"Snooping Dragon"
			],
			"source_name": "ETDA:GhostNet",
			"tools": [
				"AngryRebel",
				"Farfli",
				"Gh0st RAT",
				"Gh0stnet",
				"Ghost RAT",
				"Ghostnet",
				"Moudour",
				"Mydoor",
				"PCRat",
				"Remosh",
				"TOM-Skype"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e91dae30-a513-4fb1-aace-4457466313b3",
			"created_at": "2023-01-06T13:46:38.974913Z",
			"updated_at": "2026-04-10T02:00:03.168521Z",
			"deleted_at": null,
			"main_name": "GhostNet",
			"aliases": [
				"Snooping Dragon"
			],
			"source_name": "MISPGALAXY:GhostNet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "dabb6779-f72e-40ca-90b7-1810ef08654d",
			"created_at": "2022-10-25T15:50:23.463113Z",
			"updated_at": "2026-04-10T02:00:05.369301Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"APT1",
				"Comment Crew",
				"Comment Group",
				"Comment Panda"
			],
			"source_name": "MITRE:APT1",
			"tools": [
				"Seasalt",
				"ipconfig",
				"Cachedump",
				"PsExec",
				"GLOOXMAIL",
				"Lslsass",
				"PoisonIvy",
				"WEBC2",
				"Mimikatz",
				"gsecdump",
				"Pass-The-Hash Toolkit",
				"Tasklist",
				"xCmd",
				"pwdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a339e456-3f5a-40e9-b293-233281105e85",
			"created_at": "2022-10-25T15:50:23.260847Z",
			"updated_at": "2026-04-10T02:00:05.248583Z",
			"deleted_at": null,
			"main_name": "Elderwood",
			"aliases": [
				"Elderwood",
				"Elderwood Gang",
				"Beijing Group",
				"Sneaky Panda"
			],
			"source_name": "MITRE:Elderwood",
			"tools": [
				"PoisonIvy",
				"Naid",
				"Briba",
				"Hydraq",
				"Linfo",
				"Nerex",
				"Vasport",
				"Wiarp",
				"Pasam"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "57d2c58d-0445-441f-b94f-99d217b9e3c4",
			"created_at": "2023-01-06T13:46:38.327743Z",
			"updated_at": "2026-04-10T02:00:02.930027Z",
			"deleted_at": null,
			"main_name": "Beijing Group",
			"aliases": [
				"Elderwood",
				"Elderwood Gang",
				"SIG22",
				"G0066",
				"SNEAKY PANDA"
			],
			"source_name": "MISPGALAXY:Beijing Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86fd71d3-06dc-4b73-b038-cedea7b83bac",
			"created_at": "2022-10-25T16:07:23.330793Z",
			"updated_at": "2026-04-10T02:00:04.545236Z",
			"deleted_at": null,
			"main_name": "APT 17",
			"aliases": [
				"APT 17",
				"ATK 2",
				"Beijing Group",
				"Bronze Keystone",
				"Deputy Dog",
				"Elderwood",
				"Elderwood Gang",
				"G0025",
				"G0066",
				"Operation Aurora",
				"Operation DeputyDog",
				"Operation Ephemeral Hydra",
				"Operation RAT Cook",
				"SIG22",
				"Sneaky Panda",
				"TEMP.Avengers",
				"TG-8153",
				"Tailgater Team"
			],
			"source_name": "ETDA:APT 17",
			"tools": [
				"9002 RAT",
				"AGENT.ABQMR",
				"AGENT.AQUP.DROPPER",
				"AGENT.BMZA",
				"AGENT.GUNZ",
				"Agent.dhwf",
				"AngryRebel",
				"BlackCoffee",
				"Briba",
				"Chymine",
				"Comfoo",
				"Comfoo RAT",
				"Darkmoon",
				"DeputyDog",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Fexel",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Gresim",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Jumpall",
				"Kaba",
				"Korplug",
				"Linfo",
				"MCRAT.A",
				"McRAT",
				"MdmBot",
				"Mdmbot.E",
				"Moudour",
				"Mydoor",
				"Naid",
				"Nerex",
				"PCRat",
				"PNGRAT",
				"Pasam",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Naid",
				"Vasport",
				"Wiarp",
				"Xamtrav",
				"Zox",
				"ZoxPNG",
				"ZoxRPC",
				"gresim",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434395,
	"ts_updated_at": 1775792289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/666ef1d8ca3ef0d5574ca60615263941534f6fe0.pdf",
		"text": "https://archive.orkl.eu/666ef1d8ca3ef0d5574ca60615263941534f6fe0.txt",
		"img": "https://archive.orkl.eu/666ef1d8ca3ef0d5574ca60615263941534f6fe0.jpg"
	}
}