{
	"id": "489f9fe1-c551-4634-b276-74a397d6016d",
	"created_at": "2026-04-06T15:54:19.231745Z",
	"updated_at": "2026-04-10T13:12:55.68785Z",
	"deleted_at": null,
	"sha1_hash": "7eff071b3c51132bc4677aa5af85f0a64fa39652",
	"title": "CrowdStrike Falcon Traces Attacks Back To Hackers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 98685,
	"plain_text": "CrowdStrike Falcon Traces Attacks Back To Hackers\r\nBy Mathew J. Schwartz\r\nPublished: 2013-06-17 · Archived: 2026-04-06 15:29:34 UTC\r\n5 Min Read\r\nThe Syrian Electronic Army: 9 Things We Know\r\nWho's launching online attacks against your network? How can you better detect those attacks and -- if an attack\r\nturns out to be successful -- identify what was stolen?\r\nEnabling businesses to answer those questions is the premise of a cloud-based service announced Tuesday by\r\nsecurity startup CrowdStrike. Dubbed Falcon, the big-data \"active defense platform\" is designed to identify\r\nintrusions in real time, attribute attacks – correlate with a known group of attackers – and help businesses block\r\nattacks or even engage in counterintelligence or deception by feeding attackers fake information.\r\n\"This is the real-time damage assessment that no one is doing today,\" said Dmitri Alperovitch, the co-founder and\r\nCTO of CrowdStrike, speaking by phone. \"It shows you who the adversary is, what did they do [on your network],\r\nwhat did they take, which commands did they execute?\" The service works in part by running a small (400 KB)\r\n\"sensor\" on Windows 7 and Mac OS X systems, bolstered by DNS, email and API sensors on servers, to track the\r\ntypes of attacks that are being launched. CrowdStrike then correlates attack information with intelligence that the\r\ncompany gathers on attack groups.\r\nAs highlighted by successful spear-phishing attacks against everyone from security giant RSA to the White House,\r\nstopping every last information security attack might be impossible. 
So-called advanced persistent threat (APT)\r\ngroups often use fake emails and attachments to infect targeted PCs and steal data, oftentimes without end users or\r\nsecurity teams being aware. Once attackers infect a single PC, unless they're detected, they can lurk in corporate\r\nnetworks indefinitely: telecommunications giant Nortel was compromised for 10 years, defense contractor\r\nQinetiQ for three years.\r\nhttp://www.darkreading.com/attacks-and-breaches/crowdstrike-falcon-traces-attacks-back-to-hackers/d/d-id/1110402\r\nPage 1 of 3\n\nSuch attacks are cheap to build and inexpensive to launch. Even if only one attack out of every 100 or 1,000\r\nattempts succeeds, that might equal success for attackers. Given that reality, CrowdStrike's play is to help\r\nbusinesses identify not just when they've been attacked, but also who stole the information, what they stole and\r\nwhy they targeted the business in the first place -- what's their bigger goal?\r\n\"The problem you've had for the past six to seven years is the emergence of targeted attackers, and for them, it\r\ndoesn't matter how many layers of defense you put in place; what they want is you,\" said Alperovitch. \"They want\r\nmoney, national secrets, intellectual property, and they're going to worm their way in, because the return on that\r\ninvestment is gigantic.\"\r\nCould defenders gain an edge by better understanding their attackers? \"From an adversary perspective, we really\r\nfocus on the targeted attackers,\" said Alperovitch. 
\"We're tracking lots of nation-state-sponsored groups that are\r\nworking to penetrate companies,\" he said, and \"understanding their campaigns, and tradecraft, as well as who\r\nthey're targeting.\"\r\nCrowdStrike has grouped attackers into \"adversary groups\" -- to date, about 48 in total -- named for country\r\ncharacteristics: \"pandas\" for groups operating from China; \"cats\" as in Persian cats for Iran; \"bears\" for Russia;\r\n\"saints\" for Georgia; and \"tigers\" for India. \"Some in the community refer to the adversary by the malware\r\ndetection name from a specific antivirus vendor, e.g. Hydraq,\" said Adam Meyers, director of intelligence at\r\nCrowdStrike, in a blog post, referring to the name of the malware used in the so-called Aurora attacks against\r\nGoogle. \"This is sometimes useful, but when the adversary is using a malware that is detected as\r\nGeneric.Downloader.234, you have a much harder time communicating,\" Meyers said.\r\nCrowdStrike recommends that businesses use its intelligence on online adversaries to identify and focus on the\r\nattackers they're most likely to face. \"For example, if you're in the financial service industry, you'll care about Big\r\nPanda, which is going after financial services firms, but not Karma Panda that's going after dissident groups,\" said\r\nAlperovitch. \"If you're trying to go after everyone and defend against everything, you're really defending against\r\nnothing.\"\r\nFor instance, one group that CrowdStrike has been tracking -- dubbed Anchor Panda -- has launched 124 attacks\r\nover the past six months, many of which appear to be aimed in part at building out deep-sea capabilities. 
Adam\r\nMeyers, head of intelligence for CrowdStrike, recently told The New Yorker that the information being targeted by\r\nthe group bears more than a passing resemblance to China's five-year plan for modernizing its infrastructure.\r\nOnce businesses have identified the group behind an attack, or used new intelligence to identify previously\r\nunidentified attacks that were successful as well as what was stolen, what happens next? According to\r\nAlperovitch, \"if you want to work with the government, we can help with that as well, on our services side,\"\r\nwhich is headed by Shawn Henry, whose prior job was serving as the executive assistant director of the FBI's\r\ncriminal, cyber, response and services branch. \"Or you take the attribution and take legal action against that\r\nindividual or the company,\" he said. \"A lot of companies are multinationals, so you can actually sue them in the\r\nUnited States -- or in a jurisdiction of your choosing overseas, and get criminal damages or injunctive relief for\r\nstolen information.\"\r\nAlperovitch said that when it comes to responding to hack attacks, there can be strength in numbers: \"If you're one\r\ncompany going up against China, you're going to be afraid of retaliation, of your business being shut out of China.\r\nBut if you're in a band of 20 or 30 Fortune 100 companies, China can't really retaliate; it needs them all.\"\r\n\"Ultimately we'll only solve this problem together, not individually trying to build castles to protect ourselves,\"\r\nsaid Alperovitch. 
\"That model hasn't worked in the physical world in over 400 years, and certainly not in cyber\r\nspace.\"\r\nAbout the Author\r\nContributor\r\nMathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.\r\nSource: http://www.darkreading.com/attacks-and-breaches/crowdstrike-falcon-traces-attacks-back-to-hackers/d/d-id/1110402",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://www.darkreading.com/attacks-and-breaches/crowdstrike-falcon-traces-attacks-back-to-hackers/d/d-id/1110402"
	],
	"report_names": [
		"1110402"
	],
	"threat_actors": [
		{
			"id": "454bf9fe-48e1-4589-99c4-6af37a2fb0d7",
			"created_at": "2022-10-25T16:07:23.192586Z",
			"updated_at": "2026-04-10T02:00:04.481671Z",
			"deleted_at": null,
			"main_name": "Big Panda",
			"aliases": [],
			"source_name": "ETDA:Big Panda",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "58db0213-4872-41fe-8a76-a7014d816c73",
			"created_at": "2023-01-06T13:46:38.61757Z",
			"updated_at": "2026-04-10T02:00:03.040816Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"G0131",
				"PLA Unit 65017",
				"Earth Akhlut",
				"TAG-74",
				"CactusPete",
				"KARMA PANDA",
				"BRONZE HUNTLEY",
				"Red Beifang"
			],
			"source_name": "MISPGALAXY:Tonto Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "76fc6d92-0710-4640-bfa7-3000fe3940a5",
			"created_at": "2022-10-25T16:07:24.251595Z",
			"updated_at": "2026-04-10T02:00:04.911951Z",
			"deleted_at": null,
			"main_name": "Syrian Electronic Army (SEA)",
			"aliases": [
				"ATK 196",
				"Deadeye Jackal",
				"Syria Malware Team",
				"Syrian Electronic Army",
				"TAG-CT2"
			],
			"source_name": "ETDA:Syrian Electronic Army (SEA)",
			"tools": [
				"AndoServer",
				"CypherRat",
				"SLRat",
				"SandroRAT",
				"SilverHawk",
				"SpyNote",
				"SpyNote RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "15d67627-112e-46f9-a752-083871f1dffe",
			"created_at": "2023-01-06T13:46:38.636355Z",
			"updated_at": "2026-04-10T02:00:03.046568Z",
			"deleted_at": null,
			"main_name": "BIG PANDA",
			"aliases": [],
			"source_name": "MISPGALAXY:BIG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "da483338-e479-4d74-a6dd-1fb09343fd07",
			"created_at": "2022-10-25T15:50:23.698197Z",
			"updated_at": "2026-04-10T02:00:05.355597Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Tonto Team",
				"Earth Akhlut",
				"BRONZE HUNTLEY",
				"CactusPete",
				"Karma Panda"
			],
			"source_name": "MITRE:Tonto Team",
			"tools": [
				"Mimikatz",
				"Bisonal",
				"ShadowPad",
				"LaZagne",
				"NBTscan",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c6604303-a1c8-4e59-ba12-5da5c0bc6877",
			"created_at": "2023-01-06T13:46:38.312359Z",
			"updated_at": "2026-04-10T02:00:02.923025Z",
			"deleted_at": null,
			"main_name": "APT14",
			"aliases": [
				"ANCHOR PANDA",
				"QAZTeam"
			],
			"source_name": "MISPGALAXY:APT14",
			"tools": [
				"Backdoor.Win32.PoisonIvy",
				"Gen:Trojan.Heur.PT",
				"Torn RAT",
				"Anchor Panda",
				"Gh0st Rat",
				"Gh0stRat, GhostRat",
				"Poison Ivy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "17d16126-35d7-4c59-88a5-0b48e755e80f",
			"created_at": "2025-08-07T02:03:24.622109Z",
			"updated_at": "2026-04-10T02:00:03.726126Z",
			"deleted_at": null,
			"main_name": "BRONZE HUNTLEY",
			"aliases": [
				"CactusPete ",
				"Earth Akhlut ",
				"Karma Panda ",
				"Red Beifang",
				"Tonto Team"
			],
			"source_name": "Secureworks:BRONZE HUNTLEY",
			"tools": [
				"Bisonal",
				"RatN",
				"Royal Road",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "25a38dea-d23b-479b-9548-024e955b8964",
			"created_at": "2022-10-25T16:07:23.305911Z",
			"updated_at": "2026-04-10T02:00:04.533448Z",
			"deleted_at": null,
			"main_name": "Anchor Panda",
			"aliases": [
				"APT 14",
				"Anchor Panda",
				"QAZTeam"
			],
			"source_name": "ETDA:Anchor Panda",
			"tools": [
				"AngryRebel",
				"Chymine",
				"Darkmoon",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Moudour",
				"Mydoor",
				"PCRat",
				"Poison Ivy",
				"SPIVY",
				"Torn RAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c39b0fe6-5642-4717-9a05-9e94265e3e3a",
			"created_at": "2022-10-25T16:07:24.332084Z",
			"updated_at": "2026-04-10T02:00:04.940672Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Bronze Huntley",
				"CactusPete",
				"Earth Akhlut",
				"G0131",
				"HartBeat",
				"Karma Panda",
				"LoneRanger",
				"Operation Bitter Biscuit",
				"TAG-74",
				"Tonto Team"
			],
			"source_name": "ETDA:Tonto Team",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Bioazih",
				"Bisonal",
				"CONIME",
				"Dexbia",
				"Korlia",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dcba8e2b-93e0-4d6e-a15f-5c44faebc3b1",
			"created_at": "2022-10-25T16:07:23.816991Z",
			"updated_at": "2026-04-10T02:00:04.758143Z",
			"deleted_at": null,
			"main_name": "Lurk",
			"aliases": [],
			"source_name": "ETDA:Lurk",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775490859,
	"ts_updated_at": 1775826775,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7eff071b3c51132bc4677aa5af85f0a64fa39652.pdf",
		"text": "https://archive.orkl.eu/7eff071b3c51132bc4677aa5af85f0a64fa39652.txt",
		"img": "https://archive.orkl.eu/7eff071b3c51132bc4677aa5af85f0a64fa39652.jpg"
	}
}