"We're tracking over a dozen nation-state groups right now that are affiliated with China," says Dmitri Alperovitch, chief technology officer for CrowdStrike, a startup cybersecurity company focused on taking undisclosed "offensive" security measures. "We have a deep understanding of them and attribution down to the individual level. They're operating in China, and we're watching them. Even though they're unlikely to be brought to justice in the US, we understand a lot today."
Among the 20 or so identifiable Chinese cyberespionage groups, the two that dwarf the others are the Elderwood Gang and the Comment Crew. Researchers have given the two groups many different monikers. To Dell Secureworks cyber counterspy expert Joe Stewart, they are the Beijing Group and the Shanghai Group because of where their activities seem to originate. To Mr. Alperovitch of CrowdStrike, they are Sneaky Panda and Comment Panda.
Symantec called the first group “Elderwood” because the name appears in a source-code variable used by the attackers. In Google's case, the gang reportedly made off with at least some of the search company's source code – secret algorithms that have made it so successful. Nobody knows exactly how much was stolen from the networks of the other companies.
Today, 2-1/2 years later, Google has abandoned the Chinese market, but Elderwood is alive and doing quite well, its cyberspies busy as ever, the Symantec analysis shows. Second-tier defense industry suppliers that make electronic or mechanical components for top defense companies are the gang's specialty. Those firms then become a cyber "stepping stone to gain access to top-tier defense contractors," the report says.
But Elderwood's appetite for information is broad and its capacity far larger than the defense industry alone. So, in at least eight major "campaigns" in less than two years, the gang has slipped into the networks of US shipping, aeronautics, arms, energy, manufacturing, engineering, electronics, financial, and, of course, software companies, Symantec reports.