Abstract

The categorical label of organized crime is routinely attached by journalists and news agencies to headline cyberattacks. Whether these are valid and not sensationalized for syndication is often difficult to ascertain upon initial analysis. Emissary Panda, one of these purported organized cybercrime threats from China, was chosen for examination under definitional scrutiny. When its acts were deconstructed and compared to theoretical constructs, there remained little legitimacy for the label. Given the lack of evidence upon its human structure, interpersonal relations, and target profits, such a classification is fallacious. When compared within the greater context of cybercrime and the Chinese state, a considerable amount of anecdotal evidence arose to suggest that the actions of Emissary Panda more accord with terrorism and espionage with its political targets. Nonetheless, these terms and that of organized crime cannot be accurately affixed to Emissary Panda based on available evidence.

Introduction

The notoriety of Chinese cybercrime has scaled to a global context, entering the mainstream and becoming apart of the vernacular (Bertrand, 2014). Despite mass syndication, there is remarkably little evidence illuminating its origins. Even in spite of its impact on the security of information systems, the human actors behind these incursions remain invisible. Like most digital manifestations of deviance, theses acts are conducted by anonymous agents (McGuire & Dowling, 2013). Emissary Panda is one of the sources of this suspect activity and has received considerable recognition by media outlets in recent years (Schlesinger, 2014). With Emissary Panda, like many other large-scale cyber operations, the categorical labels of organized crime, organized cybergroup, and variations thereof, have been used to describe what can only be seen factually as only a coded entity (Lemos, 2014; Schlesinger, 2014; Wilson, 2014).
A macro-analysis of the literature on Emissary Panda yields only marginal material to support the terminological claim. There is no definitive evidence describing its internalities. Even the group name, Emissary Panda, is not self-proclaimed. Rather, it is an eponym assigned by CrowdStrike, an American digital security corporation, after its motif political targeting, government agencies, and purported geographic origination, China (Wilson, 2014).

In this paper a critical case analysis of Emissary Panda will be made to determine if it is related in any characteristic manner to organized crime and whether categorical labels are valid across the definitional spectrum. The argument structure will be a follows. First, clear definitional parameters for organized crime will be given to create a theoretical framework. Then a summary of the documented actions attributed to Emissary Panda will ensue. A subsequent point-by-point deconstruction of these actions will be compared to the ascribed theoretical framework. Afterwards, Emissary Panda will be re-injected to the larger context of cybercrime, particularly that endemic to China, to see if major disparities or variances exist. A synthesis will then be made where a final analytical assessment will be rendered.

Definition of Organized Crime

It is questionable whether such associations of Emissary Panda to organized crime are appropriate. Unfortunately, organized crime fails to have rigid definitional parameters, making the determination less apparent. There is no consensus as to what it entails and thus the matter is open for argumentation.
In academia, what have been deemed accurate and encompassing definitions are merely those reused with marginal frequency and not subject to excessive criticism. Recurrent patterns emerge, but there are no formulae (Hagen, 2006; Finckenauer, 2005). Countless pieces of scholarship have been published that discuss the absence of a real construct to the current use of the term with semantic consistency (Von Lampe, 2006). Meta-analyses prove to be the most insightful as they bring synthesis to the general dispersion of meaning and description frequencies of common attributes are of particular utility. Even still these do not proffer any answers as to what organized crime exactly is, rather they are more useful in determining what it definitively isn’t. For the deconstruction of Emissary Panda, this is sufficient. The use of explicit legalistic definitions are unnecessary as they are incorporated conceptually within these attributes.

Taking the highest frequency factors from the organized crime definition meta-analysis by Hagan, which are found in contemporary topical studies, the below characteristics are deemed necessary components (2006).

  • OCma.1) Continuance of hierarchy
  • OCma.2) Profit from illegal enterprises
  • OCma.3) Use or threat of violence
  • OCma.4) Utilization of corruption

The points on this list are neither ranked in order of importance nor are they exhaustive. These have relevance as they are utilized in many academic constructs, being mentioned in similar well-circulated definitional critiques by practitioners (Von Lampe, 2006; Finckenauer, 2005). Thus, continual emphasis will be put on these key attributes for they are common academic requisites.
During the deconstruction of Emissary Panda, all statements and deductions were made based on the relevant data publicly available. No special permissions were granted in sourcing any of the data and the preponderance of which was available through online databases and the greater world wide web. In selecting the materials presented, precedence was given to legitimate research sourcing, with anecdotal evidence used sparingly. Some was included to offer additional perspective upon an otherwise under researched topic area. This is the functional approach upon which the following analysis was made

Emissary Panda Description

Emissary Panda is eponymous to the nature and origin of its attributable acts (Wilson, 2014). The activity foci of this Chinese entity has been largely upon the sensitive document libraries, including those uniquely contained within foreign embassies (CrowdStrike, 2013). The valued material can be categorized largely as classified defense ordinances and technological patent secrets. It has pragmatically chosen embassies as its target of preference as they represented isolated international data portals that link successful infiltrators to the native databases (Wilson, 2014).

Although their targeting calculus can be presumed to be based on discovery of exploitable security vulnerabilities, the common modus operandi has included strategic web compromise (SWC) schemes, also referred to commonly as watering hole attacks. It is a tactic whereby legitimate websites have been altered inconspicuously to allow for otherwise normal traffic while malicious code is implanted on visiting computers when after completion of criterion actions (Dulaney, 2011). These SWCs techniques have become more frequent as simple phishing can be easily stymied through common counter operating mechanisms (Brayley & Bernard, 2014). As SWCs are much harder to thwart, requiring robust, reflective web architectures, it arguably a more sophisticated tactic (CrowdStrike, 2013).

Emissary Panda’s most notable attack was its SWC attack on the U.S. Department of Labor. In this case, malware was created that exploited a user-after-free vulnerability in certain versions of Microsoft Internet Explorer (Waugh, 2013). With this, specific executions of JavaScript and PHP script would be initiated in stealth and, if completed, would download a modified version of Trojan program called Poison Ivy. The changes posited to make it less detectable to most mainstream computer security suites and scanners, again allowing it greater spatiotemporal penetration in the raw data sphere. As stated by VirusTotal, only 13 out of the 46 antivirus scanners discovered the intrusion and put it subject to quarantine (Rashid, 2013). What is interesting about this case is despite its crippling effects, many investigators had difficulty associating the activity to any particular group. Besides Emissary Panda, Deep Panda was the other major culprit suspected, although intelligence and network linkages put this assumption to some ambiguity (CrowdStrike, 2013).

The other notable SWC-styled attacks occurred some months after the Department of Labor strike. First, the Spanish-based defense corporation Amper was attacked, then, two weeks later, the Russian embassy in the United States (CrowdStrike, 2013). The Amper corporate website had a malignant Microsoft Word document attached as content onto its website, but fictitious JavaScript code was inserted onto numerous pages of the Russian Embassy website, an operational parallel to the Department of Labor case. Execution of each malicious mechanism called for the download of malware (Rashid, 2013). The impacts of all these attacks were not fully disclosed.

In total, CrowdStrike attributes five other website hacks to Emissary Panda in 2013. This is the summary of their targeting and the common exploit utilized in each.
Among them were five high-tech and defense technology companies in different countries, two sites of foreign embassies in the United States, and one site of an independent political peace organization. All these sites have in common that they use jQuery, a JavaScript library for HTML document processing (CrowdStrike, 2013).

The fact that all these SWC incursions were facilitated by jQuery loopholes does build evidence for a modus operandi, but again, there remains no who in this attack. Without unique code structures, IP traces, or any revealing communications, there are no human identifiers to the actions of Emissary Panda despite its consistent history of action (Schlesinger, 2014).

The brief summaries of these actions make it seem that they could have been orchestrated by an organized crime syndicate given the planning required to attack these secure targets. The damages to the web architecture and databases also make it seem the information stolen through the malware was for its strategic value. Still the adage correlation does not equal causation applies.

Emissary Panda Definitional Analysis

  • OCm.1) Continuance of hierarchy

There is no mention of hierarchy in any of the literature readily available. Based on the scope and protracted timeframe of the three highlighted cases, two occurring within days of each other, it is doubtful that a sole perpetrator could be suspect (Rashid, 2013). It is likely that these actions were at least orchestrated by the efforts of a small group of individuals working in collusion. The clear induction then is that Emissary Panda is comprised of multiple individuals that work together collaboratively in an organized manner, but this again is an assumption and there is no direct evidence to support this. Certain definitions of organized crime do not include hierarchy per se but require a discernable human network, with at least an informal connectedness between members (White House, 2011). This still is not applicable.

  • OCm.2) Profit from illegal enterprises

The targeting of embassies and government agencies are not typically thought of sources of monetary income. They are connected to larger nation states and are responsible for international diplomacy efforts and management of citizens aboard (Rana & Chatterjee, 2011). Critical data is stored within these systems act as tangible portals into much larger data pools. Most of the information is specific to the requirements and needs of the governments in these nations (Wilson, 2014). From a national security standpoint, defense data including tactics and weapons designs would seem of high international black market value, but the known acts of Emissary Panda cannot be clearly determined as that of high liquidity and for easy sale (Eftimiades, 1994). This presents the funding dilemma.

  • OCm.3) Use or threat of violence

Violence does not apply directly in cybercrime, or not at all if a strict definitions are applied. Nonetheless, in the information age, data is tangible. Defense information leaked and infected software could very well potentially lead to life endangering situations as society becomes more reliant on information systems (Chander et al, 2008). Still, it has not been demonstrated that any of these incursions have led to violence generating situations.

  • OCm.4) Utilization of corruption

The databases of numerous bodies have been corrupted, or made insecure, but this term refers to the use of government agencies to hide and promote organized crime activity. Emissary Panda clearly has attacked government agencies, but there does not appear to be any mention of extortion or protection by a government body, a common requirement (Hagen, 2006).

  • Summary

Based on the information provided in the Description subsection, it becomes evident that knowledge upon Emissary Panda only extends to its actions. The evidence is only upon effect, the causes remain unknown, the driving purposes and ideologies are but conjectures. There is no preponderance of evidence to make a valid argument that Emissary Panda constitutes an organized crime group as these attributes are no inferential cash flows or remarks on the behaviors of personnel. Proof of existence even as a singular entity is based solely upon anecdotes that are derived from undisclosed forensic reviews upon SWC incidents (CrowdStrike. 2013). The linkages between occurrences is attributed only on similar modi operandi. Even the evidence to substantiate group behavior is circumstantial and weak, a major definitional contingency. To understand the issue more fully, it is necessary to make a contextual analysis and put it in a greater comparative framework.

Illicit Computing and China Global Context

No organized crime group exists independent of its environment. For cybercrime, the interconnectedness of computing systems around the globe reveals an information rich domain that can be utilized for ulterior means. By the nature of internet protocol and networking schemes, there are no physical jurisdictional boundaries for users, only monitoring agencies are readily constrained by these geographic borders (Goodman, 1996). China is known to be a major genesis of domestic and international cybercrime (Broadhurst, 2015; Gu, 2014). A 2011 industry estimate of overall damage caused by the Chinese underground economy was 832 million USD. With 514 million active internet users in China, it is the largest and densest plexus of digital data exchange per capita (Jianwei et al., 2012). When these figures are compared against the global damage estimation of 12.5 billion USD, it suggests there are major measurement discrepancies exist and that the true numbers are unknown (Brayley & Bernard, 2014).

The major problem with associated cybercrime figures, though is only a traditional definition of cybercrime it used, that inclusive of the dependent and enabled actions division. Dependent cybercrime is activity that can only be conducted with a computer, enabled constituting computerized facilitations of physical offenses (McGuire & Dowling, 2013). The conceptual division is not always abundantly clear, as the same digital toolsets are used, but the separating factor is the level of abstraction between the crime and the human offender (Brayley & Bernard, 2014). Both are monetary and power driven. Even still, this separation does not constitute the real definitional dilemma of cybercrime. The issue is not in action, but in targeting, for the latter does not fully assume issues of political and national security dimensions (Brayley & Bernard, 2014).

When considered, there pertains to be a qualitatively different class of crime outside this construct. With apparent political agendas, actions of the latter category may warrant the inclusion with terrorism and espionage (Broadhurst et al., 2014). Targets being state bureaucracies and vital industry, the goal arguably is not financial gain, but geopolitical security compromise and destabilization (Schlesinger, 2014).
It must be noted that China has recently overtook the United States as the world’s largest singular economy and its growth displays no sign of waning with the purported average economic growth rate near double digit figures (Duncan & Martosko, 2014). In the decades now subsequent to its policy shift to a market-oriented economy, it has finally entered the realm of high tech, transcending the simple manufacture of cheap consumables. It has been rapidly modernizing its infrastructure to compete with the likes of Western countries (Caose & Wang, 2012). A key part of this strategy has been acquisition of foreign patents and trade secrets (Eftimiades, 1994). This is partially to allow its industries to compete on technological parallels to world-leading counterparts, but also in an effort to bolster national defense (Bertrand, 2014).

Cyber Espionage

There is no officially announced policy by Beijing to orchestrate mass data incursions, but there is significance evidence to attest to it being a state directive (Rogers & Ruppersberger, 2012). Chinese intelligence has been known to be stylistically proletarian and motivated in unbounded data collection, different from other forms of espionage (Inkster, 2013). The main case that brings up this element is upon Unit 61398, which was previously regarded as an organised crime group called Putter Panda (Betrand, 2014). An investigation spearheaded by the U.S. Department of Justice confirmed it to be apart of the cyberwarefare division of the People’s Liberation Army. As of May 2014, five of the members have been charged in absentia for industrial espionage. Many of their intrusions were into classified databases of the U.S. and European defense industries (Broadhurst et al., 2014).

Its actions are not dissimilar to Emissary Panda and numerous other dubbed Chinese organised cybercrime groups which begs the question of association to Beijing. None have undergone the same level of formal investigative scruity. Axiom, Deep Panda, Elderwood Group, GhostNet, Violin Panda, and Wet Panda are just some of the other seeming imitators of Unit 61398 (Lemos, 2014). Arguably none have made overt political agendas, remaining stealth in their actions, but it is de facto by traces of their actions.

Conclusion

Emissary Panda committed acts of a premeditation and scope that required organization and technical proficiency. When combined with the timescale of these acts, logic would dictate that there must be collective efforts, but there is no data upon an internal network or hierarchy (Schlesinger, 2014). All the stolen, manipulated, and compromised data would not typically be of value to a traditional organized crime group or any financially driven criminal entity (Rana & Chatterjee, 2011). There were no threats or use of violence per se, but the actions all were damaging to the hosts.

Emissary Panda has no discernable ties to the government of The People’s Republic of China. There are no traceable communications between the two entities, no apparent linkage to be ascertained. Only from journalistic anecdote, modus operandi comparisons with other criminal groups, and target analysis can the association be made. There certainly exists a cyber espionage context that Emissary Panda accords well with, its very name insinuates connection, but without definitive evidence, no judgment can be made. There is only moderate information to support the threat or use of violence component of the organized crime definition, rendering only one of the four total characteristics met. With only descriptive evidence of Emissary Panda’s acts, there are but digital footprints. It must be said that although this remains an abstract digital entity, with no face or name of its own, it regardless constitutes a tangible threat to international web security.

Sources

Bertrand, N. (2014). These Are The Hacker Groups That Should Be Keeping You Up At Night. Business Week. Retrieved From: http://uk.businessinsider.com/hacker-groups-you-should-be-worrying-about-2014-10
Brayley, H. & Bernard, R. (2014). Cyber Crime. Perspectives On Organized Crime. University College London. London.
Broadhurst, R., Grabosky, P., Alazab, M., & Chon, S. (2014). Organizations And Cyber crime: An Analysis Of The Nature of Groups Engaged In Cyber Crime. International Journal of Cyber Criminology, 8(1).
Chander, A., Gelman, L., & Radin, M. J. (2008). Securing Privacy in the Internet Age. Palo Alto, California, United States: Stanford University Press.
Coase, R., & Wang, N. (2012). How China Became Capitalist. New York, NY: Palgrave Macmillan.
CrowdStrike. (2013). CrowdStrike Global Threat Report: A Year In Review 2013. CrowdStrike, (1)1, 1-32.
Dulaney, E. (2011). CompTIA Security + Study Guide Authorized Courseware: Exam SY0-301. Hoboken, NJ: John Wiley & Sons.
Duncan, H. & Martosko, D. (2014). America Usurped: China Becomes World’s Largest Economy, Putting U.S. In Second Place For the First Time In 142 Years. Daily Mail. Retrieved From: http://www.dailymail.co.uk/news/article-2785905/China-overtakes-U-S-world-s-largest-economy-IMF-says-economy-worth-17-6trillion-America-falls-second-place-time-1872.html
Enck, J. L. (2003). United Nations Convention against Transnational Organized Crime: Is It All That It Is Cracked up to Be-Problems Posed by the Russian Mafia in the Trafficking of Humans. Syracuse J. Int’l L. & Com, 30, 369.
Eftimiades, N. (1994). Chinese Intelligence Operations. Annapolis, Maryland: Naval Institute Press.
Finckenauer, J. O. (2005). Problems Of Definition: What Is Organized Crime? Trends In Organized Crime, 8(3), 63-83.
Goodman, M. D. (1996). Why The Police Don’t Care About Computer Crime. Harv. JL & Tech., 10, 465.
Gu, L. (2014) Cyber Criminal Underground Economy Series: The Chinese Underground in 2013. Irving, Texas: Trend Micro.
Gu, L. (2013). Beyond Online Gaming Cybercrime: Revisiting the Chinese Underground Market. Irving, Texas: Trend Micro.
Hagan, F. E. (2006). “Organized Crime” And “Organized Crime”: Indeterminate Problems Of Definition. Trends In Organized Crime, 9(4), 127-137.
Hjortdal, M. (2011). China’s Use Of Cyber Warfare: Espionage Meets Strategic Deterrence. Journal of Strategic Security, 4(2), 2.
Holt, T. J. (2013). Exploring The Social Organisation And Structure Of Stolen Data Markets. Global Crime, 14(2-3), 155-174.
Inkster, N. (2013). Chinese Intelligence In The Cyber Age. Survival, 55(1), 45-66.
Jianwei, Z., Liang, G., & Haixin, D. (2012). Investigating China’s online underground economy. University of California Institute on Global Conflict and Cooperation.
Lemos, R. (2014). Global Cyber-Attackers Diversifying Their Techniques: CrowdStrike. eWeek. Retrieved From: http://www.eweek.com/security/global-cyber-attackers-diversifying-their-techniques-crowdstrike.html
Lintner, B. (2004). Chinese Organised Crime. Global Crime, 6(1), 84-96.
McGuire, M., & Dowling, S. (2013). Cyber crime: A Review Of The Evidence. Home Office Research Report 75 .
Rana, K. S., & Chatterjee, B. (2011). Economic Diplomacy: India’s Experience. Jaipur, India: CUTS International.
Rashid, F. (2014). CrowdStrike Takes On Chinese, Russian Attack Groups in Threat Report. Security Week. Retrieved From: http://www.securityweek.com/crowdstrike-takes-chinese-russian-attack-groups-threat-report
Rashid, F. (2013). Department of Labor Website Hacked to Distribute Malware. Security Week. Retrieved From: http://www.securityweek.com/department-labor-website-hacked-distribute-malware
Rogers, M., And Ruppersberger, C. D. (2012). Investigative Report on the US National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE: A Report. US House of Representatives.
Schlesinger, Jennifer. (2014). From ‘Kitten’ To ‘Panda’: Dangerous Hack Groups To Avoid. CNBC. Retrieved From: http://www.cnbc.com/id/101363114#.
Schwartz, M. (2011). Treat Hackers As Organized Criminals, Says Government. Information Week: Dark Reading. Retrieved From: http://www.darkreading.com/risk-management/treat-hackers-as-organized-criminals-says-government/d/d-id/1100052?
Von Lampe, K. (2006). The Interdisciplinary Dimensions Of The Study Of Organized Crime. Trends in Organized Crime. 9(3), 77-95.
Waugh, R. (2013). Watering Hole Attack On Department Of Labor Site ‘Exploited New IE8 Vunerability.’ We Live Security. Retrieved From: http://www.welivesecurity.com/2013/05/07/watering-hole-attack-on-dept-of-labor-site-exploited-new-ie8-vulnerability/
White House. (2011). Strategy To Combat Transnational Organized Crime: Addressing Converging Threats to National Security. Washington, DC: U.S. Government Printing Office
Wilson, T. (2014). Politically Motivated Cyberattackers Adopting New Tactics, Report Says. Dark Reading. Retrieved From: http://www.darkreading.com/attacks-breaches/politically-motivated-cyberattackers-adopting-new-tactics-report-says/d/d-id/1141196?

Advertisements