Hammer Panda is a targeted intrusion adversary with a likely nexus to the first Technical Reconnaissance Bureau (TRB) of the Chinese People’s Liberation Army (PLA), located in the former Lanzhou Military Region (MR).
CrowdStrike Intelligence tracks Hammer Panda activity back to at least 2013. Over that period the adversary has used multiple malware families, both adversary-specific and widely shared, including PlugX, NetTraveler, Saker, DarkSt, and ZeroT.
Historic Hammer Panda activity during the 2013-2014 timeframe focused on India and related targets, while a shift in targeting at the end of 2014 into 2015 showed a clear focus on Russian-related issues. Hammer Panda operations generally center on defense-related geopolitical issues, which indicates primary targeting of the government and defense sectors; however, Hammer Panda has also been associated with limited targeting of financial firms.
The most recent Hammer Panda activity was identified by CrowdStrike Intelligence in December 2017, using the ZeroT malware family as part of a Russian-language-themed attack. Reduced Hammer Panda activity throughout 2018-2020 may be due in part to the widespread restructuring effort begun in 2015 by the PLA, intended to reorganize Chinese cyber forces under the newly formed Strategic Support Force (SSF). These reorganization efforts have led to widely reduced operations from PLA-associated adversary groups. CrowdStrike Intelligence currently assesses Hammer Panda to be inactive.