China-linked cyber-espionage group APT27 is believed to have orchestrated recent ransomware attacks, including one where a legitimate Windows tool was used to encrypt the victim’s files.
Active since at least 2010 and tracked by different security firms as Emissary Panda, TG-3390, Iron Tiger, Bronze Union, and Lucky Mouse, APT27 is known for cyber-espionage campaigns targeting hundreds of organizations around the world.
In addition to government organizations, the group was also observed targeting U.S. defense contractors, a European drone maker, financial services firms, and a national data center in Central Asia, among others.
More recently, however, the cyberspies appear to have switched to financially-motivated attacks. In one such incident, the Windows tool BitLocker was used to encrypt core servers at a compromised organization.
The attack, boutique cybersecurity services company Profero explains in a detailed report, had similarities in code and TTPs with the DRBControl campaign that Trend Micro linked in early 2020 to Chinese APT groups APT27 and Winnti.
Targeting gambling and betting operations in Southeast Asia, DRBControl stood out for the use of specific backdoors, alongside malware such as PlugX RAT, Trochilus RAT, HyperBro backdoor, and the Cobalt Strike implant.
During their investigation of the ransomware attack, Security Joes and Profero researchers identified a backdoor they linked to DRBControl, as well as an ASPXSpy webshell, a PlugX sample, and Mimikatz.
“With regards to who is behind this specific infection chain, there are extremely strong links to APT27/Emissary Panda, in terms of code similarities, and TTPs,” the security researchers say.
The victim was infected through a third-party service provider that too was compromised through another third-party service provider. Also unusual for a ransomware attack was the use of BitLocker, a local tool, instead of a ransomware family.
“Previously, APT27 was not necessarily focused on financial gain, and so employing ransomware actor tactics is highly unusual, however this incident occurred at a time where COVID-19 was rampant across China, with lockdowns being put into place, and therefore a switch to a financial focus would not be surprising,” Profero notes.
This, however, does not appear to be a singular ransomware incident attributed to the Chinese hacking group: in late November 2020, Positive Technologies detailed an APT27 attack in which the Polar ransomware was used.
Related: Telecom Sector Increasingly Targeted by Chinese Hackers: CrowdStrike
Related: Chinese Cyber-Spies Target Government Organizations in Middle East
Related: China-linked APT Hackers Launch Coronavirus-Themed Attacks
More from Ionut Arghire
- Votiro Raises $11.5 Million to Prevent File-Borne Threats
- Lumen Technologies Hit by Two Cyberattacks
- Leaked Documents Detail Russia’s Cyberwarfare Tools, Including for OT Attacks
- Severe Azure Vulnerability Led to Unauthenticated Remote Code Execution
- 500k Impacted by Data Breach at Debt Buyer NCB
- Chinese Cyberspies Use ‘Melofee’ Linux Malware for Stealthy Attacks
- Microsoft Cloud Vulnerability Led to Bing Search Hijacking, Exposure of Office 365 Data
- OpenAI Patches Account Takeover Vulnerabilities in ChatGPT
Latest News
- Italy Temporarily Blocks ChatGPT Over Privacy Concerns
- FDA Announces New Cybersecurity Requirements for Medical Devices
- Report: Chinese State-Sponsored Hacking Group Highly Active
- Votiro Raises $11.5 Million to Prevent File-Borne Threats
- Lumen Technologies Hit by Two Cyberattacks
- Leaked Documents Detail Russia’s Cyberwarfare Tools, Including for OT Attacks
- Mandiant Investigating 3CX Hack as Evidence Shows Attackers Had Access for Months
- Severe Azure Vulnerability Led to Unauthenticated Remote Code Execution
