Ransomware Attacks Linked to Chinese Cyberspies

China-linked cyber-espionage group APT27 is believed to have orchestrated recent ransomware attacks, including one where a legitimate Windows tool was used to encrypt the victim’s files.

Active since at least 2010 and tracked by different security firms as Emissary Panda, TG-3390, Iron Tiger, Bronze Union, and Lucky Mouse, APT27 is known for cyber-espionage campaigns targeting hundreds of organizations around the world.

In addition to government organizations, the group was also observed targeting U.S. defense contractors, a European drone maker, financial services firms, and a national data center in Central Asia, among others.

More recently, however, the cyberspies appear to have switched to financially motivated attacks. In one such incident, the Windows tool BitLocker was used to encrypt core servers at a compromised organization.

The attack, boutique cybersecurity services company Profero explains in a detailed report, had similarities in code and TTPs with the DRBControl campaign that Trend Micro linked in early 2020 to Chinese APT groups APT27 and Winnti.

Targeting gambling and betting operations in Southeast Asia, DRBControl stood out for the use of specific backdoors, alongside malware such as PlugX RAT, Trochilus RAT, HyperBro backdoor, and the Cobalt Strike implant.

During their investigation of the ransomware attack, Security Joes and Profero researchers identified a backdoor they linked to DRBControl, as well as an ASPXSpy webshell, a PlugX sample, and Mimikatz.

“With regards to who is behind this specific infection chain, there are extremely strong links to APT27/Emissary Panda, in terms of code similarities, and TTPs,” the security researchers say.

The victim was infected through a third-party service provider that had itself been compromised through yet another third-party service provider. Also unusual for a ransomware attack was the use of BitLocker, a tool built into Windows, rather than a dedicated ransomware family.
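Because the attackers relied on a built-in Windows feature rather than a malware family, file-based detections have little to catch; what does stand out on a host is the BitLocker state itself. The following PowerShell audit is an added example written for this article, not code from Profero, Security Joes or Trend Micro. It uses the standard BitLocker module (Get-BitLockerVolume) and assumes an organizational policy that is not in the article: the list of key protector types you deploy on purpose ($ExpectedProtectors) and, for server fleets that should never be encrypted, the -ExpectNoEncryption switch. Any volume that is encrypting, carries a protector type you did not deploy, or is encrypted at all where encryption is not expected is reported as a finding.

```powershell
# Added example (not from the SecurityWeek article or the firms it cites):
# audit BitLocker state on a Windows host so that unexpected encryption
# activity stands out. Requires the BitLocker PowerShell module
# (Windows 8 / Server 2012 and later) and an elevated session.
Import-Module BitLocker -ErrorAction Stop

# Assumed baseline: the protector types this organization deploys on purpose.
# Adjust to your own policy; anything outside this set is flagged.
$ExpectedProtectors = @('Tpm', 'TpmPin', 'RecoveryPassword')

function Get-BitLockerAudit {
    [CmdletBinding()]
    param(
        # Protector types considered legitimate on this host.
        [string[]]$ExpectedProtectorTypes = $ExpectedProtectors,
        # Set on hosts (e.g. core servers) where no volume should be encrypted.
        [switch]$ExpectNoEncryption
    )

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $unexpected = @($types | Where-Object { $_ -notin $ExpectedProtectorTypes })
        $findings = @()

        # Encryption that is still running is the window in which an operator
        # can still intervene; report it with the current percentage.
        if ($vol.VolumeStatus -eq 'EncryptionInProgress') {
            $findings += "encryption in progress ($($vol.EncryptionPercentage)%)"
        }

        # A protector type outside policy (for example a Password or
        # ExternalKey protector on a TPM-only estate) means someone other
        # than the deployment process added a key.
        if ($unexpected.Count -gt 0) {
            $findings += "unexpected protector(s): $($unexpected -join ', ')"
        }

        # On hosts that should not be encrypted at all, any state other than
        # fully decrypted is a finding regardless of protector type.
        if ($ExpectNoEncryption -and $vol.VolumeStatus -ne 'FullyDecrypted') {
            $findings += "volume is $($vol.VolumeStatus) on a host with no BitLocker policy"
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            Findings         = ($findings -join '; ')
        }
    }
}

# Usage: run on a workstation with the default baseline, or on a server
# that should never be encrypted with -ExpectNoEncryption.
$report = Get-BitLockerAudit
$report | Format-Table -AutoSize

$suspicious = @($report | Where-Object { $_.Findings })
if ($suspicious.Count -gt 0) {
    Write-Warning "BitLocker findings on $($env:COMPUTERNAME): $($suspicious.Count) volume(s) need review"
    exit 1
}
```

Scheduled across a fleet, the non-zero exit code or the Findings column can feed an existing monitoring pipeline; the baseline list is the part to tune, since a protector type that is routine on laptops (TpmPin, RecoveryPassword) may be unheard of on a database server.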

“Previously, APT27 was not necessarily focused on financial gain, and so employing ransomware actor tactics is highly unusual, however this incident occurred at a time where COVID-19 was rampant across China, with lockdowns being put into place, and therefore a switch to a financial focus would not be surprising,” Profero notes.

This, however, does not appear to be an isolated ransomware incident attributed to the Chinese hacking group: in late November 2020, Positive Technologies detailed an APT27 attack in which the Polar ransomware was used.

Related: Telecom Sector Increasingly Targeted by Chinese Hackers: CrowdStrike

Related: Chinese Cyber-Spies Target Government Organizations in Middle East

Related: China-linked APT Hackers Launch Coronavirus-Themed Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
