Ransomware Attacks Linked to Chinese Cyberspies

China-linked cyber-espionage group APT27 is believed to have orchestrated recent ransomware attacks, including one where a legitimate Windows tool was used to encrypt the victim’s files.

Active since at least 2010 and tracked by different security firms as Emissary Panda, TG-3390, Iron Tiger, Bronze Union, and Lucky Mouse, APT27 is known for cyber-espionage campaigns targeting hundreds of organizations around the world.

In addition to government organizations, the group was also observed targeting U.S. defense contractors, a European drone maker, financial services firms, and a national data center in Central Asia, among others.

More recently, however, the cyberspies appear to have switched to financially motivated attacks. In one such incident, BitLocker, the full-volume encryption feature built into Windows, was used to encrypt core servers at a compromised organization.

The attack, boutique cybersecurity services company Profero explains in a detailed report, had similarities in code and TTPs with the DRBControl campaign that Trend Micro linked in early 2020 to Chinese APT groups APT27 and Winnti.

Targeting gambling and betting operations in Southeast Asia, DRBControl stood out for the use of specific backdoors, alongside malware such as PlugX RAT, Trochilus RAT, HyperBro backdoor, and the Cobalt Strike implant.

During their investigation of the ransomware attack, Security Joes and Profero researchers identified a backdoor they linked to DRBControl, as well as an ASPXSpy webshell, a PlugX sample, and Mimikatz.

“With regards to who is behind this specific infection chain, there are extremely strong links to APT27/Emissary Panda, in terms of code similarities, and TTPs,” the security researchers say.

The victim was infected through a third-party service provider, which had itself been compromised through yet another third-party service provider. Also unusual for a ransomware attack was the use of BitLocker, a tool already present on the target systems, instead of a dedicated ransomware family: because the attackers set the key protectors themselves, they held the only keys to the encrypted volumes.
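Because BitLocker is a legitimate, signed Windows component, attacker-initiated encryption like the incident described above does not trip file-based ransomware signatures; what stands out is a server volume that starts encrypting under a password or recovery-password protector nobody provisioned. The following PowerShell audit is an added example written for this page, not code from Profero, Security Joes or the report they published. It assumes the built-in BitLocker module is available (Windows Server 2012 / Windows 8 and later), that it runs with administrator rights, and that the `$ExpectedEncrypted` baseline is a list you maintain of mount points deliberately protected with BitLocker.

```powershell
# Added example (not from the Profero/Security Joes report): audit BitLocker state on a
# Windows host and flag volumes whose encryption was not part of the sanctioned baseline.
# Requires the BitLocker PowerShell module and an elevated session.
param(
    # Assumed baseline: mount points you intentionally encrypted, e.g. @('C:').
    [string[]]$ExpectedEncrypted = @(),
    # How far back to pull BitLocker management events.
    [int]$LookbackHours = 24
)

Import-Module BitLocker -ErrorAction Stop

$findings = foreach ($vol in Get-BitLockerVolume) {
    $types      = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $encrypting = $vol.VolumeStatus -in 'EncryptionInProgress', 'FullyEncrypted'
    $unexpected = $encrypting -and ($vol.MountPoint -notin $ExpectedEncrypted)
    # A volume guarded only by Password/RecoveryPassword protectors (no TPM-bound protector)
    # on a host where nobody rolled out BitLocker is the pattern to worry about:
    # whoever created that protector is the only party who can unlock the volume.
    $noTpm = -not ($types -like 'Tpm*')

    [pscustomobject]@{
        MountPoint        = $vol.MountPoint
        VolumeStatus      = $vol.VolumeStatus
        EncryptionPercent = $vol.EncryptionPercentage
        ProtectionStatus  = $vol.ProtectionStatus
        KeyProtectors     = ($types -join ',')
        Suspicious        = ($unexpected -and $noTpm)
    }
}

$findings | Format-Table -AutoSize

# Pull recent entries from the BitLocker management log (encryption start/stop, protector
# changes) for the same window so the timeline can be correlated with the volume state.
$since = (Get-Date).AddHours(-$LookbackHours)
Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```

Run it on a server immediately after the first sign of compromise, while `EncryptionInProgress` volumes can still be paused with `Suspend-BitLocker`; once a volume is `FullyEncrypted` under an attacker-set protector and no recovery password was escrowed (for example to Active Directory), the data is as lost as it would be under a conventional ransomware family.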

“Previously, APT27 was not necessarily focused on financial gain, and so employing ransomware actor tactics is highly unusual, however this incident occurred at a time where COVID-19 was rampant across China, with lockdowns being put into place, and therefore a switch to a financial focus would not be surprising,” Profero notes.

This, however, does not appear to be the only ransomware incident attributed to the Chinese hacking group: in late November 2020, Positive Technologies detailed an APT27 attack in which the Polar ransomware was used.

Written by Ionut Arghire, international correspondent for SecurityWeek.
