Ransomware Attacks Linked to Chinese Cyberspies
China-linked cyber-espionage group APT27 is believed to have orchestrated recent ransomware attacks, including one where a legitimate Windows tool was used to encrypt the victim’s files.
Active since at least 2010 and tracked by different security firms as Emissary Panda, TG-3390, Iron Tiger, Bronze Union, and Lucky Mouse, APT27 is known for cyber-espionage campaigns targeting hundreds of organizations around the world.
In addition to government organizations, the group was also observed targeting U.S. defense contractors, a European drone maker, financial services firms, and a national data center in Central Asia, among others.
More recently, however, the cyberspies appear to have switched to financially motivated attacks. In one such incident, the built-in Windows tool BitLocker was used to encrypt core servers at a compromised organization.
The attack, boutique cybersecurity services company Profero explains in a detailed report, showed similarities in code and TTPs with the DRBControl campaign that Trend Micro linked in early 2020 to the Chinese APT groups APT27 and Winnti.
Targeting gambling and betting operations in Southeast Asia, DRBControl stood out for the use of specific backdoors, alongside malware such as PlugX RAT, Trochilus RAT, HyperBro backdoor, and the Cobalt Strike implant.
During their investigation of the ransomware attack, Security Joes and Profero researchers identified a backdoor they linked to DRBControl, as well as an ASPXSpy webshell, a PlugX sample, and Mimikatz.
“With regards to who is behind this specific infection chain, there are extremely strong links to APT27/Emissary Panda, in terms of code similarities, and TTPs,” the security researchers say.
The victim was infected through a third-party service provider that had itself been compromised through yet another third-party service provider. Also unusual for a ransomware attack was the use of BitLocker, a tool already present on the system, rather than a dedicated ransomware family.
“Previously, APT27 was not necessarily focused on financial gain, and so employing ransomware actor tactics is highly unusual, however this incident occurred at a time where COVID-19 was rampant across China, with lockdowns being put into place, and therefore a switch to a financial focus would not be surprising,” Profero notes.
This, however, does not appear to be an isolated ransomware incident attributed to the Chinese hacking group: in late November 2020, Positive Technologies detailed an APT27 attack in which the Polar ransomware was used.