China-linked APT 27, which in the past had been observed targeting organizations across the globe with cyber-espionage campaigns, appears to have switched to financially-motivated attacks, according to a new report fr om boutique cybersecurity services company Profero.
APT27 has been active since at least 2010 and is tracked by security firms as Emissary Panda, TG-3390, Iron Tiger, Bronze Union, and Lucky Mouse. The list of the group’s victims includes government organizations, as well as U.S. defense contractors, a European drone maker, financial services firms, and a national data center in Central Asia.
However, recent campaigns against major gaming companies investigated by researchers at Profero, suggest that the hackers have moved to ransomware attacks. One such incident involved the Windows tool BitLocker which was used to encrypt core servers at a compromised organization.
The researchers said they discovered malware samples linked to the DRBControl campaign uncovered by Trend Micro in early 2020 and attributed to Chinese APT groups APT27 and Winnti. The malware in question is a variant of Clambling backdoor used in the DRBControl campaign. Alongside the Clambling backdoor the researchers discovered an ASPXSpy webshell, a PlugX sample, and Mimikatz.
“With regards to who is behind this specific infection chain, there are extremely strong links to APT27/Emissary Panda, in terms of code similarities, and TTPs,” according to the report.
Profero said that the hackers were able to compromise the target organization via a third-party service provider that too was infected through another third-party service provider.
“What stood out in this incident was the encryption of core services using BitLocker, which is a drive encryption tool built into Windows. This was particularly interesting, as in many cases threat actors will drop ransomware to the machines, rather that use local tools. Previously, APT27 was not necessarily focused on financial gain, and so employing ransomware actor tactics is highly unusual, however, this incident occurred at a time wh ere COVID-19 was rampant across China, with lockdowns being put into place and therefore a switch to a financial focus would not be surprising,” the researchers said.