It is suspected that the China-linked cyber-espionage organisation APT27 has coordinated recent ransomware attacks, including one where the victim’s files were encrypted using a legal Windows tool.
APT27 is known for cyber-espionage activity targeting hundreds of organisations around the world. It has been active since at least 2010 and is tracked by numerous security firms under names such as Emissary Panda, TG-3390, Iron Tiger, Bronze Union, and LuckyMouse.
The group has also been observed targeting, among others, U.S. military contractors, a European drone manufacturer, financial sector companies, and a national data centre in Central Asia, in addition to government agencies.
More recently, though, the cyberspies appear to have turned to financially motivated attacks. In one such incident, BitLocker, the encryption feature built into Windows, was used to encrypt core servers in a compromised enterprise.
The attack, described in a comprehensive report by boutique cybersecurity services firm Profero, shared code and TTP overlaps with the DRBControl operation that Trend Micro linked to the Chinese APT groups APT27 and Winnti in early 2020.
DRBControl targeted gambling and betting companies in Southeast Asia and stood out for its use of specific backdoors, deployed alongside malware such as the PlugX RAT, Trochilus RAT, HyperBro backdoor, and the Cobalt Strike implant.
During their analysis of the ransomware attack, Security Joes and Profero researchers found a backdoor they connected to DRBControl, as well as an ASPXSpy web shell, a PlugX sample, and Mimikatz.
“With regard to who is behind this particular infection chain, in terms of code similarities and TTPs, there are extremely strong links to APT27/Emissary Panda,” the security researchers claim.
The victim was compromised through a third-party service provider that had itself been compromised by another third-party service provider. The use of BitLocker, a native Windows tool, instead of a dedicated ransomware family was also unusual for a ransomware attack.
“Previously, APT27 was not necessarily focused on financial gain, so it is highly unusual to employ ransomware actor tactics, but this incident occurred at a time when COVID-19 was rampant across China, with lockdowns being put in place, so it would not be surprising to switch to a financial focus,” Profero says.
This, however, does not appear to be an isolated instance of ransomware linked to the Chinese hacking group: Positive Technologies described an APT27 attack in which the Polar ransomware was used in late November 2020.