Threat Management, Threat Intelligence, Malware, Ransomware

Chinese espionage group APT27 moves into ransomware


Researchers have discovered that the Chinese espionage group APT27 has moved into more financially-motivated cybercrimes, using ransomware to encrypt core servers at major gaming companies worldwide.

In a blog released by Profero and Security Joes, researchers said the team first started following APT27 closely in early 2020 when they responded to the ransomware incident. During that investigation they found malware identified by TrendMicro back in July 2019, which was linked to a campaign by APT27 and Winnti, known as DRBControl. Both groups are linked to China.

The Profero/Security Joes report on the ransomware incidents found extremely strong links to APT27 in terms of code similarities and tactics, techniques and procedures. They said what stood out in this incident was the encryption of core servers using BitLocker, a drive encryption tool built into Windows. The approach was unusual, given threat actors typically drop the ransomware to the machines as opposed to using local tools. What solidified their belief that APT27 had moved into financially-motivated cybercrime was a report in April 2020 by Positive Technologies that found APT27 had also dropped the Polar ransomware on systems.  

Austin Merritt, cyber threat intelligence analyst at Digital Shadows, said the significant use of tooling that has historically been linked to Chinese threat actors suggests it’s realistically possible that APT27 or Winnti could have been responsible for the ransomware actions outlined by the Profero/Security Joes report. Merritt added that other nation-state affiliated APTs such as TA505 (Russia) and Lazarus Group (North Korea) have used ransomware in the past.

“As many ransomware variants are deployed using commodity malware variants, such as TrickBot and Emotet, it’s often hard to pinpoint attribution to one specific APT,” Merritt said. “Given the prominence of ransomware across the threat landscape, it’s likely that financially-motivated nation-state threat actors will use ransomware in future attacks.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.