How Chinese APT groups are using ransomware to attack companies

Advanced Persistent Threat (APT) activity is one of the main cybersecurity issues facing the world. The group identified as APT27 has been active for nearly a full decade and is known for its advanced cyber-espionage campaigns against hundreds of public and private organizations around the world.

This group, also identified as Emissary Panda, Bronze Union or Lucky Mouse, has targeted defense contractors, drone manufacturers and financial services companies, among other complex organizations.

However, the most recent analyses of this group indicate that it has shifted its efforts toward economically motivated attacks using ransomware infections. During a recent incident, experts detected the use of the Windows BitLocker tool to encrypt an organization’s servers, in an attack similar to the DRBControl campaign detected in early 2020 and allegedly carried out by APT27 and Winnti, another Chinese hacking group.

DRBControl operators stood out for their use of backdoors against bookmakers, as well as an ASPXSpy webshell: “We believe there are extremely strong links to APT27/Emissary Panda, in terms of code similarities and TTP,” the report from the security firm Profero states.

Apparently, the attacked organizations are infected through a third-party provider that was itself compromised by this hacking group. Experts are still examining why the attackers use BitLocker, a native Windows tool, to encrypt affected systems.

Experts note that APT27 has not historically been a group focused on earning revenue from its attacks, so the deployment of ransomware campaigns is highly unusual. One possible explanation is China’s economic situation as a result of the pandemic: with fewer resources coming in from organizations in Asia, the group may have turned to ransomware as a steady source of revenue. Some experts have also linked recent Polar ransomware infections to APT27, although there is not yet enough evidence to make a definitive judgment.