Security researchers investigating a set of ransomware incidents at multiple companies discovered malware indicating that the attacks may be the work of a hacker group believed to operate on behalf of China.
A well-known Chinese state-backed APT group is believed to have been responsible for multiple ransomware attacks against firms last year, according to new research.
Researchers from security firms Profero and Security Joes linked a series of ransomware attacks to the China-linked APT27 group.
Although the attacks lack the sophistication normally seen with advanced threat actors, there is strong evidence linking them to APT27, a group normally involved in cyber espionage campaigns, also known as TG-3390, Emissary Panda, BRONZE UNION, Iron Tiger, and LuckyMouse.
The APT group has been active since 2010 and has targeted organizations worldwide, including U.S. defense contractors, financial services firms, and a national data center in Central Asia.
The attacks happened in 2020 and directly targeted at least five companies in the online gambling sector that operate globally and successfully encrypted several core servers.
The group was involved in cyber espionage campaigns aimed at new-generation weapons and in surveillance activities against dissidents and other civilian groups.
While these were ransomware incidents in earnest, the threat actor relied on BitLocker, the drive encryption tool built into Windows, to lock the servers.
The researchers from cybersecurity firms Profero and Security Joes responded to these incidents and found that the hackers reached their targets through a third-party service provider, which had been infected through another third-party provider.
They found samples of malware linked to the DRBControl campaign which targeted major gaming companies and is associated with two well-known Chinese-backed groups, APT27 (aka Emissary Panda) and Winnti.
Specifically, they claimed to have detected an older version of the Clambling backdoor used in that campaign, an ASPXSpy web shell previously used by APT27, and the PlugX remote access trojan, which is regularly mentioned in cybersecurity reports about campaigns linked to China.
Although Winnti is known for financially motivated attacks, APT27 is generally more focused on data theft. However, the latter has previously been linked to one ransomware attack, featuring the Polar variant.
Researchers at Positive Technologies attributed a Polar ransomware attack from April 2020 to APT27, based on the use of malware normally used by this group.
The attacks against the five companies in the gambling sector were not particularly sophisticated and relied on known methods to evade detection and move laterally.
ASPXSpy was deployed for lateral movement and PlugX and Clambling were loaded into memory using a Google Updater executable vulnerable to DLL side-loading.
Popular open-source tool Mimikatz was also used in the attack and a publicly available exploit for CVE-2017-0213 was used to escalate privileges.
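The attack chain above (a web shell under IIS, BitLocker driven from the command line, and a Google Updater binary copied somewhere it can side-load a planted DLL) lends itself to a few simple process-creation rules. The following is an added example written for this page, not code from the researchers or the report; the event field names, hosts, paths and the updater install directories are constructed assumptions.

```python
# Added example (not from the report or the researchers): a detection pass over
# constructed Windows process-creation records for three behaviours described
# above: manage-bde used to turn on BitLocker, the IIS worker spawning a shell
# (web-shell activity), and GoogleUpdate.exe running outside its install
# directory (DLL side-loading needs the signed exe copied next to a planted DLL).
import ntpath
from dataclasses import dataclass

@dataclass
class ProcEvent:
    host: str
    parent: str    # parent image path
    image: str     # new process image path
    cmdline: str

IIS_WORKER = "w3wp.exe"
SHELLS = {"cmd.exe", "powershell.exe"}
# Assumption: the legitimate updater is installed under one of these directories.
UPDATER_IMAGE = "googleupdate.exe"
UPDATER_DIRS = (r"c:\program files (x86)\google\update", r"c:\program files\google\update")

def detect(events):
    """Return (host, rule, evidence) tuples for events matching any rule."""
    findings = []
    for e in events:
        name = ntpath.basename(e.image).lower()
        parent = ntpath.basename(e.parent).lower()
        args = e.cmdline.lower().split()
        image_dir = ntpath.dirname(e.image).lower()
        if name == "manage-bde.exe" and any(f in args for f in ("-on", "-lock")):
            findings.append((e.host, "bitlocker_cli", e.cmdline))
        if parent == IIS_WORKER and name in SHELLS:
            findings.append((e.host, "iis_spawned_shell", e.cmdline))
        if name == UPDATER_IMAGE and not image_dir.startswith(UPDATER_DIRS):
            findings.append((e.host, "updater_outside_install_dir", e.image))
    return findings

# Constructed sample: one benign updater run followed by three suspicious records.
SAMPLE = [
    ProcEvent("srv01", r"C:\Windows\System32\services.exe",
              r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe", "GoogleUpdate.exe /svc"),
    ProcEvent("srv01", r"C:\Users\Public\svc.exe",
              r"C:\Users\Public\GoogleUpdate.exe", "GoogleUpdate.exe"),
    ProcEvent("srv02", r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("srv02", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\manage-bde.exe", "manage-bde.exe -on D: -UsedSpaceOnly"),
]

def run_sample():
    return detect(SAMPLE)
```

On a real estate the same rules would be fed from Sysmon or EDR process-creation telemetry, with the updater directories adjusted to the local install layout.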