APT27
Who is APT27?
APT27 is a threat group that has been linked to China. This group uses tactics consistent with a moderately sophisticated skillset but also demonstrate discipline and an ability to plan and act strategically. APT27 targets very specific groups of victims and will often limit their attacks to only organizations within these groups by blocking requests or access to locations outside of the intended list of targets. Once APT27 gains access to their victims, they escalate privileges by focusing on Microsoft Exchange where most users, if not all, will end up communicating inside and outside the organization.
The strategic web compromises characteristic of APT27 attacks indicate thorough planning and foresight. It requires recognizing the need for strategic attack vectors, researching and understanding good candidates, and finally compromising a third-party website to continue their attack against their final targets. Although the methods of attack and maintaining access are not technically advanced, the ability to sustain consistent methodology and perform adequate planning for the wide variety of targets demonstrates organizational maturity not common within standard criminal organizations.
Ultimately, the access obtained through these techniques is used to exfiltrate sensitive information for strategic purposes in line with China's goals. APT27 will also use access to their victims to gather credentials for additional attacks.
Aliases
- Emissary Panda
- LuckyMouse
- BRONZE UNION
Associated Individuals
Based on the available evidence, researchers have assessed that the attackers are likely "located in the People's Republic of China." [7] Shadowserver has also noticed connections between APT27 and other Chinese APT groups based on similarities in their attacks, techniques, and objectives. The persistence and discipline of APT27 is rare in a field of hungry and aggressive attack groups, whereas Chinese threats tend to be more thorough and methodical.
Notable Attacks
No publicly released or proven attacks linked to APT27
NCC Group and Kaspersky wrote about possible links to APT27. [2][4] Shadowserver believes these specific attacks don't follow the same style and technique as the incidents reported by Secureworks. NCC Group points out the new sample contained debug strings which indicates it is likely still in development. Many production applications contain debug strings and are only run when logging requests that level of information or the developer runs the application with the appropriate switches to see these strings print. Otherwise, debug strings can be contained in an application's code and not indicate anything beyond the developers incoorporating debugging into ongoing development and deployment.
NCC Group also mentions that both samples compared contain different debug strings. When strings or functionality like this is changed, it often means access to the source code in the second instance in addition to the original developers maintaining their own code base of the first sample. This likely means the second attackers modified source code of the malware that they stole or purchased for their own use. To Shadowserver, this means the two groups have relationship of some type but does not prove connection beyond the two groups using and modifying the same tool, HttpBrowser.
Despite similarities in disassembled code, these two instances don't follow previous attacks closely enough for Shadowserver to attribute them to APT27. C2s and IPs related to NCC Group and Kaspersky attacks differ from the cluster of Chinese-related infrastructure used in earlier attacks. We have included the reports for reference and comparison.
Tactics
Secureworks described attacks where the actors conducted multiple strategic web compromises (SWC), which is a technique that focuses on a specific list of companies and websites instead of compromising any vulnerable website. APT27 knew these specific sites would be used by their intended targets. Their preparation and attacks are strictly planned and executed. Once access is obtained, APT27 begins gathering data for exfiltration and credentials to maintain persistent access. The attackers check for continued access to their victims and will use the stolen credentials when backdoors are closed.
APT27 thoroughly researches their targets and prepares each attack for the unique and individual environment of specific victims. Their techniques, while not necessarily advanced, do display adequate funding and resources for ongoing campaigns skilled workers.
Targets
- Manufacturing
- Aerospace (including defense contractors), automotive, technology, energy, and pharmaceuticals
- Education
- Legal
- Organizations focused on international relations
References
[1] - https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage
[3] - https://twitter.com/ClearskySec/status/1009753899513860098
[4] - https://securelist.com/luckymouse-hits-national-data-center/86083/
[5] - https://www.secureworks.com/blog/state-of-the-bronze-union-snapshot
[6] - https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox