State-sponsored Chinese hackers turning to financially motivated attacks, Israeli researchers find

Cybersecurity companies Security Joes and Profero believe APT27 was responsible for attacks on major gaming companies

CTech, 16:02, 04.01.21

A state-sponsored Chinese hacking team is believed to have targeted major gaming companies in a ransomware attack, a new report by Israeli cybersecurity companies Security Joes and Profero revealed on Monday. According to the companies, after an extensive investigation into an incident involving ransomware and the encryption of several core servers, their teams discovered samples of malware linked to a campaign previously reported on by TrendMicro, known as DRBControl, with links to two APT groups: APT27 and Winnti. APT27 is believed to be a state-sponsored Chinese APT group focused on cyberespionage and the theft of information and data. Following these attacks, the hackers demanded a ransom in excess of $100 million in Bitcoin. However, the sum was never transferred, as Security Joes and Profero managed to thwart the attack and minimize the damage.


This particular campaign revolved around attacks on major gaming companies, with DRBControl first being reported on by TrendMicro and Talent-Jump Technologies at the beginning of 2020 and covering an incident they responded to back in July 2019.

Hacker. Photo: Shutterstock


"What was interesting about this backdoor was its utilization of Dropbox as a Command and Control (C2) server. Our team discovered a very similar sample that we were able to identify as a variant of Clambling; however, the sample lacked any Dropbox capabilities. As a result, it could be considered an older variant, or the threat actors may have different variants for different use cases," read the Security Joes and Profero report. "With regards to who is behind this specific infection chain, there are extremely strong links to APT27/Emissary Panda, in terms of code similarities and TTPs. What stood out in this incident was the encryption of core servers using BitLocker, which is a drive encryption tool built into Windows. This was particularly interesting, as in many cases threat actors will drop ransomware onto the machines rather than use local tools. Previously, APT27 was not necessarily focused on financial gain, and so employing ransomware actor tactics is highly unusual; however, this incident occurred at a time when Covid-19 was rampant across China, with lockdowns being put into place, and therefore a switch to a financial focus would not be surprising."


"We estimate that the change in the goals and targets of attacks by the Chinese hackers is the result of the Covid-19 crisis which led to economic uncertainty," added Profero CEO Omri Segev Moyal. "It is likely that the government is seeking alternative solutions for black market money or that the hackers themselves, who had been sitting in the systems for a while, decided it was time to cash out. It is very concerning that during this global crisis more and more countries are violating the balance and choosing to attack the business sector with sophisticated and powerful tools. We saw this trend during the recent attacks from Iran on the Israeli economy. Private companies aren't set up to protect themselves against such forces."


Ido Naor, founder and CEO of Security Joes, also called on companies to improve their protection. "There has been a significant escalation in cyberthreats targeting the business sector over recent months," he explained. "It is likely that this trend will continue and therefore, especially during this period in which many organizations are based on remote work, we recommend strengthening security and maintaining precautionary rules."