A Chinese hacking group broke into a national data center in Mongolia late last year in an expansive cyber-espionage campaign that allowed the attackers to quietly plant malware into government websites, according to a new research report by Kaspersky Lab and supplemental analysis provided to CyberScoop.
According to Kaspersky’s latest research, a known Chinese hacking group used watering hole-style attacks and spear phishing emails to breach specific employees of the Mongolian data center. After gaining individual access, they leveraged those accounts to gain additional control over the facility’s infrastructure.
The episode began around October 2017. It was discovered by Kaspersky in March 2018. The Chinese speaking group that’s responsible is widely linked to Beijing. It’s tracked by the cybersecurity community under different names, including APT27, EmissaryPanda, IronPanda and LuckyMouse. They’ve been known to also target U.S. defense contractors.
The Kaspersky report does not list Mongolia as the victim, but instead refers to it more ambiguously as a “Central Asia” country. A source familiar with the report revealed that country as Mongolia. The person spoke to CyberScoop on condition of anonymity to offer insight that the company chose not to publish.
In the past, APT27 has been tied to both government spying and financial crime, including bitcoin mining efforts. There are other cases where Chinese government-backed hacking groups appeared to be double-dipping; making money on the side while also conducting traditional intelligence missions.
It’s rare to see hackers breach an entire national data center though, especially to this degree.
“The most unusual and interesting point here is the target. A national data center is a valuable source of data that can also be abused to compromise official websites,” Kaspersky senior security researcher Denis Legezo wrote.
In some cases, compromised machines also received a remote access trojan (RAT) known as “HyperBro,” which provided customized controls to further manipulate or steal secrets from systems.
“There were traces of HyperBro in the infected data center from mid-November 2017. Shortly after that different users in the country started being redirected to the malicious domain update.iaacstudio[.]com as a result of the waterholing of government websites,” a Kaspersky blog post reads. “These events suggest that the data center infected with HyperBro and the waterholing campaign are connected.”
Researchers found that the attack server behind these Mongolian government breaches was mysteriously located in Ukraine. More specifically, the command and control (C2) could be tied back to a hacked Mikrotik router running old firmware. The hackers likely leveraged this Ukrainian machine in order to obfuscate their activities. It’s not yet clear how the hackers owned the Mikrotik router.
Multiple critical vulnerabilities in Mikrotik systems have been reported in recent months.
Historically, Mongolia and China maintain a complicated relationship.
China is one of Mongolia’s biggest trade partners and regional allies; almost 90 percent of Mongolia’s exports go to China, according to one study. But Beijing is also known for its persecution of ethnic and religious minorities, including buddhists, muslims, shamanists and others. Buddhism is the most prevalent religion in Mongolia.
In late 2017, around same the time that APT27 breached the aforementioned government data center, Chinese President Xi Jinping had just won re-election. Months earlier, Mongolia also had an election where their current President Khaltmaa Battulga dominated by riding a populist wave driven by anti-China rhetoric. At the time, some foreign policy experts predicted that Mongolia would shift their economic dependence towards Russia.