Israeli Firms Thwart '$100m Cyberattack' by China-linked Hackers


Two Israeli cybersecurity firms claim to have thwarted an attempted cybercrime attack against five of the world’s leading online gaming and gambling firms. The attackers, which the firms say are Chinese or linked to a Chinese hacker group, demanded over $100 million in ransom after encrypting data from the different companies, according to a case report study published Monday by Profero and Security Joes.

The ransom was not paid and the attack did not succeed, while the gaming and gambling companies managed to restore their data from backups and bounce back from the attack, the cybersecurity firms said.

The attack by hackers linked to the Chinese government, the firms say, is part of a wider trend in which “states deploy their powerful cyber capabilities against private companies.” In this case, workers in the gaming companies or those working in software firms used by them were targeted, allowing the hackers to enter their system indirectly, through what is termed a “supply chain.”

As is usually the case with cyberattacks, attribution is done by linking the tactics, techniques, procedures and targets of a certain attack to previous ones. In this case, the attack was linked back to a group called Emissary Panda, or Advanced Persistent Threat 27 – APT27.

APT is an industry term for state or state-sponsored hacker groups. For example, the Russian hacking campaign against the security firm FireEye and the SolarWinds software used by American government organizations was attributed to a group labeled APT29.

According to the Israeli firms, this attack against gaming firms is a change for APT27, which they say is funded by the Chinese government and is usually “focused on cyberespionage and theft of information and data [and] commonly targets government organizations, defence sectors, and more.”

In fact, an offshoot of this group, known as Winnti or APT41, was in the past involved in Chinese state-sponsored espionage activity and was even accused by FireEye in 2019 of spying on global tech, communications and health care providers for the Chinese government. China has denied such allegations repeatedly.

Past incidents like these are how the firms managed to link this operation back to the Chinese group: One of the tools used as part of the hack bore the tradecraft seen in previous incidents. “APT27 was not necessarily focused on financial gain [in the past], and so employing ransomware actor tactics is highly unusual, however this incident occurred at a time where COVID-19 was rampant across China, with lockdowns being put into place, and therefore a switch to a financial focus is not surprising,” their report said.

Unemployed cyber-soldiers?

Western intelligence officials told Reuters last April that Chinese hacking groups were increasingly pursuing commercial crimes alongside their state-backed operations. These findings were confirmed by the two Israeli cybersecurity firms that managed to track the hackers’ digital fingerprint to tools used in previous incidents attributed to China.

“It is reasonable to assume that the Chinese government or even just its hackers are looking for alternative sources of income,” explains Profero’s Omri Segev Moyal, noting the attack took place at the height of the coronavirus pandemic.

Prominent Israeli cybersecurity researcher Amit Serper, who currently serves as VP of research for Guardicore in North America, was asked to review the report and said that technically speaking, it was “solid.” Serper notes that attribution to state actors is extremely difficult, but he says the tools and methods described in this case are in line with what is known about this group.

“Neither I nor anyone can say if this is a Chinese soldier or officer from one of their cyber divisions doing this as part of their ‘day job,’ or some hacker moonlighting after work as ‘extracurricular’ activities,” he says.

Serper explains that with state-linked ransom attacks, many times the purported financial motives are actually an attempt to conceal the attackers’ true intentions: “With state-linked ransom attacks, there’s always a chance it’s also a cover-up.”

“We know that in North Korea, a country with a serious cash flow problem, ransom attacks by state hackers are used for income. However, with China, which has a massive economy, the ransom demand may only be a diversion tactic meant to cover their tracks,” he says. Ransom attacks follow a similar modus operandi that usually sees the victim’s entire system encrypted in return for payment. “This also means encrypting their tradecraft, which could reveal some new tools they want to keep secret, or even who they really are,” he adds.

In fact, he notes that in the field of cybersecurity, Chinese hackers are usually relatively easy to identify “because they use the same techniques and procedures, and research of previous attacks has allowed us to learn that there are different groups operating under the Chinese authorities for different types of targets.” For him, this also makes China an easy target for those wanting to hide their tracks: “We have seen in the past attacks that were so identical in their modus operandi to the Chinese attacks that we suspected – and later proved – that it was a false flag operation by another nation.”

Though reluctant to speculate on the attack’s real intention, he says that if indeed it is a state operation, perhaps its goal was to collect information about users, as gaming companies can be a trove of personal data, ranging from credit cards to email addresses. However, he also does not rule out that this was an attempt by China to launder money online – “we just can’t be certain,” he explains, stressing he only reviewed the report and not the materials behind it.

He explains that in general, while Russian state hackers tend to aim for “high quality targets, Chinese hackers tend to work at scale,” adding that Chinese cyber ops are usually more “smash and grab operations. Technologically speaking, this is not even in the same league as SolarWinds,” he says, referencing the Russian hack.

According to Segev Moyal, “it is concerning that a global crisis is being exploited by more and more nations to target private companies with their powerful capabilities. This is a trend we’ve also seen here recently, with the Iranian attacks on the Israeli market. Private companies are just not prepared to deal with a state-level threat,” he adds.

Ido Naor, who leads Security Joes, adds that “there is a certain radicalization in the level of threats the private sector has faced in recent months. It is safe to assume this concerning trend will only continue,” urging companies to protect themselves and their employees working remotely.
