Hackers are targeting online gambling companies with ransomware, reportedly under the patronage of the Chinese state, which suggests a change in the way either the Chinese authorities or these cyber criminals operate.
A report by Israeli cybersecurity firms Security Joes and Profero confirmed that five online gambling operators suffered multiple ransomware attacks earlier this year. The authors of these attacks are part of a group of hackers known as Advanced Persistent Threat 27 (APT27) or Emissary Panda.
The report builds on an earlier report by the firm Trend Micro, dated February 2020, which identified another China-backed hacking group known under the alias Winnti or APT41. That group specializes in targeting online gaming companies only, not gambling companies.
In its attacks, APT27 used the DRBControl malware, a similar program used to gain access to certain servers. APT27, however, has generally focused on corporate espionage rather than on data tied to financial gain.
Another difference in the APT27 attacks is that, once inside the compromised servers, the hackers used the BitLocker encryption tool, which is built into Windows, to lock the servers' legitimate owners out of them, instead of deploying a custom piece of ransomware.
According to the technicians at Profero / Security Joes, the hackers then demanded US$100 million in Bitcoin from the owners of the gaming platforms to unlock the servers.
The hackers never received a ransom for releasing the servers, because the owners never paid. The companies' security teams regained access to the servers and restored the data from backups.
American cybersecurity firm FireEye claimed in 2019 that the Chinese hacker group Winnti, cited in the Trend Micro report, had pioneered the combination of political and commercial cyber espionage since 2014.
FireEye is not certain that this group "enjoys protections that allow it to carry out its own ends." Either way, the hackers make very high profits from their illegal activities, and perhaps "the (Chinese) authorities are willing to ignore them."
North Korea could be behind the cyberattacks
Another country that often engages in this kind of illegal cyber activity for profit is North Korea. This country, ruled by a bloody communist dynasty for decades, has established its own network of online gambling sites and has tried to steal Bitcoin from its South Korean neighbor.
Experts say it has indeed done so. North Korea also tried to steal $1 billion from the state of Bangladesh but managed to take only $81 million.
But this does not appear to be China's motivation for sponsoring cyberattacks, since it has far greater financial resources than the battered Korean economy. Speaking to the Israeli newspaper Haaretz, cybersecurity researcher Amit Serper noted that Chinese hackers reuse the same tactics and tools across their attacks, which makes their fingerprints easier to trace.
However, it could also be another group of hackers mimicking Chinese attack tactics to mislead. Could it be hackers from North Korea?
It is even possible that the ransomware attack is nothing more than a distraction, and that the Chinese hackers' real goal is to disrupt the operations of companies that accept bets from players on the Chinese mainland.
Since last year, China has been waging a campaign against cross-border gambling to prevent capital flight. This could be a way to identify and punish not only the operators but also the players themselves, in a manner that serves as a warning to others.