Menu
Browse

Cyber Threat Actor: APT27

Aliases: 5 aliases
Actor Type Location Known Incidents
 Icon
Nation State
China
1 incident
Profile

Iron Tiger and Iron Panda are aliases used to refer to a Chinese‑speaking threat actor that is publicly linked to Beijing and tracked under additional names such as APT27, EmissaryPanda and LuckyMouse. The actor’s location is identified as China, and it is described as a sophisticated Chinese‑linked group in multiple sources. Public reporting ties the actor to Beijing‑based operations and notes its activity spans several years, with connections to both espionage and financially motivated intrusions.

The actor’s targeting has been observed against government institutions in Mongolia, where it breached a national data center and planted malware on official websites, and against U.S. defense contractors, indicating a focus on governmental and defense sectors. Its strategic objectives include cyber‑espionage, as demonstrated by the covert insertion of malware into government networks, and financial crime, given past associations of APT27 with financially driven campaigns. Geographic focus includes Mongolia and the United States, reflecting the actor’s interest in both regional adversaries and overseas targets.

Noted tactics involve watering‑hole style attacks and spear‑phishing emails to compromise specific employees, after which the actor leverages those credentials to expand control over the compromised infrastructure. The Mongolian data center breach relied on exploiting critical vulnerabilities in Mikrotik routers, with the attack server traced to Ukraine. Representative operations include the October 2017‑to‑March 2018 campaign against Mongolia’s national data center, the suspected involvement in the ICAO incident where the hacker was described as likely a member of Emissary Panda, and repeated targeting of U.S. defense contractors. These activities illustrate the actor’s use of credential harvesting, router exploitation and persistent access to achieve its objectives.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
26 sources