Cyber Threat Actor: APT27
| Actor Type | Location | Known Incidents |
Nation State
|
China
|
1 incident |
|---|
Profile
Iron Tiger and Iron Panda are aliases used to refer to a Chinese‑speaking threat actor that is publicly linked to Beijing and tracked under additional names such as APT27, EmissaryPanda and LuckyMouse. The actor’s location is identified as China, and it is described as a sophisticated Chinese‑linked group in multiple sources. Public reporting ties the actor to Beijing‑based operations and notes its activity spans several years, with connections to both espionage and financially motivated intrusions.
The actor’s targeting has been observed against government institutions in Mongolia, where it breached a national data center and planted malware on official websites, and against U.S. defense contractors, indicating a focus on governmental and defense sectors. Its strategic objectives include cyber‑espionage, as demonstrated by the covert insertion of malware into government networks, and financial crime, given past associations of APT27 with financially driven campaigns. Geographic focus includes Mongolia and the United States, reflecting the actor’s interest in both regional adversaries and overseas targets.
Noted tactics involve watering‑hole style attacks and spear‑phishing emails to compromise specific employees, after which the actor leverages those credentials to expand control over the compromised infrastructure. The Mongolian data center breach relied on exploiting critical vulnerabilities in Mikrotik routers, with the attack server traced to Ukraine. Representative operations include the October 2017‑to‑March 2018 campaign against Mongolia’s national data center, the suspected involvement in the ICAO incident where the hacker was described as likely a member of Emissary Panda, and repeated targeting of U.S. defense contractors. These activities illustrate the actor’s use of credential harvesting, router exploitation and persistent access to achieve its objectives.
