Menu
Browse

Cyber Threat Actor: APT27

Aliases: 4 aliases
Actor Type Location Known Incidents
 Icon
Nation State
China
6 incidents
Profile

APT27, also known as Bronze Union, TA429 and Emissary Panda, is a threat actor that has been publicly linked to China. Multiple sources describe the group as Chinese‑state linked, with one report noting a connection to the People’s Liberation Army Strategic Support Force and another identifying Emissary Panda as a sophisticated Chinese‑linked group responsible for the 2016 intrusion into the International Civil Aviation Organization.

The actor’s targeting spans several sectors and regions, reflecting both espionage and disruptive objectives. It has conducted SMS phishing campaigns that stole credentials from employees of the U.S.‑based technology firm Cloudflare, an effort that was thwarted by multi‑factor authentication. In early 2022 the same group was implicated in cyberattacks that paralyzed automated fuel loading and unloading systems at German petrol distributors Oiltanking and Mabanaft, causing operational disruption across thirteen tank farms. Espionage‑focused operations include a 2017 spear‑phishing and watering‑hole campaign against Mongolia’s national data center, where malware was implanted on government websites to enable persistent surveillance, and the 2016 intrusion into the ICAO aviation agency attributed to Emissary Panda, which was described as an espionage effort. Additionally, a 2022 Google Threat Analysis Group report tied a Chinese‑sponsored group linked to the PLA SSF to ongoing targeting of Russian government agencies and companies, indicating a continued intelligence‑gathering focus.

Observed tactics, techniques and procedures include the use of SMS‑based phishing that directs victims to fraudulent login pages and triggers the automatic download of remote access tools such as AnyDesk, spear‑phishing emails combined with watering‑hole websites to deliver malware, and the implantation of persistent malware on government‑hosted websites that communicates through command‑and‑control servers routed via compromised infrastructure. The group has also been observed exploiting existing internal vulnerabilities and relying on weak security practices to maintain access, as noted in the ICAO incident where poor incident response allowed the breach to persist.

Representative campaigns cited in the open source record are the 2022 SMS phishing effort against Cloudflare employees linked to the same actors behind the Twilio breach, the 2022 disruption of German fuel distribution services at Oiltanking and Mabanaft, the 2017 spear‑phishing and watering‑hole intrusion of Mongolia’s national data center, the 2016 ICAO espionage intrusion attributed to Emissary Panda, and the ongoing targeting of Russian governmental entities highlighted in the 2022 Google threat report. These examples illustrate the actor’s recurring use of credential harvesting, remote access tools, spear‑phishing, watering‑hole techniques and malware implantation to achieve espionage and operational disruption objectives.

Incidents
Attributed incidents available to members
6 incidents
Sources
Sources available to members
26 sources