Cyber Incident Victim: Mongolian National Data Center Building
Date: Oct 2017
Location: Mongolia
Summary
A Chinese state-linked hacking group known as APT27 compromised Mongolia's national data center through spear phishing and watering hole attacks, using the credentials of compromised employees to move into critical infrastructure. The attackers implanted malware across government websites hosted by the facility, enabling persistent espionage operations through a command-and-control server hosted on a compromised MikroTik router in Ukraine. The breach provided extensive access to sensitive government systems and data and coincided with heightened geopolitical tensions between Mongolia and China. Kaspersky researchers attributed the campaign to the financially motivated APT27 group, which has historically targeted government entities and defense contractors. The incident demonstrated an unusually direct compromise of a national data hub to facilitate widespread digital surveillance.
| Field | Value |
|---|---|
| CIA Posture | Available to members |
| Motives | 1 motive |
| Tactics, Techniques & Procedures | 2 techniques |
| Threat Actors | 2 actors |
| Type | Available to members |
| Location | Available to members |
Description
In late 2017, a Chinese state-linked hacking group known as APT27 (also tracked as Emissary Panda, Iron Panda, and LuckyMouse) breached Mongolia's national data center through a multi-stage cyber-espionage campaign. The initial intrusion occurred around October 2017, when attackers used watering hole attacks and spear phishing emails to compromise specific employees at the Mongolian government facility. After obtaining individual credentials, the threat actors escalated privileges to seize broader control over the data center's infrastructure. This access enabled them to covertly implant malware across government websites hosted by the facility. Researchers from Kaspersky Lab discovered the breach in March 2018 during routine threat analysis, identifying the attack infrastructure through forensic investigation. Technical evidence showed that the operation's command-and-control server resided on a compromised MikroTik router in Ukraine, which had been taken over through known MikroTik vulnerabilities that were publicly documented before the attack. APT27's historical activities included targeting U.S. defense contractors and engaging in both espionage and financially motivated operations.

The compromise of Mongolia's national data center represented a significant escalation due to the target's strategic value as a repository for government information and its role in hosting official websites. Successful infiltration provided APT27 with potential access to sensitive administrative data and the ability to manipulate web content across multiple government domains. The breach coincided with heightened political tensions between Mongolia and China in late 2017, a period marked by Mongolian President Khaltmaa Battulga's election campaign featuring anti-China rhetoric and Chinese President Xi Jinping's consolidation of power following his re-election. Kaspersky's investigation did not disclose specific containment measures taken by Mongolian authorities but confirmed the attribution through linguistic patterns, infrastructure analysis, and established behavioral fingerprints matching APT27's previous operations. No data exfiltration scope or downstream impacts on Mongolian citizens were detailed in the findings, though the compromise underscored the group's capability to penetrate critical national infrastructure for persistent access.
