# German govt warns of APT27 hackers backdooring business networks

**[bleepingcomputer.com/news/security/german-govt-warns-of-apt27-hackers-backdooring-business-networks/](https://www.bleepingcomputer.com/news/security/german-govt-warns-of-apt27-hackers-backdooring-business-networks/)**

By [Sergiu Gatlan](https://www.bleepingcomputer.com/author/sergiu-gatlan/), January 26, 2022 08:00 AM

The BfV, Germany's domestic intelligence service (short for Bundesamt für Verfassungsschutz), warns of ongoing attacks coordinated by the Chinese-backed hacking group APT27. The active campaign targets German commercial organizations, with the attackers using the HyperBro remote access trojan (RAT) to backdoor their networks.

[HyperBro helps the threat actors maintain persistence on the victims' networks by acting as](https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperbro) an in-memory backdoor with remote administration capabilities.

The agency said the group's goal is to steal sensitive information, and that it may also try to reach the victims' customers in supply chain attacks.

"The Federal Office for the Protection of the Constitution (BfV) has information about an ongoing cyber espionage campaign by the cyber attack group APT27 using the malware variant HYPERBRO against [German commercial companies," the BfV said.](https://www.verfassungsschutz.de/SharedDocs/kurzmeldungen/DE/2022/2022-01-26-cyberbrief.html) "It cannot be ruled out that the actors, in addition to stealing business secrets and intellectual property, also try to infiltrate the networks of (corporate) customers or service providers (supply chain attack)."
[The BfV also published indicators of compromise (IOCs) and YARA rules to help targeted](https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2022-01-bfv-cyber-brief.pdf) German organizations check for HyperBro infections and for connections to APT27 command-and-control (C2) servers.

_HyperBro infection chain (BfV)_

## Breaching networks via Zoho and Exchange servers

[APT27 (also tracked as TG-3390, Emissary Panda, BRONZE UNION, Iron Tiger, and](https://attack.mitre.org/groups/G0027/) LuckyMouse) is a Chinese state-sponsored threat group active since at least 2010 and known for its focus on information theft and cyberespionage campaigns.

The German intelligence agency says APT27 has been exploiting flaws in Zoho ManageEngine ADSelfService Plus, an enterprise self-service password management and single sign-on product for Active Directory and cloud apps, since March 2021.

This aligns with earlier reports of Zoho ManageEngine installations being targeted in multiple campaigns during 2021 by nation-state hackers using tactics and tooling similar to APT27's.

The attackers first used an [ADSelfService Plus zero-day exploit until mid-September, then switched to an](https://www.bleepingcomputer.com/news/security/fbi-and-cisa-warn-of-state-hackers-exploiting-critical-zoho-bug/) [n-day ADSelfService Plus exploit, and began exploiting a ServiceDesk Plus bug on](https://www.bleepingcomputer.com/news/security/state-hackers-breach-defense-energy-healthcare-orgs-worldwide/) October 25.

_Zoho ManageEngine campaigns (Unit 42)_

In these attacks, the group compromised at least nine organizations in critical sectors worldwide, including defense, healthcare, energy, technology, and education, according to Palo Alto Networks' Unit 42 researchers.
[In light of these campaigns, the FBI and CISA issued joint advisories (1,](https://us-cert.cisa.gov/ncas/alerts/aa21-259a) [2) warning of APT](https://us-cert.cisa.gov/ncas/alerts/aa21-336a) actors exploiting ManageEngine flaws to drop web shells on the networks of breached critical infrastructure organizations.

APT27 and other Chinese-backed hacking groups were also linked to the early-March 2021 attacks exploiting the critical ProxyLogon bugs, which let them take over unpatched Microsoft Exchange servers worldwide and steal data from them.

The US and its allies (the European Union, the United Kingdom, and NATO) officially blamed China in July 2021 for that widespread Microsoft Exchange hacking campaign.
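The BfV's IOCs and YARA rules only help if they are actually run against an organization's own telemetry. The script below is an added example (not code from the article or from the BfV brief) of the simplest form of that check: matching a published indicator list against proxy logs and a file-hash inventory. Every indicator value, log line and file path in it is a constructed placeholder (an RFC 5737 test address, reserved example domains, the hash of a throwaway string); the real values are the ones in the BfV PDF.

```python
"""Match a published IOC list against proxy logs and a file-hash inventory.

Added example, not code from the BfV brief or from the article. Every
indicator and log line below is CONSTRUCTED (RFC 5737 test address,
RFC 2606 reserved domain, hash of a throwaway string); load the values
from the BfV PDF in place of IOC_CSV before using this on real telemetry.
"""
import csv
import hashlib
import io
from urllib.parse import urlsplit

# Hash of a placeholder byte string, standing in for a real sample hash.
_SAMPLE_HASH = hashlib.sha256(b"constructed placeholder, not a real sample").hexdigest()

# Constructed IOC list in the usual three-column shape: type,value,note.
IOC_CSV = f"""type,value,note
ipv4,192.0.2.45,constructed C2 address (TEST-NET-1)
domain,update.example.net,constructed C2 domain
sha256,{_SAMPLE_HASH},constructed sample hash
"""

# Constructed proxy log: timestamp client-ip method url-or-connect-target status.
PROXY_LOG = """\
2022-01-26T08:00:01Z 10.1.2.3 CONNECT update.example.net:443 200
2022-01-26T08:00:05Z 10.1.2.3 GET http://192.0.2.45/api/v1/sync 200
2022-01-26T08:00:09Z 10.1.2.7 GET https://www.example.com/index.html 200
2022-01-26T08:00:12Z 10.1.2.9 CONNECT cdn.update.example.net:443 200
2022-01-26T08:00:15Z 10.1.2.9 GET https://notupdate.example.net/ 200
"""

# Constructed file inventory (sha256 path), as an EDR export might provide.
FILE_INVENTORY = f"""\
{_SAMPLE_HASH} C:\\Users\\Public\\sample.bin
{'0' * 64} C:\\Windows\\System32\\notepad.exe
"""


def load_iocs(csv_text):
    """Group indicator values by type (lower-cased, so matching is case-insensitive)."""
    iocs = {"ipv4": set(), "domain": set(), "sha256": set()}
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind = row["type"].strip().lower()
        if kind in iocs:
            iocs[kind].add(row["value"].strip().lower())
    return iocs


def host_of(url):
    """Bare host from a full URL or from a CONNECT target of the form host:port."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat the whole string as a netloc
    return (urlsplit(url).hostname or "").lower()


def matching_domain(host, domains):
    """Indicator that host equals or is a subdomain of, else None.

    Compares on label boundaries so that notupdate.example.net does not
    match update.example.net, while cdn.update.example.net does.
    """
    for indicator in domains:
        if host == indicator or host.endswith("." + indicator):
            return indicator
    return None


def scan_proxy_log(log_text, iocs):
    """Return one hit dict per log line whose destination is a listed IP or domain."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip it rather than abort the scan
        ts, client, _method, url, _status = fields[:5]
        host = host_of(url)
        if host in iocs["ipv4"]:
            hits.append({"ts": ts, "client": client, "type": "ipv4", "indicator": host})
            continue
        indicator = matching_domain(host, iocs["domain"])
        if indicator:
            hits.append({"ts": ts, "client": client, "type": "domain", "indicator": indicator})
    return hits


def scan_file_inventory(inventory_text, iocs):
    """Return one hit dict per inventory line whose sha256 is a listed hash."""
    hits = []
    for line in inventory_text.splitlines():
        digest, _, path = line.partition(" ")
        if digest.lower() in iocs["sha256"]:
            hits.append({"path": path, "type": "sha256", "indicator": digest.lower()})
    return hits


if __name__ == "__main__":
    iocs = load_iocs(IOC_CSV)
    for hit in scan_proxy_log(PROXY_LOG, iocs) + scan_file_inventory(FILE_INVENTORY, iocs):
        print(hit)
```

Two caveats a responder should keep in mind. Domain matching has to respect label boundaries: a lookalike such as notupdate.example.net must not fire on an indicator of update.example.net, while cdn.update.example.net should. And because HyperBro runs as an in-memory backdoor, a disk-hash match can at best catch a loader or a dropped component; the YARA rules from the brief should also be run against process memory (the yara command accepts a process id in place of a file, and most EDR products can scan memory with custom rules), otherwise a live infection that left nothing suspicious on disk is missed.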