Chinese state-backed hackers APT27, also known as Iron Tiger, have developed a malware toolkit called SysUpdate that targets devices running on the Linux operating system. The criminals, who specialise in cyber espionage, are part of a Chinese cybercrime syndicate called TiltedTemple that has been going after targets across Europe.

Chinese APT gang Iron Tiger releases new malware targeting devices operating Linux. (Photo by Telly/Shutterstock)

Earlier versions of the malware toolkit SysUpdate are designed to evade security software and resist reverse engineering, and this latest version could be more dangerous than ever, new research suggests.

Chinese APT cyber espionage gang releases malware tool

The Chinese cyber espionage gang is also tracked as Bronze Union, Emissary Panda and Lucky Mouse, and is known to use another Linux malware called rshell, as well as SysUpdate. 

The new malware variant now uses five files in its infection routine instead of the usual three. A report by security company Trend Micro details that some of the other rootkits APT27 uses are also new.

SysUpdate has fallen out of favour among hackers in recent years, the report says, but has now been uncovered once more with new and improved Linux capabilities. This could be in part due to the current resurgence in popularity of malware targeting Linux, which can be found on the majority of the world’s mobile devices as well as PCs.

APT27: ‘Iron Tiger’ back in the spotlight

Iron Tiger is known for carrying out cyber espionage on behalf of the Chinese government. It was first spotted in 2009 and typically targets governments, defence companies and critical national infrastructure in Asia, America and the Middle East.

It operates as part of a larger syndicate of Chinese cyber espionage gangs called TiltedTemple, another member of which has recently been uncovered in a spear phishing attack on Belgian MP Samuel Cogolati. 

The MP was reportedly targeted in January 2021 while writing a resolution to warn of “crimes against humanity” against Uyghur Muslims in China. The Belgian Centre for Cyber Security Belgium (CCB) wrote that the MP had probably been infected by the specific Chinese cybercriminal, a move that was seen uncharacteristically bold as it called out the Chinese hackers directly.

The European Union Agency for Cybersecurity (ENISA) echoed this last month by publishing a warning against all of the members of the syndicate, stating that China allowed its cybercrime gangs to target the European Union. 

The warning says Belgium urged Chinese authorities to take action against malicious cyber activities undertaken by Chinese cybercriminals. These activities can be “linked to the hacker groups known as APT27, APT30, APT31 and GALLIUM,” all of which are members of TiltedTemple, the report adds.

“These threat actors present important and ongoing threats to the European Union,” it says. “Recent operations pursued by these actors focused mainly on information theft, primarily via establishing persistent footholds within the network infrastructure of organisations of strategic relevance.”

Read more: What is the NSA actually doing in China?