The APT group targeting Mongolia's government

Threat Intelligence Team, 10 December 2020

LuckyMouse, an APT group using new and advanced tactics to access sensitive government data, could be behind the attack

Our team has identified a new advanced persistent threat (APT) campaign targeting government agencies and a government data center in Mongolia.

The APT group planted backdoors and keyloggers to gain long-term access to government networks and then uploaded a variety of tools that they used to perform additional activities on the compromised networks, such as scanning of the local network and dumping credentials. We presume that the main aim of cyber-espionage was the exfiltration of sensitive data from potentially interesting government agencies.

LuckyMouse, also known as EmissaryPanda and APT27, is likely to be behind the APT campaign. The group has previously attacked targets in the area and is well known for going after national resources and political information on near neighbors. 

What is an APT group?

APT groups are malicious organizations that target national information assets crucial to a country’s economy and infrastructure. APT groups are elusive, organized, and highly skilled at what they do. It’s not uncommon for APT attackers to carry out cyberattacks on a longer-term basis than other types of cybercriminals, meaning that numerous attacks from the same APT group could resurface over the course of months or even years.

Details of the cyberattack

Following our research and analysis, we noticed that the group has updated their tactics. For this attack, the group used both keyloggers and backdoors to upload a variety of tools that they used to scan the target network and dump credentials. They used this to access sensitive government data.

The APT group gained access to the infrastructure of government institutions in two ways: through a vulnerable company that was providing services to the government, and through malicious email attachments, which were weaponized documents exploiting the unpatched CVE-2017-11882 vulnerability.

“The APT group Lucky Mouse has been active since autumn 2017 and has been able to avoid Avast’s attention during the last two years due to their evolving techniques and marked change of tactics,” says Luigino Camastra, malware researcher at Avast. “We were able to detect their new tactics to discover this campaign targeting the Mongolian government, showing how they’ve scaled their operations to be more advanced to gain longer term access to sensitive data.”

Using the samples that our team analyzed, we protected the users in the government institution and national data center from further attacks.


For an in-depth look at this APT group attack, check out a detailed technical summary on Avast Decoded.
