Chinese State Actors Use Ransomware to Conceal Real Intent

Chinese APT groups with likely state backing are using ransomware in attacks to throw cybersecurity researchers off the scent and hide their true intent of cyber-espionage, a new report has warned.

SentinelLabs and Recorded Future have analyzed several intrusions over the past three years and tied them back to two umbrella groups.

The first, dubbed ChamelGang (aka CamoFei), is a suspected Chinese APT group that targeted government and critical infrastructure organizations in East Asia and India, as well as the Presidency of Brazil – deploying the CatB ransomware variant.

The attack on the Presidency of Brazil was originally, and incorrectly, attributed to the TeslaCrypt ransomware; according to the report it was in fact a more sophisticated espionage operation, with the ransomware serving as cover.

The second cluster used artifacts associated with suspected Chinese and North Korean APT groups. Rather than custom ransomware, these actors used the off-the-shelf encryption tools BestCrypt and Microsoft's built-in BitLocker to encrypt data at victim organizations in multiple industries across North America, South America and Europe, primarily the US manufacturing sector.
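Because BitLocker and BestCrypt are legitimate tools, their abuse does not trip signature-based ransomware detections; it has to be found in process telemetry. The following is an added example, not code from the report or from SentinelLabs or Recorded Future, showing how a detection engineer might sweep Sysmon-style process-creation events for encryption being enabled from the command line, recovery protectors being removed, or a BestCrypt binary running. The hostnames, users, paths and the `BestCrypt` path substring are constructed assumptions for illustration; the `manage-bde` switches and the `Enable-BitLocker` cmdlet are real Windows interfaces.

```python
"""Flag abuse of legitimate disk-encryption tools in process-creation telemetry.

Added example, not code from the report. Sample events, hostnames and the
BestCrypt path match are assumptions made for illustration.
"""
import json
import re
from collections import defaultdict

# Constructed sample telemetry in a Sysmon Event ID 1-like JSON-lines shape.
_EVENTS = [
    {"host": "FS01", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\manage-bde.exe",
     "cmdline": "manage-bde.exe -on D: -UsedSpaceOnly -RecoveryPassword",
     "parent": "C:\\Windows\\System32\\cmd.exe"},
    {"host": "FS01", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\manage-bde.exe",
     "cmdline": "manage-bde.exe -protectors -delete D:",
     "parent": "C:\\Windows\\System32\\cmd.exe"},
    {"host": "WS17", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\manage-bde.exe",
     "cmdline": "manage-bde.exe -status",  # read-only query, should not fire
     "parent": "C:\\Windows\\explorer.exe"},
    {"host": "DB02", "user": "CORP\\admin",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command \"Enable-BitLocker -MountPoint E: -PasswordProtector -Password $p\"",
     "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},  # remote WMI execution
    {"host": "MFG03", "user": "CORP\\opc_svc",
     "image": "C:\\Users\\Public\\BestCrypt\\bcve.exe",  # assumed path/name
     "cmdline": "bcve.exe /encrypt F:",
     "parent": "C:\\Windows\\System32\\cmd.exe"},
    {"host": "WS21", "user": "CORP\\helpdesk",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe Get-BitLockerVolume",  # benign inventory query
     "parent": "C:\\Windows\\explorer.exe"},
]
LOG_LINES = [json.dumps(e) for e in _EVENTS]

# (rule name, severity, pattern applied to "<image> <cmdline>")
RULES = [
    ("bitlocker_enable_cli", "high",
     re.compile(r"manage-bde(\.exe)?\b.*\s-on\b", re.I)),
    ("bitlocker_protector_removal", "high",
     re.compile(r"manage-bde(\.exe)?\b.*-protectors\b.*-delete\b", re.I)),
    ("bitlocker_enable_powershell", "high",
     re.compile(r"\bEnable-BitLocker\b", re.I)),
    ("bestcrypt_execution", "medium",
     re.compile(r"bestcrypt", re.I)),  # assumption: vendor name in image path
]

# Parents that suggest scripted or remote execution rather than an admin at the console.
SCRIPTED_PARENTS = {"cmd.exe", "powershell.exe", "wmiprvse.exe", "psexesvc.exe", "wscript.exe"}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan(lines):
    """Return one finding per (event, rule) match; malformed lines are skipped."""
    findings = []
    for raw in lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # do not let one bad line abort the sweep
        haystack = f"{ev.get('image', '')} {ev.get('cmdline', '')}"
        for name, severity, pat in RULES:
            if pat.search(haystack):
                findings.append({
                    "host": ev.get("host"), "user": ev.get("user"),
                    "rule": name, "severity": severity,
                    "scripted": _basename(ev.get("parent", "")) in SCRIPTED_PARENTS,
                    "cmdline": ev.get("cmdline"),
                })
    return findings


def hosts_to_triage(findings):
    """Hosts with high-severity hits, most distinct rules first, ties by name."""
    per_host = defaultdict(set)
    for f in findings:
        if f["severity"] == "high":
            per_host[f["host"]].add(f["rule"])
    return sorted(per_host, key=lambda h: (-len(per_host[h]), h))


if __name__ == "__main__":
    hits = scan(LOG_LINES)
    for h in hits:
        print(h["host"], h["rule"], h["severity"], "scripted" if h["scripted"] else "")
    print("triage order:", hosts_to_triage(LOG_LINES and hits))
```

The two read-only queries (`-status`, `Get-BitLockerVolume`) produce no findings, while the file server that both enabled encryption and deleted its recovery protectors sorts to the top. In a real estate these rules need tuning against legitimate BitLocker deployment jobs, typically by excluding the deployment tool's parent process and service account rather than the command line itself.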

Using ransomware in this way lets hostile nations maintain plausible deniability for their attacks. It also degrades the situational awareness of victim countries, the report warned, because incidents that look like ordinary cybercrime are handled by law enforcement while espionage falls to intelligence agencies; unless the two work closely together, the connection between the cases is never made.

It also offers the threat actors themselves a potential financial reward for their efforts.

“This research highlights the strategic use of ransomware by cyber-espionage actors for financial gain, disruption, or as a tactic for distraction or misattribution. The use of ransomware as part of cyber-espionage activities may result in their misattribution as financially motivated operations,” the study claimed.

“To further misguide attribution efforts, APT groups may purchase ransomware shared by multiple cybercriminal actors. Ransomware also provides cover for the true motive behind the central component of cyber-espionage operations, data exfiltration, which is also carried out by ransomware actors that follow a multi-extortion model.”

The report’s authors urged law enforcement and intelligence agencies to engage in “sustained information exchange and collaboration” on any ‘ransomware’ attacks targeting government and critical infrastructure sectors.

“Efficient exchange of data and knowledge between the different entities handling cybercriminal and cyber-espionage incidents, detailed examination of observed artifacts, and analysis of the broader context surrounding incidents of this type are crucial towards identifying the true perpetrators, motive, and objectives,” they concluded.
