Chinese and N. Korean Hackers Target Global Infrastructure with Ransomware

Jun 26, 2024 | Newsroom | Cyber Attack / Malware

Threat actors suspected of links to China and North Korea have been tied to ransomware and data-encryption attacks against government and critical-infrastructure organizations worldwide between 2021 and 2023.

One cluster of activity is attributed to ChamelGang (also known as CamoFei), while the second overlaps with activity previously linked to Chinese and North Korean state-sponsored groups, cybersecurity firms SentinelOne and Recorded Future said in a joint report shared with The Hacker News.

These include ChamelGang's 2022 attacks on the All India Institute of Medical Sciences (AIIMS) and the Presidency of Brazil using CatB ransomware, as well as the targeting of a government entity in East Asia and an aviation organization in the Indian subcontinent.

“Threat actors within the cyber espionage realm are participating in an increasingly concerning pattern of employing ransomware as a final phase in their operations for financial gain, disruption, diversion, misattribution, or elimination of evidence,” security researchers Aleksandar Milenkoski and Julian-Ferdinand Vögele said.

In this scenario, ransomware serves not only as a tool for sabotage but also as a way for the actors to cover their tracks, destroying forensic artifacts that would otherwise alert defenders to their presence.

ChamelGang, first documented by Positive Technologies in 2021, is assessed to be a China-nexus group whose motivations range from intelligence gathering and data theft to financial gain, denial-of-service (DoS) attacks, and information operations, according to Taiwanese cybersecurity company TeamT5.

The group is known to use a diverse toolset that includes BeaconLoader, Cobalt Strike, backdoors such as AukDoor and DoorMe, and a ransomware strain called CatB. CatB has been attributed to the attacks on Brazil and India on the basis of overlaps in the ransom note, the format of the contact email address, the cryptocurrency wallet address, and the file extension appended to encrypted files.

Intrusions observed in 2023 have also used an updated version of BeaconLoader to deliver Cobalt Strike for reconnaissance and post-exploitation activity, such as dropping additional tooling and dumping the NTDS.dit Active Directory database, which holds the password hashes for every account in the domain.

It is also worth noting that custom malware used by ChamelGang, such as DoorMe and MGDrive (whose macOS version is known as Gimmick), has been linked to other Chinese threat groups such as REF2924 and Storm Cloud, once again pointing to the likely existence of a “digital quartermaster supplying distinct operational groups with malware.”

The second set of intrusions involves the abuse of two legitimate encryption tools, Jetico BestCrypt and Microsoft BitLocker, to encrypt victims' own systems in attacks affecting multiple industry sectors across North America, South America, and Europe. An estimated 37 organizations, predominantly in the U.S. manufacturing sector, are believed to have been targeted.

The tactics observed, according to the two companies, align with those of the China-based hacking group APT41 and the North Korean actor Andariel, owing to the presence of tools such as the China Chopper web shell and a backdoor called DTrack.

“Cyber espionage operations masked as ransomware activities offer an avenue for adversarial nations to declare plausible deniability by attributing the actions to independent cybercriminal actors instead of state-sponsored entities,” the researchers remarked.

“The employment of ransomware by cyber espionage threat factions blurs the boundaries between cybercrime and cyber espionage, offering adversaries advantages from both strategic and operational standpoints.”
