Chinese and North Korean Cybercriminals Target Global Infrastructure with Ransomware

Jun 26, 2024NewsroomCyber Attack / Malware


Threat actors with suspected ties to China and North Korea have been linked to ransomware and data-encryption attacks against government and critical infrastructure organizations around the globe between 2021 and 2023.

One cluster of intrusions has been attributed to ChamelGang (also known as CamoFei), while the other cluster overlaps with activity previously associated with Chinese and North Korean state-sponsored groups, according to a joint report by cybersecurity firms SentinelOne and Recorded Future that was shared with The Hacker News.

The activity includes ChamelGang's 2022 attacks on the All India Institute of Medical Sciences (AIIMS) and the Presidency of Brazil using CatB ransomware, as well as the targeting of a government organization in East Asia and an aviation company in the Indian subcontinent.


“In the cyber espionage landscape, threat actors are increasingly resorting to the use of ransomware as a final step in their activities for financial profits, interference, diversion, misattribution, or the elimination of evidence,” commented security analysts Aleksandar Milenkoski and Julian-Ferdinand Vögele.

In this context, ransomware not only serves as a means of sabotage but also lets the attackers destroy artifacts that would otherwise alert defenders to their presence.

First documented by Positive Technologies in 2021, ChamelGang is assessed to be a China-linked group that pursues a range of motives, including intelligence collection, data theft, financial gain, denial-of-service (DoS) attacks, and information operations, according to Taiwanese cybersecurity company TeamT5.

The group maintains a diverse toolset that includes BeaconLoader, Cobalt Strike, and backdoors such as AukDoor and DoorMe, along with a ransomware strain called CatB. Its use in the attacks on Brazil and India was attributed to the group based on similarities in the ransom notes, the email address format, the cryptocurrency wallet address, and the file extension of the encrypted data.

Intrusions in 2023 have also seen an updated version of BeaconLoader used to deliver Cobalt Strike for reconnaissance and post-exploitation tasks, such as deploying additional tooling and exfiltrating the NTDS.dit database file.

Moreover, custom malware used by ChamelGang, such as DoorMe and MGDrive (whose macOS variant is known as Gimmick), has also been linked to other Chinese threat groups, including REF2924 and Storm Cloud, hinting at a possible "digital quartermaster supplying distinct operational groups with malware."

The second cluster of intrusions involves the use of Jetico BestCrypt and Microsoft BitLocker to encrypt data in campaigns affecting a range of industry sectors in North America, South America, and Europe. Roughly 37 organizations, most of them in the U.S. manufacturing sector, are believed to have been targeted.


The tactics observed, according to the two firms, overlap with those attributed to the Chinese hacking group APT41 and the North Korean actor Andariel, owing to the use of tools such as the China Chopper web shell and a backdoor named DTrack.

“Ransomware activities disguised as cyber espionage operations offer a chance for adversarial nations to claim plausible deniability by attributing the deeds to independent cybercriminals rather than state-sponsored entities,” noted the researchers.

“By incorporating ransomware into cyber espionage operations, threat factions blur the boundaries between cybercrime and cyber espionage, providing them with advantages from both strategic and operational standpoints.”
