Chinese and North Korean Hackers Aim at Worldwide Infrastructure with Ransomware

Jun 26, 2024NewsroomCyber Attack / Malware

Suspected threat actors from China and North Korea have been linked to ransomware and data-encryption attacks on government and critical infrastructure sectors across the globe between 2021 and 2023.

One set of activity has been attributed to ChamelGang (also known as CamoFei), while the second cluster overlaps with past activity ascribed to Chinese and North Korean state-sponsored groups, according to a joint report by cybersecurity companies SentinelOne and Recorded Future that was shared with The Hacker News.

This includes ChamelGang's intrusions at the All India Institute of Medical Sciences (AIIMS) and the Presidency of Brazil in 2022 using CatB ransomware, as well as attacks on a government entity in East Asia and an aviation organization in the Indian subcontinent.


“In the cyber espionage domain, threat actors are increasingly resorting to ransomware as a final phase in their operations for purposes such as monetary gains, disruptions, diversions, misattribution, or eliminating evidence,” noted security analysts Aleksandar Milenkoski and Julian-Ferdinand Vögele.

In this scenario, ransomware attacks not only serve as a means of sabotage but also allow threat actors to hide their presence by destroying evidence that could otherwise alert defenders to the intrusion.

First documented by Positive Technologies in 2021, ChamelGang is assessed to be a China-nexus group engaged in a range of activities, including intelligence collection, data theft, financially motivated operations, denial-of-service (DoS) attacks, and information operations, according to Taiwanese cybersecurity firm TeamT5.

The group's arsenal includes BeaconLoader, Cobalt Strike, backdoors such as AukDoor and DoorMe, and a ransomware strain called CatB, which was identified as the tool used in the attacks on Brazil and India based on overlaps in the ransom note, the format of the contact email address, the cryptocurrency wallet address, and the encrypted file extension.

Attacks in 2023 also used an updated version of BeaconLoader to deliver Cobalt Strike for reconnaissance and post-exploitation activities, such as deploying additional tools and exfiltrating the NTDS.dit file, the Active Directory database that holds the domain's credential hashes.

In addition, custom malware used by ChamelGang, such as DoorMe and MGDrive (whose macOS version is known as Gimmick), has been linked to other Chinese threat groups such as REF2924 and Storm Cloud, raising the possibility of a “digital quartermaster supplying distinct operational groups with malware.”

The other set of intrusions involves the use of Jetico BestCrypt and Microsoft BitLocker, both legitimate disk-encryption tools, in attacks affecting a range of industry sectors in North America, South America, and Europe. About 37 organizations, mostly in the U.S. manufacturing sector, are believed to have been targeted.
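The two behaviours described in the preceding paragraphs, NTDS.dit extraction and the repurposing of legitimate encryption tooling, are both visible in process-creation telemetry. The following Python sketch is an added example, not code from the article or from the SentinelOne/Recorded Future report, and shows detection logic run over constructed process-creation log lines (Windows Security 4688 / Sysmon Event ID 1 style). Host names, account names, file paths, the allowlisted service account, and the BestCrypt executable name are assumptions chosen for illustration.

```python
"""
Added detection sketch (not from the article or the SentinelOne/Recorded Future
report): flag two behaviours in process-creation logs (Windows Security 4688 /
Sysmon Event ID 1 style) -- extraction of the Active Directory database NTDS.dit,
and use of disk-encryption tooling (BitLocker's manage-bde, Jetico BestCrypt)
that the report says was repurposed for ransomware.
"""
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    user: str
    command: str


# A rule is (name, predicate over the lower-cased image path and command line).
Rule = Tuple[str, Callable[[str, str], bool]]

NTDS_RULES: List[Rule] = [
    # ntdsutil "ac i ntds" "ifm" "create full <dir>" writes NTDS.dit + SYSTEM hive to <dir>
    ("ntdsutil_ifm", lambda img, cmd: img.endswith("ntdsutil.exe")
     and "ntds" in cmd and "ifm" in cmd),
    # manual route: snapshot the volume, then copy ntds.dit out of the shadow copy
    ("vss_shadow_create", lambda img, cmd: img.endswith("vssadmin.exe")
     and re.search(r"create\s+shadow", cmd) is not None),
    ("ntds_dit_copy", lambda img, cmd: "ntds.dit" in cmd),
]

ENCRYPTION_RULES: List[Rule] = [
    # manage-bde -on starts BitLocker on a volume; -protectors -add changes who can unlock it
    ("bitlocker_enable", lambda img, cmd: img.endswith("manage-bde.exe")
     and re.search(r"\s-on\s|-protectors\s+-add", cmd) is not None),
    # Jetico BestCrypt: matched on install directory; binary names vary by product (assumption)
    ("bestcrypt_cli", lambda img, cmd: "\\jetico\\bestcrypt\\" in img),
]

# Constructed sample events: "<timestamp>|<host>|<user>|<image>|<command line>".
# Hosts, accounts, paths and the BestCrypt binary name are illustrative, not real data.
SAMPLE_LOG = r"""
2023-05-11T02:14:07Z|DC01|CORP\svc-backup|C:\Windows\System32\ntdsutil.exe|ntdsutil "ac i ntds" "ifm" "create full C:\temp\x" q q
2023-05-11T02:14:09Z|DC01|CORP\svc-backup|C:\Windows\System32\vssadmin.exe|vssadmin create shadow /for=C:
2023-05-11T02:15:31Z|DC01|CORP\svc-backup|C:\Windows\System32\cmd.exe|cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit C:\temp\n.dit
2023-05-11T03:02:12Z|WS09|CORP\svc-mdm|C:\Windows\System32\manage-bde.exe|manage-bde -on C: -RecoveryPassword -SkipHardwareTest
2023-05-11T03:05:44Z|FS02|CORP\jdoe|C:\Windows\System32\manage-bde.exe|manage-bde -on D: -pw -UsedSpaceOnly
2023-05-11T03:40:55Z|WS17|CORP\alice|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|"WINWORD.EXE" /n report.docx
2023-05-11T04:01:03Z|FS03|CORP\jdoe|C:\Program Files\Jetico\BestCrypt\bestcrypt.exe|bestcrypt.exe --encrypt E:
"""

# Accounts permitted to run encryption tooling (e.g. an MDM/provisioning service); assumption.
ALLOWLIST = ("CORP\\svc-mdm",)


def parse_line(line: str) -> Optional[dict]:
    """Split one pipe-delimited event; return None for malformed or empty lines."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    ts, host, user, image, cmd = parts
    return {"ts": ts, "host": host, "user": user, "image": image, "cmd": cmd}


def evaluate(event: dict, allowlist: Iterable[str] = ()) -> List[Alert]:
    """Apply both rule sets to one event. The allowlist only suppresses encryption
    tooling: no routine job should touch NTDS.dit from a shell, so those always fire."""
    img = event["image"].lower()
    cmd = event["cmd"].lower()
    alerts = [Alert(name, event["host"], event["user"], event["cmd"])
              for name, pred in NTDS_RULES if pred(img, cmd)]
    if event["user"].lower() not in {a.lower() for a in allowlist}:
        alerts += [Alert(name, event["host"], event["user"], event["cmd"])
                   for name, pred in ENCRYPTION_RULES if pred(img, cmd)]
    return alerts


def scan(log_text: str, allowlist: Iterable[str] = ()) -> List[Alert]:
    """Run the detector over a whole log, skipping lines that do not parse."""
    allow = frozenset(a.lower() for a in allowlist)
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is not None:
            alerts.extend(evaluate(event, allow))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG, ALLOWLIST):
        print(f"[{a.rule}] {a.host} {a.user}: {a.command}")
```

Against the constructed log the scan raises five alerts: three for the NTDS.dit dump chain on DC01 and two for encryption tooling run by a non-allowlisted user, while the provisioning account's manage-bde run is suppressed. The split into two rule sets is deliberate: encryption tools have legitimate operators and need tuning per environment, whereas copying NTDS.dit has no benign interactive use on a domain controller.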


The observed tactics, the two firms said, overlap with those attributed to a Chinese hacking group tracked as APT41 and a North Korean actor known as Andariel, based on the presence of tools such as the China Chopper web shell and a backdoor called DTrack.

“By camouflaging cyber espionage actions as ransomware operations, hostile nations can claim innocence by attributing the deeds to autonomous cyber criminal entities rather than government-sponsored groups,” the investigators commented.

“The utilization of ransomware by cyber espionage threat factions muddles the divide between cyber criminality and cyber espionage, providing adversaries with benefits from strategic and operational viewpoints.”
