Criminals with suspected ties to China and North Korea have been linked to ransomware and data encryption attacks targeting government and critical infrastructure sectors around the world between 2021 and 2023.
While one activity cluster was associated with ChamelGang (aka CamoFei), the second cluster overlaps with activities previously attributed to Chinese and North Korean state-sponsored groups, cybersecurity firms SentinelOne and Recorded Future said in a joint report shared with The Hacker News.
This includes the ChamelGang attacks targeting the All India Institute of Medical Sciences (AIIMS) and the Presidency of Brazil in 2022 using the CatB ransomware, as well as those aimed at a government organization in East Asia and an aviation organization in the Indian subcontinent in 2023.
“Threat entities in the cyberespionage ecosystem are engaging in an increasingly alarming trend of using ransomware as the final stage of their operations for financial gain, disruption, distraction, misappropriation or removal of evidence,” said security researchers Alexander Milenkoski and Julian-Ferdinand Voegele.
Ransomware attacks in this context not only provide an outlet for sabotage, but also allow threat actors to cover their tracks by destroying artifacts that might otherwise alert defenders to their presence.
ChamelGang, first documented by Positive Technologies in 2021, is assessed to be a China-affiliated group operating with motives as diverse as intelligence gathering, data theft, financial gain, denial-of-service (DoS) attacks, and information operations, according to Taiwanese cybersecurity firm TeamT5.
It is known to have a wide range of tools in its arsenal, including BeaconLoader, Cobalt Strike, backdoors such as AukDoor and DoorMe, and a strain of ransomware known as CatB, which has been identified as being used in attacks targeting Brazil and India, based on common features in the ransom note, contact email address format, cryptocurrency wallet address and file name extension of encrypted files.
Attacks observed in 2023 also used an updated version of BeaconLoader to launch Cobalt Strike for reconnaissance and post-exploitation activities such as dropping tools and exfiltrating the NTDS.dit database file.
Additionally, it’s worth noting that the custom malware used by ChamelGang, such as DoorMe and MGDrive (whose macOS variant is called Gimmick), has also been linked to other Chinese threat groups such as REF2924 and Storm Cloud, hinting again at the possibility of a “digital quartermaster providing individual operational groups with malicious programs.”
Another set of intrusions involves the use of Jetico’s BestCrypt and Microsoft’s BitLocker in cyberattacks affecting various industry verticals in North America, South America and Europe. It is believed that 37 organizations, mostly in the US manufacturing sector, were victims of the attacks.
The tactics observed by the two cybersecurity companies are consistent with those attributed to a Chinese hacking group dubbed APT41 and the North Korean actor known as Andariel, owing to the presence of tools such as the China Chopper web shell and a backdoor known as DTrack.
“The activity we observed is consistent with past intrusions using artifacts associated with suspected Chinese and North Korean APT clusters,” Milenkoski told The Hacker News, saying that visibility restrictions likely prevented detection of the malicious artifacts themselves.
“Our investigations and our review of previous research found no evidence of tools or other intrusion artifacts associated with suspected Chinese or North Korean APT groups concurrently present in the same target environments.”
SentinelOne went on to say that it cannot rule out the possibility that these actions are part of a broader cybercriminal scheme, especially given that nation-state actors also take part in financially motivated attacks from time to time.
“Cyber espionage operations disguised as ransomware activities enable adversary countries to claim plausible deniability by attributing actions to independent cybercriminal actors rather than state-sponsored actors,” the researchers said.
“The use of ransomware by cyber espionage threat groups blurs the lines between cyber crime and cyber espionage, giving adversaries both strategic and operational advantages.”
(The story was updated after publication to include a response from SentinelOne.)