Chinese Hackers Use Ransomware as Decoy for Cyber Espionage
Two Chinese hacking groups conducting cyber espionage and stealing intellectual property from Japanese and western companies are deploying ransomware as a decoy to cover up their malicious activities.
Threat analysts from Secureworks say that the use of ransomware in espionage operations is done to obscure their tracks, make attribution harder, and create a powerful distraction for defenders.
Finally, the exfiltration of the sensitive information is masked as financially-motivated attacks, which isn’t the case with Chinese government-sponsored threat groups.
Strange ransomware activity
The two clusters of hacking activity analyzed by Secureworks are “Bronze Riverside” (APT41) and “Bronze Starlight” (APT10), both using the HUI Loader to deploy remote access trojans, PlugX, Cobalt Strike, and QuasarRAT.
Starting in March 2022, “Bronze Starlight” leveraged Cobalt Strike to deploy ransomware strains such as LockFile, AtomSilo, Rook, Night Sky, and Pandora.
Also Read: The impact of GDPR and PDPA in Singapore
In these attacks, the hackers also used a new version of HUI Loader, which is capable of hooking Windows API calls and disable Event Tracing for Windows (ETW) and Antimalware Scan Interface
The configuration of Cobalt Strike beacons in three distinct attacks using AtomSilo, Night Sky, and Pandora revealed a shared C2 address. Additionally, the same source was used for uploading HUI Loader samples on Virus Total this year.
The activity and victimology of LockFile, AtomSilo, Rook, Night Sky, and Pandora are unsual compared to financially motivated ransomware operations, targeting a small number of victims over a brief period and then abandon the project altogether.
Secureworks also comments that there are code overlaps between Pandora and the latest version of HUI Loader, so this loose connection might point to a common group.
LockFile and AtomSilo also appear to be very similar, while Night Sky, Pandora, and Rook were all derived from Babuk source code and also feature extensive similarities in their code.
These five ransomware operations didn’t leave a mark in the cybercrime community and never really grew to become a significant threat. Also, they were all deserted somewhat prematurely.
That said, “Bronze Starlight” might be creating short-lived ransomware strains only to mask its cyber-espionage operations as ransomware attacks, reducing the chances of dealing with the ramifications of accurate attribution.
Since all of the discussed ransomware strains are based on publicly available or leaked code, and Chinese threat groups are known for sharing backdoors and infrastructure, nothing can be said with certainty.
However, Securework’s findings are interesting and constitute another reason defenders should set up robust ransomware detection and protection mechanisms and thoroughly inspect all systems post-cleanup.
While it is unclear if these ransomware families were developed as decoys to hide other malicious activity, it would not be the first time ransomware was used this way.
In 2018, threat actors deployed a disk-wiping malware on hundreds of computers at a Chilean bank to distract staff while attempting to steal money via the SWIFT money transferring system.
More recently, fake ransomware known as HermeticWiper was deployed on Ukrainian networks a day before Russia invaded the country.