Chinese APT Groups Use Ransomware for Espionage and Diversion

Cyberespionage groups are increasingly using ransomware not just for financial gain but also as a tactic to complicate attack attribution, distract defenders, or serve as a secondary objective to data theft. A recent report highlights the activities of ChamelGang, a suspected Chinese advanced persistent threat (APT) group, which uses the CatB ransomware strain to target high-profile organizations globally.

ChamelGang's Attack Strategy

ChamelGang, also referred to as CamoFei, conducted operations targeting government bodies and critical infrastructure entities between 2021 and 2023. The group employs sophisticated techniques for initial access, reconnaissance, lateral movement, and data exfiltration.

One notable attack occurred in November 2022, targeting the Presidency of Brazil and compromising 192 computers. The attackers used standard reconnaissance tools to map the network and gather information on critical systems. In the final stage of the attack, ChamelGang deployed CatB ransomware, leaving ransom notes at the beginning of each encrypted file and providing a ProtonMail address for contact and a Bitcoin address for payment.

Broader Impact and Attribution

In another significant incident in late 2022, ChamelGang breached the All India Institute of Medical Sciences (AIIMS), causing major disruptions in healthcare services by deploying CatB ransomware. Researchers believe that attacks on a government entity in East Asia and an aviation organization in the Indian subcontinent were also executed by ChamelGang, based on known tactics, techniques, and procedures (TTPs), publicly available tools seen in previous engagements, and their custom malware BeaconLoader.

Alternative Ransomware Tactics

A separate cluster of activities observed involves using Jetico BestCrypt and Microsoft BitLocker instead of CatB ransomware. These intrusions impacted 37 organizations, mostly in North America, with other victims in South America and Europe.

Comparative analysis with reports from other cybersecurity companies revealed overlaps with past intrusions linked to suspected Chinese and North Korean APTs. Typically, BestCrypt was used to target server endpoints in an automated, serial encryption manner, while BitLocker was deployed against workstations, each with unique recovery passwords.

Operational Tactics and Tools

The attackers utilized the China Chopper webshell, a custom variant of the miPing tool, and leveraged Active Directory Domain Controllers (DCs) as footholds. These attacks lasted an average of nine days, with some incidents lasting just a few hours, indicating a high level of familiarity with the targeted environments.

Strategic Benefits of Ransomware in Cyberespionage

Using ransomware in cyberespionage provides strategic and operational benefits, blurring the lines between APT and cybercriminal activity, leading to potential misattribution and concealing the primary goal of data collection. This tactic represents a shift in adversary strategies to cover their tracks while still achieving their objectives.

Conclusion

Attributing past ransomware incidents to cyberespionage groups like ChamelGang highlights the evolving tactics of threat actors. By staying vigilant and implementing comprehensive cybersecurity measures, organizations can better protect themselves from these sophisticated attacks.

About Foresiet!

Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.