Chinese and N. Korean Hackers Target Global Infrastructure with Ransomware

Threat actors with suspected ties to China and North Korea have been linked to ransomware and data encryption attacks targeting government and critical infrastructure sectors across the world between 2021 and 2023.

While one cluster of activity has been associated with the ChamelGang (aka CamoFei), the second cluster overlaps with activity previously attributed to Chinese and North Korean state-sponsored groups, cybersecurity firms SentinelOne and Recorded Future said in a joint report shared with The Hacker News.

This includes ChamelGang’s attacks aimed at the All India Institute of Medical Sciences (AIIMS) and the Presidency of Brazil in 2022 using CatB ransomware, as well as those targeting a government entity in East Asia and an aviation organization in the Indian subcontinent in 2023.

“Threat actors in the cyber espionage ecosystem are engaging in an increasingly disturbing trend of using ransomware as a final stage in their operations for the purposes of financial gain, disruption, distraction, misattribution, or removal of evidence,” security researchers Aleksandar Milenkoski and Julian-Ferdinand Vögele said.

Ransomware attacks in this context not only serve as an outlet for sabotage but also allow threat actors to cover up their tracks by destroying artifacts that could otherwise alert defenders to their presence.

ChamelGang, first documented by Positive Technologies in 2021, is assessed to be a China-nexus group that operates with motivations as varied as intelligence gathering, data theft, financial gain, denial-of-service (DoS) attacks, and information operations, according to Taiwanese cybersecurity firm TeamT5.

It’s known to possess a wide range of tools in its arsenal, including BeaconLoader, Cobalt Strike, backdoors like AukDoor and DoorMe, and a ransomware strain known as CatB, which has been identified as used in attacks targeting Brazil and India based on commonalities in the ransom note, the format of the contact email address, the cryptocurrency wallet address, and the filename extension of encrypted files.

Attacks observed in 2023 have also leveraged an updated version of BeaconLoader to deliver Cobalt Strike for reconnaissance and post-exploitation activities such as dropping additional tooling and exfiltrating NTDS.dit database file.

Furthermore, it’s worth pointing out that the custom malware put to use by ChamelGang such as DoorMe and MGDrive (whose macOS variant is called Gimmick) have also been linked to other Chinese threat groups like REF2924 and Storm Cloud, once again alluding to the possibility of a “digital quartermaster supplying distinct operational groups with malware.”

The other set of intrusions involves the use of Jetico BestCrypt and Microsoft BitLocker in cyber attacks affecting various industry verticals in North America, South America, and Europe. As many as 37 organizations, predominantly the U.S. manufacturing sector, are estimated to have been targeted.

The tactics observed, per the two cybersecurity companies, are consistent with those attributed to a Chinese hacking crew dubbed APT41 and a North Korean actor known as Andariel, owing to the presence of tools like the China Chopper web shell and a backdoor known as DTrack.

“The activities we observed overlap with past intrusions involving artifacts associated with suspected Chinese and North Korean APT clusters,” Milenkoski told The Hacker News, stating visibility limitations have likely prevented detecting the malicious artifacts themselves.

“Our investigations and our review of previous research did not reveal evidence of tooling or other intrusion artifacts associated with suspected Chinese or North Korean APT groups being present concurrently in the same targeted environments.”

SentinelOne further said it cannot exclude the possibility that these activities are part of a broader cybercriminal scheme, particularly given that nation-state actors have also taken part in financially motivated attacks from time to time.

“Cyber espionage operations disguised as ransomware activities provide an opportunity for adversarial countries to claim plausible deniability by attributing the actions to independent cybercriminal actors rather than state-sponsored entities,” the researchers said.

“The use of ransomware by cyber espionage threat groups blurs the lines between cybercrime and cyber espionage, providing adversaries with advantages from both strategic and operational perspectives.”

(The story was updated after publication to include a response from SentinelOne.)

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.