Chinese Hackers Use Ransomware As a Cover for Espionage

Chinese hackers and espionage

Secureworks experts have found that Chinese hackers from two groups that specialize in espionage and theft of intellectual property from Japanese and Western companies use ransomware to hide their actions.

Let me remind you that we also wrote that Chinese Hacker Group Revealed after a Decade of Undetected Espionage, and also that Chinese Hackers Attack 0-day Follina Vulnerability.

Analysts write that the use of ransomware in spying campaigns allows hiding traces, complicate the attribution of attacks and distracts the attention of IT specialists of the victim company. In addition, in this way the theft of confidential information is disguised as financially motivated attacks.

Chinese hackers and espionage

A similar disguising method is practiced by Bronze Riverside (APT41) and Bronze Starlight (APT10). Both use the HUI loader to deploy remote access Trojans, PlugX, Cobalt Strike, and QuasarRAT.

Starting in March 2022, the Bronze Starlight group used Cobalt Strike to deploy ransomware (including LockFile, AtomSilo, Rook, Night Sky, and Pandora) on their victims’ networks, according to researchers. These attacks also used a new version of the HUI loader, which is able to intercept Windows API calls and disable Event Tracing for Windows (ETW) and Antimalware Scan Interface (AMSI).

Based on the order in which these ransomware families emerged from mid-2021, the attackers likely developed LockFile and AtomSilo first and then moved on to Rook, Night Sky and Pandora.experts say.

Studying the configuration of Cobalt Strike beacons in three different attacks using AtomSilo, Night Sky, and Pandora malware revealed a common control server address for them. It is also noted that this year the same source was used to upload samples of the HUI bootloader on Virus Total.

It is noted that in the studied cases, the activity of LockFile, AtomSilo, Rook, Night Sky and Pandora was unusual when compared with ordinary financially motivated ransomware attacks. So, the attacks were aimed at a small number of victims, lasted a short period of time, and then the hackers completely abandoned the project and moved on to the next one.

Chinese hackers and espionage

Secureworks writes that Pandora and the latest version of the HUI loader have code similarities. LockFile and AtomSilo also look similar, while Night Sky, Pandora, and Rook are based on the Babuk malware source code, but also have a lot in common.

Chinese hackers and espionage

Experts summarize that Bronze Starlight clearly has no difficulty creating short-lived ransomware variants that are only needed to disguise spying operations as ransomware attacks and complicate attribution. The fact is that the studied ransomware is based on publicly available or leaked source code, and Chinese hackers are known for willingly sharing tools and infrastructure with each other. That is, in such cases it is extremely difficult to track attribution, possible connections, and speak with confidence about any conclusions.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

View all of Vladimir Krasnogolovy's posts.

Leave a comment

Your email address will not be published.