Rising Cyber Threats: Ransomware and Data Encryption Attacks from China and North Korea


Introduction

Between 2021 and 2023, a series of ransomware and data encryption attacks targeted government and critical infrastructure sectors worldwide. These attacks have been linked to threat actors with suspected ties to China and North Korea. In a joint report by cybersecurity firms SentinelOne and Recorded Future, two distinct clusters of activity have been identified. One cluster is associated with the ChamelGang (also known as CamoFei), while the second overlaps with previously known Chinese and North Korean state-sponsored groups.

ChamelGang's Activities

ChamelGang, first documented by Positive Technologies in 2021, is believed to be a China-nexus group with diverse motivations, including intelligence gathering, data theft, financial gain, denial-of-service (DoS) attacks, and information operations. Notable attacks attributed to ChamelGang include those targeting the All India Institute of Medical Sciences (AIIMS) and the Presidency of Brazil in 2022, utilizing CatB ransomware. The group has also targeted a government entity in East Asia and an aviation organization in the Indian subcontinent.

Tools and Techniques

ChamelGang's arsenal includes a variety of tools such as BeaconLoader, Cobalt Strike, and backdoors like AukDoor and DoorMe. The CatB ransomware, used in the attacks in Brazil and India, is notable for the commonalities between those attacks in ransom notes, email formats, cryptocurrency wallet addresses, and the filename extensions of encrypted files. In 2023, the group used an updated version of BeaconLoader to deliver Cobalt Strike for reconnaissance and post-exploitation activities, such as dropping additional tools and exfiltrating the NTDS.dit database file.

Overlapping Activities with Chinese and North Korean Groups

The second cluster of activity involves the use of Jetico BestCrypt and Microsoft BitLocker in cyberattacks affecting various industry verticals in North America, South America, and Europe. These attacks have targeted as many as 37 organizations, predominantly in the U.S. manufacturing sector. The tactics observed are consistent with those attributed to a Chinese hacking group dubbed APT41 and a North Korean actor known as Andariel. Tools like the China Chopper web shell and the DTrack backdoor have been linked to these attacks.
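Two of the behaviours described above, staging of the NTDS.dit database and the use of BitLocker's own command-line tool to encrypt volumes, both leave traces in process-creation telemetry. The following is an added detection sketch, not code from the article or from the SentinelOne/Recorded Future report. It assumes a constructed tab-separated log format (timestamp, host, user, image path, command line), a site-specific allow-list of accounts that legitimately run BitLocker provisioning, and constructed sample lines; only `manage-bde.exe` and `ntds.dit` are real Windows names.

```python
"""Detection sketch for two behaviours reported in the article:
staging/copying of the NTDS.dit database and enabling BitLocker
encryption via manage-bde.exe from an unexpected account.

The log format, the allow-list and the sample lines are constructed for
this example (hypothetical); they are not taken from the report.
"""
import re
from dataclasses import dataclass

# Accounts expected to run BitLocker provisioning at this (hypothetical) site.
BITLOCKER_PROVISIONING_ACCOUNTS = {"CORP\\svc-deploy"}

# Rule name -> regex applied to the process command line.
# The BitLocker rule matches only state-changing switches (-on, -protectors),
# not read-only "-status" queries, to keep noise down.
RULES = [
    ("ntds-dit-access", re.compile(r"ntds\.dit|\bntdsutil(\.exe)?\b", re.I)),
    ("bitlocker-encrypt", re.compile(r"\bmanage-bde(\.exe)?\b.*\s-(on|protectors)\b", re.I)),
]


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    host: str
    user: str
    command: str


def parse_line(line):
    """Split one tab-separated record into fields; None if malformed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None
    ts, host, user, image, cmd = parts
    return {"ts": ts, "host": host, "user": user, "image": image, "cmd": cmd}


def is_exempt(rule, rec):
    """Suppress BitLocker hits for accounts that provision encryption by design."""
    if rule == "bitlocker-encrypt":
        return rec["user"] in BITLOCKER_PROVISIONING_ACCOUNTS
    return False


def scan(log_text):
    """Return a Finding for every (line, rule) pair that matches and is not exempt."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            continue  # malformed record: skip rather than crash the scan
        for name, pattern in RULES:
            if pattern.search(rec["cmd"]) and not is_exempt(name, rec):
                findings.append(Finding(n, name, rec["host"], rec["user"], rec["cmd"]))
    return findings


# Constructed sample telemetry (hypothetical hosts, users and paths).
SAMPLE_LOG = "\n".join([
    "2023-05-02T10:12:00Z\tWS-0042\tNT AUTHORITY\\SYSTEM\tC:\\Windows\\System32\\svchost.exe\tsvchost.exe -k netsvcs",
    "2023-05-02T10:14:03Z\tDC01\tCORP\\svc-backup\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c copy C:\\Windows\\NTDS\\ntds.dit C:\\Users\\Public\\n.dat",
    "2023-05-02T10:20:11Z\tWS-0042\tCORP\\jdoe\tC:\\Windows\\System32\\manage-bde.exe\tmanage-bde -on D: -RecoveryPassword",
    "2023-05-02T10:21:40Z\tWS-0043\tCORP\\svc-deploy\tC:\\Windows\\System32\\manage-bde.exe\tmanage-bde -on C: -UsedSpaceOnly",
    "2023-05-02T10:25:02Z\tWS-0042\tCORP\\jdoe\tC:\\Windows\\System32\\manage-bde.exe\tmanage-bde -status C:",
])


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: [{f.rule}] {f.user}@{f.host}: {f.command}")
```

Run against the constructed sample, the scan reports the NTDS.dit copy on the domain controller and the BitLocker enablement by an ordinary user, while the provisioning account's identical command and the read-only status query are left alone. In production the allow-list would come from the device-management tooling's service accounts, and the NTDS rule should additionally alert on shadow-copy creation on domain controllers, which this sketch does not cover.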

Blurring Lines Between Cyber Espionage and Cybercrime

The use of ransomware by cyber espionage groups highlights a disturbing trend where ransomware serves as a tool for financial gain, disruption, distraction, misattribution, or removal of evidence. This strategy not only enables sabotage but also helps cover up tracks by destroying artifacts that could alert defenders to their presence.

Cyber espionage operations disguised as ransomware activities provide adversarial countries with plausible deniability. These operations blur the lines between cybercrime and cyber espionage, offering adversaries strategic and operational advantages.

Conclusion

The collaboration between SentinelOne and Recorded Future underscores the complexity and sophistication of modern cyber threats. The activities of groups like ChamelGang and other state-sponsored actors from China and North Korea reveal a multifaceted approach to cyber operations. These groups leverage ransomware not just for financial gain but also for espionage and strategic disruption. As cyber threats continue to evolve, a comprehensive understanding and robust defense strategies are crucial to protect against these multifarious attacks.
