Ransomware and data encryption attacks targeting critical infrastructure and government sectors globally between 2021 and 2023 have been connected to cybercriminals suspected of having connections to China and North Korea.
Between 2021 and 2023, ransomware and data encryption assaults against government and vital infrastructure sectors worldwide have been linked to cybercriminals suspected of having ties to North Korea and China. Sources were provided with a combined analysis by cybersecurity firms SentinelOne and Recorded Future, which links certain operations to ChamelGang, also known as CamoFei, and overlaps with behaviors that were previously attributed to state-sponsored groups in China and North Korea. This includes the 2022 CatB ransomware assaults by ChamelGang against the Brazilian Presidency and the All India Institute of Medical Sciences (AIIMS), as well as attacks against an East Asian government and an Indian subcontinent aviation company.
Security experts Aleksandar Milenkoski and Julian-Ferdinand Vögele noted that “threat actors in the cyber espionage ecosystem are increasingly using ransomware as a final stage in their operations for financial gain, disruption, distraction, or removal of evidence.” In this particular context, ransomware assaults function as a tool for sabotage as well as a way for threat actors to hide their activities by erasing artifacts that would otherwise notify defenders of their presence. ChamelGang was first identified by Positive Technologies in 2021. Taiwanese cybersecurity company TeamT5 evaluated the organization as having a China connection and a variety of objectives, such as information operations, intelligence collection, data theft, financial gain, and denial-of-service (DoS) attacks.
The ransomware strain known as CatB, which has been used in attacks targeting Brazil and India, is one of the many tools that ChamelGang is known to possess. Commonalities in the ransom note, the format of the contact email address, the address of the cryptocurrency wallet, and the filename extension of encrypted files can all be used to identify this strain of ransomware. Attackers have used a modified version of BeaconLoader in 2023 to distribute Cobalt Strike, which is used for post-exploitation tasks like extorting the NTDS.dit database file and doing extra tool deployments for reconnaissance. Furthermore, additional Chinese threat groups like REF2924 and Storm Cloud have been connected to ChamelGang’s bespoke malware, which includes DoorMe and MGDrive (with its macOS equivalent named Gimmick), implying a “digital quartermaster supplying distinct operational groups with malware.
The other group of intrusions targets up to 37 firms, mostly in the manufacturing sector in the United States, and uses Microsoft BitLocker and Jetico BestCrypt in hacks that impact several industry sectors in North America, South America, and Europe. SentinelOne and Recorded Future claim that the tools used, such as the China Chopper web shell and the DTrack backdoor, are compatible with the tactics attributed to the Chinese hacker outfit APT41 and the North Korean actor Andariel. According to Milenkoski, “the activities we observed overlap with past intrusions involving artifacts associated with suspected Chinese and North Korean APT clusters.” He also said that visibility restrictions probably made it difficult to identify the harmful artifacts themselves.
“We found no evidence of tools or other intrusion artifacts associated with suspected Chinese or North Korean APT groups being present concurrently in the same targeted environments based on our investigations and review of prior research.” SentinelOne added that it cannot completely rule out the potential that these actions are a component of a larger cybercrime plan, especially given the fact that nation-state actors have occasionally carried out financially motivated attacks.
Do Follow: CIO News LinkedIn Account | CIO News Facebook | CIO News Youtube | CIO News Twitter
About us:
CIO News is the premier platform dedicated to delivering the latest news, updates, and insights from the CIO industry. As a trusted source in the technology and IT sector, we provide a comprehensive resource for executives and professionals seeking to stay informed and ahead of the curve. With a focus on cutting-edge developments and trends, CIO News serves as your go-to destination for staying abreast of the rapidly evolving landscape of technology and IT. Founded in June 2020, CIO News has rapidly evolved with ambitious growth plans to expand globally, targeting markets in the Middle East & Africa, ASEAN, USA, and the UK.
CIO News is a proprietary of Mercadeo Multiventures Pvt Ltd.
