A Chinese cyberespionage group and two more possibly from China and North Korea are using ransomware in their attacks to either add financial gains to their efforts or to cover their tracks by convincing victims and cybersecurity experts that the intrusions were something other than spy campaigns.

Researchers with SentinelOne have been tracking two clusters of attacks on governments and the critical infrastructure sector around the world between 2021 and 2023, attributing some of them to ChamelGang, a Chinese advanced persistent threat (APT) group also known as CamoFei that last year launched attacks on a government agency in East Asia and an aviation organization in India.

Other attacks during those two years targeted 37 organizations, most of which were in the United States, with others in Europe and South America. Most of the incidents were aimed at the manufacturing sector, though other targets included the health care, finance, legal, and education industries. The researchers didn’t directly attribute these attacks to threat groups, though they said some of the tactics used mirror those used by APT 41, a Chinese APT cluster, and Andariel, a North Korean APT cluster.

In both cases, the attackers showed what Alexsandar Milenkoski, a threat intelligence researcher with SentineOne’s SentinelLabs group, and Julian-Ferdinand Vogele, a researcher with Recorded Future, called an “increasingly disturbing trend” of using ransomware in the late stages of their operations.

“The use of ransomware as part of cyberespionage activities may result in their misattribution as financially motivated operations,” efforts, Milenkoski and Vogele wrote in a 28-page report. “To further misguide attribution efforts, APT groups may purchase ransomware shared by multiple cybercriminal actors.”

Ransomware and Espionage

They added that “ransomware also provides cover for the true motive behind the central component of espionage operations, data exfiltration, which is also carried out by ransomware actors that follow a multi-extortion model.”

Also, disguising cyberespionage as ransomware gives adversarial countries that are running the operations plausible deniability by convincing researchers to attribute the actions to financially motivated groups rather than state-sponsored groups. Both China and North Korea, along with Russia and Iran, are well known for running government-supported cyber-spying operations.

ChamelGang has a history of attacking critical sectors in countries like Russian aviation companies and government and private organizations in other countries, including the United States, Taiwan, and Japan. The tactics and techniques, as well as publicly available tools, used in the 2023 attacks in East Asia and India are the same that have been seen in previous ChamelGang incidents, the researchers wrote. In addition, they also involved BeaconLoader, the Chinese group’s custom malware that deploys Cobalt Strike.

The researchers also suspect that ChamelGang was responsible for attacks on the presidency of Brazil and the All India Institute of Medical Sciences, a Indian health care organization, in late 2022. The incidents were called ransomware attacks and no attribution was announced, but SentinelOne and Recorded Future found “strong indicators” that the organizations were attacked using ChamelGang’s CatB ransomware.

ChamelGang also is known for its cyberespionage campaigns, with Milenkoski and Vogele noting China’s interest in activities in neighboring East Asia and India and its soft power ambitions in South America.

For the other cluster of attacks, the intrusions into the three dozen organizations in the United States, Europe, and South America included overlaps of technologies used in other incidents in 2020, both in the custom tools used and the off-the-shelf products, like BestCrypt – a disk encryption app for Windows, Linux, macOS, and Android – and BitLocker, an encryption feature in Windows. In addition, file and directory naming and the choice of victims were alike.

A Growing Threat

While the use of ransomware in the recent cyberespionage campaigns is troubling, it’s been done in the past by Chinese groups, Milenkoski and Vogele wrote. APT41 has used the ransomware offered in the Encryptor ransomware-as-a-service (RaaS) when targeting the video gaming industry and Bronze Starlight has ransomware in its playbook, though the group’s primary goal is spying rather than financial gain.

“The use of ransomware by cyberespionage threat groups blurs the lines between cybercrime and
cyberespionage, providing adversaries with advantages from both strategic and operational perspectives,” they wrote. “The operational methods of APT clusters, such as ChamelGang, the APT41 umbrella, and the recently discovered Moonstone Sleet, highlight that ransomware intrusions are conducted by threat actors with motivations that are not exclusive to financial gain.”

Microsoft Threat Intelligence wrote about Moonstone Sleet in May, noting that the North Korean threat group has both espionage and financial motives, which fits in with the country’s use of cyberattacks to not only gather information but also to steal money that can be used for its weapons programs.

The researchers pointed to a situation uncovered in April that points to the Chinese government’s use of ransomware as a way to deflect attention from its cyber-spying activities. U.S. agencies like CISA and the FBI sent out an alert about Chinese threat group Volt Typhoon prepositioning itself in systems and networks of critical infrastructure entities in the United States essentially lying in wait to attack if tensions between the two countries erupted.

The same month, a Chinese organization in a report referred to Volt Typhoon as a ransomware group.

“We find this claim unpersuasive and at odds with available evidence, seeing it as an active attempt by China to portray its cyberespionage operations as cybercriminal in nature,” Milenkoski and Vogele wrote. “This attribution has understandably led to speculation within the threat intelligence community whether it can be interpreted as China admitting to seeing value in using ransomware activity to conceal its cyberespionage operations.”