
Chinese and North Korean Hackers Use Ransomware to Attack Global Infrastructure

Between 2021 and 2023, ransomware and data encryption attacks targeting government and critical infrastructure sectors across the world have been linked to threat actors with suspected ties to China and North Korea.

While one group of activity is associated with the ChamelGang (aka CamoFei), another cluster overlaps with activity previously linked to Chinese and North Korean state-sponsored groups, according to cybersecurity firms SentinelOne and Recorded Future in a joint report shared with The Hacker News.

ChamelGang’s targets include the All India Institute of Medical Sciences (AIIMS) and the Presidency of Brazil, both hit in 2022 with CatB ransomware, as well as a government entity in East Asia and an aviation organization in the Indian subcontinent.

Security researchers Aleksandar Milenkoski and Julian-Ferdinand Vögele noted that cyber espionage threat actors are increasingly using ransomware for financial gain, disruption, distraction, misattribution, or removal of evidence.

Ransomware attacks not only cause sabotage but also help threat actors cover their tracks by destroying artifacts that could expose their presence.

ChamelGang, initially documented by Positive Technologies in 2021, is believed to be a China-focused group engaging in intelligence gathering, data theft, financial gain, denial-of-service (DoS) attacks, and information operations, according to Taiwanese cybersecurity firm TeamT5.

ChamelGang is known to use various tools, including BeaconLoader, Cobalt Strike, backdoors like AukDoor and DoorMe, and the CatB ransomware strain utilized in attacks on Brazil and India.

Attacks in 2023 have also leveraged an updated version of BeaconLoader to deliver Cobalt Strike for reconnaissance and post-exploitation activities.

Furthermore, custom malware associated with ChamelGang, such as DoorMe and MGDrive, has been linked to other Chinese threat groups such as REF2924 and Storm Cloud.

Another set of intrusions involves the use of Jetico BestCrypt and Microsoft BitLocker in cyber attacks impacting various industry verticals in North America, South America, and Europe, targeting as many as 37 organizations, mainly in the U.S. manufacturing sector.

The tactics observed align with those attributed to Chinese hacking group APT41 and North Korean actor Andariel due to the presence of tools like the China Chopper web shell and the DTrack backdoor.

Researchers highlighted the use of ransomware by cyber espionage groups to gain plausible deniability, since the activity is more likely to be attributed to independent cybercriminals than to state-sponsored entities.

This blurs the lines between cybercrime and cyber espionage, providing adversaries with strategic and operational advantages.
