Beijing-backed attackers use ransomware as a decoy while they conduct espionage
They're not lying when they say 'We stole your data' – the lie is about which data they lifted
A state-sponsored Chinese threat actor has used ransomware as a distraction to help it conduct electronic espionage, according to security software vendor Secureworks.
The China-backed group, which Secureworks labels Bronze Starlight, has been active since mid-2021. It uses the HUI Loader to deploy ransomware families including LockFile, AtomSilo, Rook, Night Sky and Pandora. But Secureworks asserts that the ransomware is probably just a distraction from the group's true intent: cyber espionage.
"The ransomware could distract incident responders from identifying the threat actors' true intent and reduce the likelihood of attributing the malicious activity to a government-sponsored Chinese threat group," the company argues.
Secureworks offers its distraction theory after observing Bronze Starlight deploying different ransomware variants for short periods of time – unusual behaviour, as ransomware gangs generally don't change their payloads unless they must in order to stay effective. The company also reasons that frequent swaps between ransomware families deter researchers, who have little reason to analyze code that is no longer in use.
But the gang has changed its methods at least once, moving from "traditional ransomware" in which infections lead to a demand for payments, to a name-and-shame model in which the gang threatens to expose data if it is not paid.
"It is possible that the change provided a more plausible means of exfiltrating data. The threat actors may also have decided that the public profile would be more effective as a distraction from their true operational objectives," opined Secureworks.
Secureworks believes the group has infected 21 victims, 75 percent of which would be of interest to Beijing. Among its haul are pharmaceutical companies, electronic component designers and manufacturers, a US law firm, and an aerospace and defense division of an Indian conglomerate. But there were also some seemingly random victims – like a small interior design company in Europe and two US real estate companies.
Even if none yielded info Beijing wanted, the evil genius of this plan is that the gang may still have made a profit if victims paid the ransom. ®