State-backed hackers using ransomware as bait for cyber-espionage attacks


A China-based Advanced Persistent Threat (APT) group may be using short-lived ransomware families as bait to obscure the real operational and tactical objectives behind its campaigns.

The cluster of activities, attributed by Secureworks to a hacking group it calls Bronze Starlight, includes post-intrusion ransomware deployments such as LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0.

“The ransomware may distract first responders from identifying the threat actors’ true intentions and reduce the likelihood that the malicious activity is attributed to a government-sponsored Chinese threat group,” the researchers said in a new report. “In any case, the ransomware targets a small number of victims for a relatively short period of time before ceasing its activities, seemingly permanently.”

Bronze Starlight, active since mid-2021, is also tracked by Microsoft under the emerging threat cluster name DEV-0401, with the tech giant emphasizing its involvement in all stages of the ransomware attack cycle, from initial access to payload deployment.

Unlike other RaaS groups that buy access from initial access brokers (IABs) to enter a network, attacks performed by the actor are characterized by the exploitation of unpatched vulnerabilities affecting Exchange Server, Zoho ManageEngine ADSelfService Plus, Atlassian Confluence (including the newly revealed bug), and Apache Log4j.

In less than a year, the group is said to have gone through as many as six different ransomware strains: LockFile (August 2021), Atom Silo (October), Rook (November), Night Sky (December), Pandora (February 2022), and most recently LockBit 2.0 (April).

In addition, similarities have been discovered between LockFile and Atom Silo, and between Rook, Night Sky and Pandora – the latter three being derived from Babuk ransomware, whose source code was leaked in September 2021 – suggesting the work of a common actor.

“Because DEV-0401 maintains and regularly renames their own ransomware payloads, they can appear as different groups in payload-driven reports and evade detections and actions against them,” Microsoft noted last month.

Pandora’s move to LockBit 2.0 is also significant because “it may indicate that the shift in TTPs is simply the adoption of ransomware families not developed by Bronze Starlight itself,” Secureworks’ Marc Burnard told The Hacker News.

After gaining a foothold in a network, Bronze Starlight is known to rely on techniques such as the use of Cobalt Strike and Windows Management Instrumentation (WMI) for lateral movement, although the group has started replacing Cobalt Strike with the Sliver framework in its attacks this month.

Other observed tradecraft involves the use of HUI Loader to launch next-stage encrypted payloads such as PlugX and Cobalt Strike Beacon, the latter of which is used to deliver the ransomware, but not before privileged Domain Administrator credentials have been obtained.

“The use of HUI Loader to load Cobalt Strike Beacon, the Cobalt Strike Beacon configuration information, the C2 infrastructure and the code overlap suggest that the same threat group is associated with these five ransomware families,” the researchers explain.

It is worth pointing out that HUI Loader and PlugX, like ShadowPad, are malware historically used by Chinese nation-state adversarial collectives, lending weight to the possibility that Bronze Starlight is more focused on espionage than on direct monetary gain.

In addition, the victimology spanning the different ransomware strains shows that a majority of the targets are likely to be of greater interest to Chinese government-sponsored groups focused on long-term intelligence gathering.

The main victims include pharmaceutical companies in Brazil and the US, a US-based media organization with offices in China and Hong Kong, designers and manufacturers of electronic components in Lithuania and Japan, a law firm in the US, and the aerospace and defense division of an Indian conglomerate.

To this end, the ransomware operations not only provide a means of exfiltrating data as part of the double-extortion “name-and-shame” scheme, but also offer a dual benefit in that they allow the threat actor to destroy forensic evidence of its malicious activity and act as a distraction from the data theft.

“It is likely that Bronze Starlight uses ransomware as a smokescreen rather than for financial gain, with the underlying motivation to steal intellectual property or commit espionage,” the researchers said.