Chinese Cyber Spies Turn to Ransomware to Obscure Their Tracks
Security researchers have linked ransomware deployments to groups engaged in espionage, specifically identifying a group believed to operate from China, tracked as ChamelGang. The group reportedly uses the CatB ransomware to complicate tracing the source of its intrusions, to distract security teams, or as an additional way to profit financially while it steals sensitive data.
ChamelGang’s Ransomware Strategy
ChamelGang, also tracked as CamoFei, focused its efforts on government and critical infrastructure sectors from 2021 to 2023. Its intrusions follow a familiar espionage pattern: gain initial access to a network, reconnoitre it for valuable information, move laterally while staying under the radar, and exfiltrate data. Ransomware deployment comes last, after the data has already left.
One notable incident occurred in November 2022, when the group targeted the Presidency of Brazil and encrypted 192 computers. The ransomware encrypted files, embedded the ransom note inside the encrypted files themselves, and demanded payment in Bitcoin. The attack was initially attributed to a different ransomware family; subsequent investigation pointed back to ChamelGang.
In a separate incident late in 2022, the group disrupted operations at the All India Institute of Medical Sciences (AIIMS), a major hospital in New Delhi, showing that the collateral damage of such attacks can fall directly on healthcare services.
Variations in Ransomware Use
Separately from the CatB activity, researchers observed a distinct cluster of intrusions in which victims were encrypted not with custom ransomware but with legitimate, off-the-shelf encryption tools, Jetico BestCrypt and Microsoft BitLocker, chosen to suit the environment being hit. This cluster affected 37 organizations, primarily in North America, with further cases in South America and Europe, and showed overlaps with activity previously linked to Chinese and North Korean espionage groups.
Taken together, these findings suggest that ransomware serves a dual purpose for cyber spies: it misleads analysts about the attackers' true intentions and masks espionage as ordinary cybercrime.
Why Use Ransomware?
Incorporating ransomware into a cyberespionage operation offers several strategic advantages. It causes immediate disruption, but more importantly it muddies the picture of what kind of attack has occurred. An incident handled as a financially motivated ransomware case may be closed once systems are restored, with the question of what data was taken, and by whom, never fully examined. That misattribution benefits the attackers by hiding their real goal and prolonging their access to the compromised networks. For defenders, the practical caveat is the reverse: a ransomware incident at a government, critical infrastructure or healthcare organization should be investigated for preceding data exfiltration, not only for the encryption event.
The shift toward these tactics marks a notable evolution in cyber espionage tradecraft, blending conventional intrusion techniques with ransomware to cover tracks and achieve broader objectives.