'ChamelGang' APT Disguises Espionage Activities With Ransomware

A likely China-backed advanced persistent threat group has been systematically using ransomware to disguise its relatively prolific cyber-espionage operations for the past three years, at least.
The threat actor, who researchers at SentinelOne are tracking as ChamelGang, has recently targeted critical infrastructure organizations in East Asia and India.
Ransomware as a Distraction

Some of ChamelGang's victims in that region include an aviation organization in the Indian subcontinent and the All India Institute of Medical Sciences.
The group's previous victims include government and private sector organizations - including those in critical infrastructure sectors - in the US, Russia, Taiwan, and Japan.
According to SentinelOne, what makes ChamelGang's operations noteworthy is its regular use of a ransomware tool called CatB to distract from and conceal its cyber-espionage focus.
Significantly, ransomware also gives cyber-espionage actors a way to conveniently cover their tracks by destroying artifacts and evidence that would have pointed to their data theft activities, SentinelOne said.
ChamelGang is not the first China-nexus cyberespionage player to use ransomware in this manner.
Other examples include APT41 - an umbrella group of multiple smaller subgroups - and Bronze Starlight, whose victims include organizations in the US and multiple other countries.
In ChamelGang's case, the threat actor has typically tended to deploy its ransomware toward the end of its missions where covertness is no longer an operational objective, Milenkoski says.
Data Espionage & Theft

ChamelGang is a threat actor that others such as Positive Technologies and Team5 have previously identified as focused on data theft and cyber espionage.
Positive Technologies reported on the group's activities in September 2021 following a breach investigation at an energy company where the threat actor disguised its malware and infrastructure to look like legitimate Microsoft, Google, IBM, TrendMicro, and McAfee services.
Team5, which tracks the group as Camo Fei, has assessed the threat actor as having been active since at least 2019 and using a variety of malware tools in its campaigns, including Cobalt Strike, DoorMe, IISBeacon, MGDrive, and the CatB ransomware tool.
Team5's research showed the threat actor is primarily focused on targets in the government sector and, to a lesser extent, the healthcare, telecommunications, energy, water, and high-tech sectors as well.
SentinelOne itself has assessed ChamelGang's current focus on East Asia and the Indian subcontinent as resulting from geopolitical tensions, regional rivalries and a race for technological and economic superiority.
The company's investigations showed the group deployed CatB ransomware in its 2022 attacks on India's AIIMS and against the Brazilian government after using tools such as BeaconLoader and Cobalt Strike during earlier phases of the intrusion.
The interest of threat actors in conducting both cyber espionage and financially motivated activities to actually collect a ransom depends on their objectives when targeting an organization, Milenkoski says.


This Cyber News was published on www.darkreading.com. Publication date: Wed, 26 Jun 2024 19:10:09 +0000

