Ransomware in Espionage Blurring Lines Between Cybercrime and State Espionage
Two clusters of activity reported by SentinelOne researchers spotlight a concerning escalation in the use of ransomware by cyber-espionage groups. The first cluster is associated with ChamelGang (also known as CamoFei), a group suspected of Chinese state sponsorship that is known for deploying ransomware alongside its espionage operations to mask activities aimed at end goals "beyond intelligence collection, such as PII theft and financial gain," according to SentinelOne. The second cluster involves the use of commercially available encryption tools such as BestCrypt and BitLocker. While not directly attributed, it fits a pattern that state-backed actors could exploit to disguise espionage as financially motivated cybercrime. SentinelOne is cautious about attribution, and its researchers spell out why it matters: "Misattributing cyberespionage activities as cybercriminal operations can result in strategic repercussions, especially in the context of attacks on government or critical infrastructure organizations. Insufficient information sharing between local law enforcement organizations that typically handle ransomware cases and intelligence agencies could result in missed intelligence opportunities, inadequate risk assessment, and diminished situational awareness." Ransomware lets threat actors cause disruption, gain leverage for financial gain, create misdirection that complicates or hinders attribution, and purge evidence.
ChamelGang's operations, active from 2021 to 2023, targeted organizations in East Asia, Russia, the United States, Taiwan, Japan, and South America, specifically Brazil. Affected verticals include aviation, critical infrastructure, government, healthcare, and manufacturing. The group has been notably aggressive toward high-profile targets such as the Presidency of Brazil and the All India Institute of Medical Sciences (AIIMS), both of which suffered significant disruptions in 2022 in which ransomware served as a smokescreen for possibly deeper espionage activity. The operational impact was particularly severe for AIIMS, where, according to SentinelOne, the disruption was felt "on November 23, 2022, when staff were unable to access the eHospital platform, which provides digital patient-centric services nationwide, including appointment scheduling and access to lab reports."
ChamelGang's motivations appear aligned with larger geopolitical goals, as emphasized by its focus on regions fraught with political tension and technological competition. SentinelOne places the group's operations in that broad strategic context: "Chinese activities in East Asia and the Indian subcontinent are likely driven by strategic interests in these neighboring regions for several reasons, including regional rivalries, geopolitical tensions, exerting influence, and maintaining technological and economic competitiveness." This suggests a nuanced understanding of geopolitical dynamics, which the group leverages to maximize the impact of its cyber-espionage activities. The severity and breadth of ChamelGang's operations signify a well-resourced, strategically focused group capable of orchestrating widespread disruption. By targeting sectors that are pillars of national infrastructure (aviation, healthcare, and government), the group not only achieves data theft and financial gain but potentially degrades trust in these critical services. The association of ChamelGang with tools such as CatB ransomware and BeaconLoader is based on assessments by the security firms Positive Technologies and TeamT5. ChamelGang's ransomware attacks, particularly those using CatB, often involve DLL hijacking paired with the msdtc.exe process, dropped malicious DLLs, use of Cobalt Strike (evident from its named pipe configuration), and exfiltration of the Active Directory database (NTDS.dit). Ransomware was used sparingly; it was not deployed in every intrusion.
By contrast, the activities involving BestCrypt and BitLocker paint a picture of widespread disruption, with SentinelOne documenting 37 cases, predominantly in the United States but also affecting entities in Canada, the UK, Brazil, and Trinidad and Tobago. The manufacturing sector is by far the hardest hit, suggesting a strategic choice to undermine industries integral to national infrastructure, but the intrusions also extended into the education, finance, healthcare, and legal sectors. On the varying speed of these intrusions, SentinelOne noted that the "average attack lifecycle length was approximately 9 days, with some attacks being conducted in their entirety over several hours."
The technical execution of these attacks involved exploiting vulnerabilities such as ProxyLogon to deploy the China Chopper webshell for initial access and persistence in the targeted networks. The attackers then carried out extensive reconnaissance with native Windows utilities such as net, ipconfig, whoami, and dsquery, and used tools such as procdump and mshta to escalate privileges and to download and execute malicious payloads. Lateral movement was achieved predominantly over RDP, which enabled the spread of ransomware across the network. Defense evasion consisted of disabling the Windows firewall; interestingly, security monitoring software was left untampered with. The operators also deployed batch scripts and used command-line tools such as xcopy and copy to disseminate scripts and ransomware payloads throughout the compromised networks. The complexity and scale of these operations suggest they could be part of a larger cybercriminal scheme, potentially linked to known APT groups, given the overlapping TTPs and the sophistication of the tooling. As SentinelOne puts it: "While attribution for this secondary cluster remains unclear, overlaps exist with past intrusions that involve artifacts associated with suspected Chinese and North Korean APT clusters."
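As an added defender-side example (not code from the article or the SentinelOne report), the following Python flags the techniques named in the two preceding paragraphs, the recon-utility burst, firewall disabling, procdump against lsass, mshta fetching remote content, NTDS.dit handling, msdtc.exe loading a DLL from outside the system directories, and xcopy/copy to admin shares, in constructed process-creation and image-load events; the event field names, thresholds and sample command lines are assumptions of this example.

```python
"""Flag the TTP chain described above in constructed endpoint telemetry (defender-side example)."""
import re
from collections import defaultdict

RECON_TOOLS = {"net.exe", "ipconfig.exe", "whoami.exe", "dsquery.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# One predicate per technique named in the text; each takes an event dict and returns bool.
RULES = {
    "firewall_disabled": lambda e: e["image"] == "netsh.exe"
        and bool(re.search(r"advfirewall.*\bstate\s+off", e["cmdline"], re.I)),
    "procdump_lsass": lambda e: e["image"] == "procdump.exe" and "lsass" in e["cmdline"].lower(),
    "mshta_remote_payload": lambda e: e["image"] == "mshta.exe" and "://" in e["cmdline"],
    "ntds_dit_access": lambda e: "ntds.dit" in e["cmdline"].lower(),
    # DLL hijacking surfaces as msdtc.exe loading a DLL from outside the system directories.
    "msdtc_nonsystem_dll": lambda e: e["type"] == "imageload" and e["image"] == "msdtc.exe"
        and e.get("loaded", "").lower().endswith(".dll")
        and not e.get("loaded", "").lower().startswith(SYSTEM_DIRS),
    # xcopy/copy of payloads to other hosts via admin shares (UNC path form is an assumption).
    "copy_to_admin_share": lambda e: e["image"] in {"xcopy.exe", "cmd.exe"}
        and bool(re.search(r"\\\\[\w.-]+\\(c|admin)\$", e["cmdline"], re.I)),
}

def analyze(events, recon_threshold=3):
    """Return {host: sorted findings}; >= recon_threshold distinct recon tools adds 'recon_burst'."""
    findings, recon_seen = defaultdict(set), defaultdict(set)
    for e in events:
        findings[e["host"]].update(name for name, rule in RULES.items() if rule(e))
        if e["type"] == "process" and e["image"] in RECON_TOOLS:
            recon_seen[e["host"]].add(e["image"])
    for host, tools in recon_seen.items():
        if len(tools) >= recon_threshold:
            findings[host].add("recon_burst")
    return {h: sorted(f) for h, f in findings.items() if f}

# Constructed sample events (not real telemetry); field names are this example's own.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process", "image": "whoami.exe", "cmdline": "whoami /all"},
    {"host": "WS01", "type": "process", "image": "net.exe", "cmdline": "net view /domain"},
    {"host": "WS01", "type": "process", "image": "dsquery.exe", "cmdline": "dsquery computer"},
    {"host": "WS01", "type": "process", "image": "netsh.exe",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    {"host": "WS01", "type": "process", "image": "procdump.exe", "cmdline": "procdump.exe lsass.exe"},
    {"host": "DC01", "type": "imageload", "image": "msdtc.exe", "cmdline": "",
     "loaded": "C:\\Users\\Public\\hijack.dll"},
    {"host": "DC01", "type": "process", "image": "xcopy.exe",
     "cmdline": "xcopy C:\\Temp\\run.bat \\\\WS01\\C$\\Temp\\ /Y"},
    {"host": "DC01", "type": "process", "image": "cmd.exe", "cmdline": "cmd /c copy C:\\Temp\\ntds.dit C:\\Temp\\out\\"},
    {"host": "HR02", "type": "process", "image": "ipconfig.exe", "cmdline": "ipconfig /all"},
]
```

A single recon utility on HR02 stays below the burst threshold and produces no finding, while WS01 and DC01 each accumulate several of the techniques in one place, which is the correlation a SOC would want to surface rather than alerting on each command alone.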
The implications of SentinelOne's findings are profound, underscoring the need for closer collaboration between intelligence agencies and cybersecurity professionals. The blending of cyber-espionage with ransomware tactics not only represents a shift in the operational methodology of state-aligned actors but also challenges existing defense paradigms. It is increasingly clear that distinguishing state-sponsored from criminally motivated cyber activity requires a nuanced understanding of both TTPs and geopolitical context, which highlights the critical role of threat intelligence in cybersecurity strategy.