Chinese and N. Korean Hackers Target Global Infrastructure with Ransomware

Cybercriminals suspected of having links to China and North Korea have been connected to ransomware and data encryption attacks on government and critical infrastructure sectors worldwide between 2021 and 2023. According to a joint report by cybersecurity firms SentinelOne and Recorded Future shared with The Hacker News, one set of activities has been linked to ChamelGang (also known as CamoFei), while another overlaps with actions previously attributed to Chinese and North Korean state-sponsored groups.

This includes ChamelGang’s 2022 attacks on the All India Institute of Medical Sciences (AIIMS) and the Presidency of Brazil using CatB ransomware, as well as targeting a government entity in East Asia and an aviation organization in the Indian subcontinent. “Threat actors in the cyber espionage ecosystem are increasingly using ransomware as a final stage in their operations for financial gain, disruption, distraction, misattribution, or removal of evidence,” stated security researchers Aleksandar Milenkoski and Julian-Ferdinand Vögele.

Ransomware attacks in this context not only serve as a means of sabotage but also enable threat actors to cover their tracks by destroying artifacts that could otherwise alert defenders to their presence. First documented by Positive Technologies in 2021, ChamelGang is assessed by Taiwanese cybersecurity firm TeamT5 as a China-nexus group with varied motivations including intelligence gathering, data theft, financial gain, denial-of-service (DoS) attacks, and information operations.

ChamelGang is known to possess a wide range of tools, including BeaconLoader, Cobalt Strike, backdoors like AukDoor and DoorMe, and a ransomware strain known as CatB, which has been used in attacks targeting Brazil and India, identified through commonalities in the ransom note, the format of the contact email address, the cryptocurrency wallet address, and the filename extension of encrypted files. In 2023, attacks have leveraged an updated version of BeaconLoader to deliver Cobalt Strike for reconnaissance and post-exploitation activities such as deploying additional tools and exfiltrating the NTDS.dit database file. Additionally, ChamelGang’s custom malware, including DoorMe and MGDrive (with its macOS variant called Gimmick), has been linked to other Chinese threat groups like REF2924 and Storm Cloud, suggesting a “digital quartermaster supplying distinct operational groups with malware.”

The other set of intrusions involves the use of Jetico BestCrypt and Microsoft BitLocker in cyberattacks affecting various industry sectors in North America, South America, and Europe, with as many as 37 organizations, predominantly in the U.S. manufacturing sector, being targeted. According to SentinelOne and Recorded Future, the tactics observed are consistent with those attributed to a Chinese hacking group known as APT41 and a North Korean actor known as Andariel, due to the presence of tools like the China Chopper web shell and a backdoor known as DTrack. “The activities we observed overlap with past intrusions involving artifacts associated with suspected Chinese and North Korean APT clusters,” Milenkoski told The Hacker News, adding that visibility limitations likely prevented detecting the malicious artifacts themselves.

“Our investigations and review of previous research did not reveal evidence of tools or other intrusion artifacts associated with suspected Chinese or North Korean APT groups being present concurrently in the same targeted environments.” SentinelOne further noted it cannot rule out the possibility that these activities are part of a broader cybercriminal scheme, particularly since nation-state actors have also engaged in financially motivated attacks from time to time.
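As an added defender-side illustration that is not part of the report or this article, the Python below sketches process-creation detection rules for two behaviours named above: extraction of the NTDS.dit database and use of built-in or third-party volume encryption tooling (BitLocker's manage-bde, BestCrypt). The sample events, the host names and the BestCrypt path match are constructed assumptions, not observed telemetry.

```python
import re

# Constructed sample process-creation events (host, image path, command line).
# Illustrative only; not telemetry from the campaigns described in the article.
SAMPLE_EVENTS = [
    {"host": "dc01", "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": r'ntdsutil "ac i ntds" "ifm" "create full C:\temp\out" q q'},
    {"host": "ws17", "image": r"C:\Windows\System32\manage-bde.exe",
     "cmdline": "manage-bde -on D: -RecoveryPassword -UsedSpaceOnly"},
    {"host": "ws17", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad C:\Users\a\notes.txt"},
    {"host": "fs02", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\temp\n.dit"},
]

# Each rule: (name, compiled pattern applied to "image + cmdline").
RULES = [
    # Domain controller credential store exported through the "ifm" media-creation path.
    ("ntds_ifm_export", re.compile(r"ntdsutil.*\bifm\b", re.I)),
    # NTDS.dit read out of a volume shadow copy (the live file is locked by LSASS).
    ("ntds_shadow_copy_read",
     re.compile(r"HarddiskVolumeShadowCopy\d+\\Windows\\NTDS\\ntds\.dit", re.I)),
    # Built-in BitLocker command-line tool turning encryption on for a volume.
    ("bitlocker_enable", re.compile(r"manage-bde(\.exe)?\s+-on\b", re.I)),
    # Assumption: BestCrypt is recognised only by the product name in the image path.
    ("bestcrypt_execution", re.compile(r"bestcrypt", re.I)),
]


def classify(event):
    """Return the names of every rule matched by one process-creation event."""
    text = f'{event["image"]} {event["cmdline"]}'
    return [name for name, rx in RULES if rx.search(text)]


def detect(events):
    """Walk the event stream and emit (host, rule) pairs; unmatched events are dropped."""
    return [(e["host"], name) for e in events for name in classify(e)]


def hosts_by_behaviour(events):
    """Group alerting hosts by rule so an analyst sees which stage each host exhibits."""
    grouped = {}
    for host, name in detect(events):
        grouped.setdefault(name, set()).add(host)
    return grouped


if __name__ == "__main__":
    for host, rule in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

On real telemetry the same rules would run over Sysmon Event ID 1 or Windows Security 4688 records; the encryption rules alone are noisy in environments that legitimately roll out BitLocker, so they are best correlated with the credential-access hits rather than alerted on in isolation.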
