Chinese and N. Korean Hackers Target Global Infrastructure with Ransomware
Summary:
Suspected Chinese and North Korean threat actors have been linked to ransomware and data encryption attacks targeting global government and critical infrastructure sectors between 2021 and 2023, according to a joint report by cybersecurity firms SentinelOne and Recorded Future shared with The Hacker News. Two distinct clusters of activity have been identified: one associated with ChamelGang, and another overlapping with Chinese and North Korean state-sponsored groups.
ChamelGang, first documented by Positive Technologies in 2021, is believed to be a China-based group with diverse motivations including intelligence gathering, data theft, financial gain, denial-of-service (DoS) attacks, and information operations. The group has targeted notable institutions such as the All India Institute of Medical Sciences (AIIMS) and the Presidency of Brazil in 2022 using CatB ransomware, as well as a government entity in East Asia and an aviation organization in the Indian subcontinent. Their extensive toolkit includes BeaconLoader, used to deliver Cobalt Strike for reconnaissance and post-exploitation activities, as well as backdoors like AukDoor and DoorMe, and the CatB ransomware. ChamelGang’s custom malware, including DoorMe and MGDrive (with its macOS variant called Gimmick), has connections to other Chinese threat groups like REF2924 and Storm Cloud, indicating the presence of a "digital quartermaster" supplying various groups with malware.
The second cluster involves the use of Jetico BestCrypt and Microsoft BitLocker in cyber attacks affecting various industry verticals in North America, South America, and Europe. As many as 37 organizations, predominantly in the U.S. manufacturing sector, have been targeted. This cluster’s tactics are consistent with those attributed to Chinese group APT41, known for using the China Chopper web shell, and North Korean actor Andariel, known for using the DTrack backdoor.
Security Officer Comments:
Cyber espionage operations disguised as ransomware activities allow adversarial countries to claim plausible deniability by attributing the actions to independent cybercriminal actors rather than state-sponsored entities. This dual use of ransomware serves multiple purposes: financial gain, disruption, distraction, and misattribution, as well as evidence removal by destroying artifacts that could alert defenders to their presence. This approach blurs the lines between cybercrime and cyber espionage, providing adversaries with strategic and operational advantages while complicating attribution and response efforts for defenders.
Suggested Corrections:
Organizations can make APT groups’ lives more difficult. Here’s how:
https://thehackernews.com/2024/06/chinese-and-n-korean-hackers-target.html
Suspected Chinese and North Korean threat actors have been linked to ransomware and data encryption attacks targeting global government and critical infrastructure sectors between 2021 and 2023, according to a joint report by cybersecurity firms SentinelOne and Recorded Future shared with The Hacker News. Two distinct clusters of activity have been identified: one associated with ChamelGang, and another overlapping with Chinese and North Korean state-sponsored groups.
ChamelGang, first documented by Positive Technologies in 2021, is believed to be a China-based group with diverse motivations including intelligence gathering, data theft, financial gain, denial-of-service (DoS) attacks, and information operations. The group has targeted notable institutions such as the All India Institute of Medical Sciences (AIIMS) and the Presidency of Brazil in 2022 using CatB ransomware, as well as a government entity in East Asia and an aviation organization in the Indian subcontinent. Their extensive toolkit includes BeaconLoader, used to deliver Cobalt Strike for reconnaissance and post-exploitation activities, as well as backdoors like AukDoor and DoorMe, and the CatB ransomware. ChamelGang’s custom malware, including DoorMe and MGDrive (with its macOS variant called Gimmick), has connections to other Chinese threat groups like REF2924 and Storm Cloud, indicating the presence of a "digital quartermaster" supplying various groups with malware.
The second cluster involves the use of Jetico BestCrypt and Microsoft BitLocker in cyber attacks affecting various industry verticals in North America, South America, and Europe. As many as 37 organizations, predominantly in the U.S. manufacturing sector, have been targeted. This cluster’s tactics are consistent with those attributed to Chinese group APT41, known for using the China Chopper web shell, and North Korean actor Andariel, known for using the DTrack backdoor.
Security Officer Comments:
Cyber espionage operations disguised as ransomware activities allow adversarial countries to claim plausible deniability by attributing the actions to independent cybercriminal actors rather than state-sponsored entities. This dual use of ransomware serves multiple purposes: financial gain, disruption, distraction, and misattribution, as well as evidence removal by destroying artifacts that could alert defenders to their presence. This approach blurs the lines between cybercrime and cyber espionage, providing adversaries with strategic and operational advantages while complicating attribution and response efforts for defenders.
Suggested Corrections:
Organizations can make APT groups’ lives more difficult. Here’s how:
- Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
- Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
- Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
- Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
https://thehackernews.com/2024/06/chinese-and-n-korean-hackers-target.html