Secureworks reveals new information on BRONZE STARLIGHT threat group
New research from Secureworks has uncovered further details on the Chinese threat group BRONZE STARLIGHT and how it uses targeted ransomware as the visible front of more involved intrusions.
The group has been active since early 2021. While its attacks were initially believed to be financially motivated, Secureworks CTU believes the ransomware could be a smokescreen for cyber espionage.
BRONZE STARLIGHT gains initial access by exploiting vulnerabilities in network perimeter devices, including known vulnerabilities for which patches are already available.
The group then deploys HUI Loader to decrypt and execute a Cobalt Strike Beacon for command and control, before deploying ransomware and exfiltrating sensitive data from the victim's environment. Ransomware families used by the group include LockFile, AtomSilo, Rook, Night Sky and Pandora.
Notably, Secureworks CTU researchers have only observed HUI Loader being used by threat groups that are likely based in China. This raises the possibility of collaboration between BRONZE STARLIGHT and other likely state-sponsored Chinese threat groups, but that link is currently unconfirmed.
The research goes on to say that the operational cadence, victimology and potential links to other Chinese threat groups could suggest LockFile, AtomSilo, Rook, Night Sky, and Pandora are being deployed as a smokescreen for espionage.
The timelines for each ransomware family suggest that each one was developed, deployed and then cast aside in sequence, a distinct pattern. In each case, the ransomware targeted a small number of organisations over a short period before activity ceased.
As of today, BRONZE STARLIGHT has operated LockFile as a traditional ransomware scheme. Pandora is the only ransomware with a leak site as of April 14 2022, listing five victims. Two earlier victims were removed. As of mid-April, a total of 21 victims were recorded across AtomSilo, Rook, Night Sky and Pandora sites.
The researchers stress that this victim profile is telling: they estimate that 75% of the victims listed on those sites would be of interest to Chinese government-sponsored groups, based on the victims' geographic location and industry verticals.
Previous victims include pharmaceutical companies in Brazil and the US, a US-based media organisation, and electronic component designers and manufacturers in Lithuania and Japan.
During a January 2022 Secureworks IR engagement, BRONZE STARLIGHT was found to have compromised a server running ManageEngine ADSelfService Plus and deployed HUI Loader with a Cobalt Strike Beacon, consistent with the group's established tradecraft.
CTU researchers also observed the Chinese BRONZE UNIVERSITY threat group active on the same network during an overlapping timeframe. Given that BRONZE STARLIGHT did not deploy ransomware against the organisation, which is a key target for Chinese cyber espionage activity, one possibility is that the two threat groups deconflicted post-intrusion.
Secureworks concludes that BRONZE STARLIGHT is likely using ransomware during incidents to destroy evidence, distract investigators and cover the exfiltration of data.