SentinelLabs report exposes ransomware strategy of APT groups
SentinelLabs, the research division of cybersecurity firm SentinelOne, has published a new report that reveals the strategic use of ransomware by cyberespionage actors. The report highlights how these groups are employing ransomware not only for financial gain but also for disruption, distraction, and misattribution, which complicates the traditional categorisation of cybercrimes.
The research provides an overview of notable intrusions from the past three years that have not previously been publicly attributed, and attributes many of them to a Chinese cyberespionage actor known as ChamelGang. SentinelLabs collaborated with Recorded Future to track two distinct activity clusters targeting government and critical infrastructure sectors worldwide between 2021 and 2023.
According to the report, one activity cluster is linked to the suspected Chinese Advanced Persistent Threat (APT) group ChamelGang, also known as CamoFei. The second cluster bears resemblance to previous intrusions involving artifacts associated with suspected Chinese and North Korean APT groups. In both clusters, the use of ransomware or data encryption tools is a common element.
The report states, "Ransomware as part of cyber espionage activities may result in their misattribution as financially motivated operations. To further misguide attribution efforts, APT groups may purchase ransomware shared by multiple cybercriminal actors." The report further details how ransomware provides cover for the true motive behind these operations, which is primarily data exfiltration. This is also evident in ransomware actors adopting a multi-extortion model.
One of the report's key findings is that cyberespionage operations disguised as ransomware attacks offer adversarial countries a means of plausible deniability. By attributing these actions to independent cybercriminals rather than state-sponsored entities, nations can avoid direct blame. Misattributing cyberespionage activities can have substantial strategic repercussions, especially when attacks are aimed at government or critical infrastructure organisations. The report notes that siloed information sharing between local law enforcement agencies and intelligence bodies could result in missed intelligence opportunities and inadequate risk assessments.
From an operational perspective, ransomware provides several advantages to APT groups. Its data-destructive nature can obliterate intrusion and attribution-relevant artifacts, making it easier for perpetrators to cover their tracks. The urgent need to restore affected data and systems can distract defence teams, allowing further malicious activities to go unnoticed.
ChamelGang has been particularly active, targeting significant institutions such as the All India Institute of Medical Sciences (AIIMS) and the Presidency of Brazil in 2022 using the CatB ransomware. The report indicates that ChamelGang also targeted a governmental organisation in East Asia and critical infrastructure sectors, including an aviation organisation in the Indian subcontinent. In another cluster of intrusions, off-the-shelf tools like BestCrypt and BitLocker were used, affecting various industries in North America, South America, and Europe, particularly the US manufacturing sector.
The lines between cybercrime and cyberespionage are becoming increasingly blurred, as highlighted by the operational methods of APT groups like ChamelGang and APT41. APT actors using ransomware are not exclusively financially motivated, which complicates efforts to categorise these activities adequately. SentinelLabs emphasises that the continuous evolution of cyberespionage tactics demands sustained awareness and vigilance.
In a notable recent event, the US government raised concerns about a Chinese threat actor conducting pre-positioning attacks against US critical infrastructure, potentially impairing US preparedness in the event of military conflict. Simultaneously, a Chinese organisation labelled the cyberespionage actor Volt Typhoon as a ransomware group, a claim disputed by researchers. SentinelLabs interprets this as an active attempt by China to portray its cyber espionage operations as cybercriminal in nature.
The report concludes by underscoring the importance of consistent information sharing and collaboration between law enforcement and intelligence agencies when dealing with ransomware intrusions. Efficient exchange of data and understanding the broader context of these incidents are crucial for accurately identifying perpetrators, motives, and objectives. SentinelLabs continues to monitor cyberespionage groups that challenge traditional categorisation practices.