A China-based threat actor has been launching ransomware attacks against organizations in the U.S. and other countries, but evidence suggests that the actor is using the ransomware as a “smokescreen” to disguise the true espionage motives behind its campaigns.
The Bronze Starlight actor (also called DEV-0401 by Microsoft), active since early 2021, has been known to leverage a previously disclosed, custom DLL loader called HUI Loader in order to deploy Cobalt Strike and PlugX payloads for command and control as part of its attacks. Over the past year, the threat actor has relied on a lineup of five ransomware families – LockFile, AtomSilo, Rook, Night Sky and Pandora – and posted 21 victims to name-and-shame leak sites as of mid-April.
However, despite this ransomware activity, researchers believe that the threat actor’s end goal in these campaigns is stealing intellectual property rather than financial gain. Based on the victims’ geographic locations and industry verticals, they estimated that 75 percent of the known victims would be of interest to Chinese government-sponsored groups focused on espionage. Over the past year, researchers have observed the group targeting pharmaceutical companies in Brazil and the U.S., electronic component designers and manufacturers in Lithuania and Japan, as well as a U.S. law firm and a U.S.-based media organization with offices in China and Hong Kong.
“The victimology, short lifespan of each ransomware family, and access to malware used by government-sponsored threat groups suggest that Bronze Starlight’s main motivation may be intellectual property theft or cyberespionage rather than financial gain,” said Secureworks’ Counter Threat Unit Research Team in a Thursday analysis. “The ransomware could distract incident responders from identifying the threat actors’ true intent and reduce the likelihood of attributing the malicious activity to a government-sponsored Chinese threat group.”
Researchers believe the threat group uses the ransomware in these incidents to exfiltrate data and then encrypt it, destroying any forensic evidence of the espionage activity. The use of ransomware can also distract investigators from the true nature of the activity, since they would instead be focused on helping the business return to normal operations. In addition to the victimology, the operational cadence of these five ransomware families does not appear to align with conventional financially motivated cybercrime operations, the researchers said.
“In each case, the ransomware targets a small number of victims over a relatively brief period of time before it ceases operations, apparently permanently,” they said.