A likely China-backed advanced persistent threat (APT) group has been systematically using ransomware as a means to disguise its relatively prolific cyberespionage operations for the past three years, at least.

The threat actor, whom researchers at SentinelOne are tracking as ChamelGang (aka CamoFei), has recently targeted critical infrastructure organizations in East Asia and India.  

Ransomware as a Distraction

Some of ChamelGang’s victims in that region include an aviation organization in the Indian subcontinent and the All India Institute of Medical Sciences (AIIMS). But the group’s previous victims include government and private sector organizations—including those in critical infrastructure sectors—in the US, Russia, Taiwan and Japan.

According to SentinelOne, what makes ChamelGang’s operations noteworthy is its regular use of a ransomware tool called CatB to distract from and to conceal its cyberespionage focus.

“Cyberespionage operations disguised as ransomware activities provide an opportunity for adversarial countries to claim plausible deniability by attributing the actions to independent cybercriminal actors rather than state-sponsored entities,” the security vendor said in a report shared with Dark Reading. “Furthermore, misattributing cyberespionage activities as cybercriminal operations can result in strategic repercussions, especially in the context of attacks on government or critical infrastructure organizations.”

Significantly, ransomware also gives cyberespionage actors a convenient way to cover their tracks by destroying artifacts and evidence that would have pointed to their data theft activities, SentinelOne said.

ChamelGang is not the first China-nexus cyberespionage player to use ransomware in this manner. Other examples include APT41—an umbrella group of multiple smaller subgroups—and Bronze Starlight, whose victims include organizations in the US and multiple other countries.

“Current and historical evidence suggests that cyberespionage clusters use ransomware primarily for disruption or financial gain,” says Aleksandar Milenkoski, senior threat researcher at SentinelOne’s SentinelLabs.

In ChamelGang’s case, the threat actor has typically deployed its ransomware towards the end of its missions, when covertness is no longer an operational objective, Milenkoski says. Ransomware can be used as a cover for exfiltrating intelligence-relevant data and for deflecting blame, so victims of a ransomware attack should not ignore this aspect when responding, he says: “Depending on the potential value of the targeted organization to adversaries from an intelligence perspective, these dimensions of ransomware activities should be considered when assessing the situation.”

Data Espionage & Theft

ChamelGang is a threat actor that others such as Positive Technologies and Team5 have previously identified as focused on data theft and cyberespionage. Positive Technologies reported on the group’s activities in September 2021 following a breach investigation at an energy company where the threat actor disguised its malware and infrastructure to look like legitimate Microsoft, Google, IBM, TrendMicro and McAfee services.

Team5, which tracks the group as Camo Fei, has assessed the threat actor as having been active since at least 2019 and as using a variety of malware tools in its campaigns, including Cobalt Strike, DoorMe, IISBeacon, MGDrive and the CatB ransomware tool. Team5’s research showed the threat actor is primarily focused on targets in the government sector and, to a lesser extent, on the healthcare, telecommunications, energy, water and high-tech sectors.

SentinelOne itself has assessed ChamelGang’s current focus on East Asia and the Indian subcontinent as resulting from geopolitical tensions, regional rivalries and a race for technological and economic superiority. The company’s investigations showed the group deployed CatB ransomware in its 2022 attacks on India’s AIIMS and against the Brazilian government after using tools such as BeaconLoader and Cobalt Strike during earlier phases of the intrusion.

Whether a threat actor conducting cyberespionage also has an interest in financially motivated activity, actually collecting a ransom, depends on its objectives when targeting an organization, Milenkoski says. “Historically, a common case where threat actors have shown no interest in collecting ransom is when deploying ransomware for disruptive purposes,” he says. “But we note that interest in ransom payment may represent a cover by itself,” he adds.

Source: www.darkreading.com