Cybersecurity researchers have identified a significant shift in tactics by Chinese-linked cyberespionage groups, which now increasingly deploy ransomware as the final stage of their operations. This strategy not only serves financial gain but also complicates the attribution of cyberattacks and adds a layer of strategic ambiguity. According to SentinelLabs and Recorded Future, such techniques have recently been observed in incidents targeting high-profile institutions, including the Brazilian presidency and the All India Institute of Medical Sciences (AIIMS).
Ransomware as a Cover for Espionage
State-sponsored hackers have traditionally avoided ransomware, but the trend is changing. The recent report points out that ChamelGang, a suspected Chinese-linked group, was behind ransomware attacks previously thought to be financially motivated. This strategy enables these groups to mask espionage activities, presenting them instead as ordinary cybercrime incidents.
Strategic Implications and Misattribution
Misidentifying cyberespionage as ordinary ransomware attacks can have serious strategic consequences, particularly for government and critical-infrastructure targets. The apparent financial motive draws attention away from the real aim, which is often the theft of data or intelligence, and this diversion helps attackers by making it harder to link the attacks to state-sponsored actors.
Destructive Potential of Ransomware
Ransomware encrypts files and demands payment for their release, but attackers sometimes never decrypt the data, leaving it effectively destroyed. This outcome suits cyberespionage groups, since it can also wipe out evidence of their intrusion. With defenders focused on restoring systems and data, the real perpetrators often go unexposed.
The AIIMS attack in November 2022 was described as “cyber terrorism” by Delhi police, suspected to be the work of Chinese hackers. Government officials hinted at the possibility of a “hostile cross-border attack,” although attribution remains a complex issue. China’s representative in Washington, D.C., reiterated China’s opposition to all forms of cyberattacks, highlighting the difficulties in pinpointing attack sources due to the anonymous nature of cyberspace.
U.S. officials continue to warn about China’s aggressive cyber capabilities, with incidents like Volt Typhoon aiming to influence U.S. policy decisions. While the use of ransomware in state-aligned operations isn’t new, the current trend underscores its evolving role as a smokescreen for more nefarious activities.
Researchers have previously linked Chinese groups like APT41 to dual-purpose operations involving espionage and financially motivated cybercrime. Similar activities were documented by Secureworks and Microsoft, highlighting the complexity of these operations. Additionally, Russian military intelligence has utilized ransomware during its conflict with Ukraine, further demonstrating the multifaceted use of such tools.
Ben Carr from Halcyon emphasizes that ransomware serves multiple goals, including intelligence gathering and strategic deception. The evolving landscape of cyberespionage reflects increasingly sophisticated tactics designed to confuse and mislead investigators.
Recent analysis also identified another cluster of cyberespionage using off-the-shelf tools targeting manufacturers and various sectors in the Americas and Europe. While the perpetrators of these attacks remain unclear, there are overlaps with activities linked to Chinese and North Korean actors.
The use of ransomware by state-linked cyber groups is a growing concern. It illustrates the blending of traditional cyberespionage with financially motivated cybercrime, complicating attribution and response efforts. By deploying ransomware, these groups achieve multiple objectives – financial gain, strategic misdirection, and the destruction of incriminating evidence.