A joint report from analysts at SentinelLabs and Recorded Future has studied two distinct activity clusters targeting government sectors and critical infrastructure globally between 2021 and 2023. The report reveals a worrying trend: actors in the cyberespionage ecosystem are using ransomware as the final stage of their operations. These actions are motivated by financial gain, disruption, distraction, misattribution or evidence suppression.
The report presents new findings on notable intrusions over the past three years, some of which were carried out by a Chinese cyberespionage actor, ChamelGang, but have yet to be publicly attributed.
ChamelGang and friends: attacking critical infrastructure with ransomware
SentinelLabs and Recorded Future have tracked two activity clusters targeting government sectors and critical infrastructure worldwide between 2021 and 2023. One cluster is associated with ChamelGang, a suspected Chinese APT group, while the second resembles past intrusions involving Chinese and North Korean APT groups. The activities analyzed involve ransomware or data encryption tools, highlighting the strategic use of ransomware for financial, disruptive or misattribution purposes. This approach gives adversaries plausible deniability, since the actions can be attributed to independent cybercriminal actors rather than state-sponsored entities. The data-destructive nature of ransomware also obscures the perpetrators’ trail, because restoring data and systems becomes the priority for defense teams.
Cluster 1: ChamelGang intrusions
Multiple intrusions occurring in 2022 and 2023 have been attributed to ChamelGang with a medium degree of confidence. This APT group pursues objectives other than intelligence gathering, such as the theft of personal information and financial gain. In 2023, ChamelGang targeted a government organization in East Asia and an aviation organization in the Indian subcontinent. These activities made use of the group’s known TTPs, publicly available tools and customized malware such as BeaconLoader.
Notable incidents included attacks on the Brazilian presidency and the All India Institute of Medical Sciences (AIIMS) in late 2022 using CatB ransomware. The CatB ransomware sample svchosts.exe was first uploaded from Brazil on November 1, 2022, containing a ransom note with the contact email fishA001[@]protonmail.com and a Bitcoin address. Artifacts extracted from the Windows registry pointed to the Brazilian presidency, reinforcing suspicions of ChamelGang involvement.
In November 2022, AIIMS suffered a large-scale ransomware attack that affected numerous servers and workstations. The attack, first observed on November 23, 2022, led to major disruptions in the provision of healthcare services. Indicators such as contact email addresses and encrypted file extensions linked the incident to ChamelGang’s CatB ransomware.
Cluster 2: BestCrypt and BitLocker intrusions
Another cluster of intrusions involved the misuse of Jetico BestCrypt and Microsoft BitLocker to encrypt endpoints and demand ransom. These intrusions, which occurred between early 2021 and mid-2023, affected 37 organizations, mainly in the US manufacturing sector. Similarities with earlier incidents involving APT41 and Andariel, a suspected North Korean APT cluster, were noted.
These attacks typically begin with the deployment of the China Chopper webshell, followed by credential theft, reconnaissance and malware deployment. Attackers often use Active Directory domain controllers as staging points for subsequent operations. Jetico BestCrypt was used to encrypt server endpoints, while Microsoft BitLocker was used for workstations.
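For defenders, the final stage described above (legitimate encryption tools switched on across many hosts) can be hunted in process-creation telemetry. The sketch below is an added example, not code from the SentinelLabs and Recorded Future report: the events, host names, approved-host list, placeholder BestCrypt path and product string, and the thresholds are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

MBDE = r"C:\Windows\System32\manage-bde.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed process-creation records: (time, host, image, command line, product).
# The BestCrypt image path and product string are placeholders, not values from the report.
EVENTS = [
    ("2023-03-02T01:10:00", "WS-014", MBDE, "manage-bde -on C: -RecoveryPassword", "Microsoft Windows"),
    ("2023-03-02T01:20:00", "WS-015", PS,
     "powershell.exe -Command Enable-BitLocker -MountPoint C: -RecoveryPasswordProtector", "Microsoft Windows"),
    ("2023-03-02T01:35:00", "SRV-DB01", r"C:\ProgramData\placeholder.exe", "placeholder.exe", "Jetico BestCrypt"),
    ("2023-03-02T01:40:00", "WS-200", MBDE, "manage-bde -status C:", "Microsoft Windows"),  # read-only query
    ("2023-03-02T09:00:00", "WS-IT01", MBDE, "manage-bde -on D:", "Microsoft Windows"),     # approved IT host
    ("2023-03-05T14:00:00", "WS-300", MBDE, "manage-bde -on C:", "Microsoft Windows"),      # isolated event
]

# BitLocker being turned on via manage-bde or the Enable-BitLocker cmdlet.
BITLOCKER_ON = re.compile(r'manage-bde(\.exe)?"?\s+(.*\s)?-on\b|enable-bitlocker', re.I)
# Assumption: the vendor or product name shows up in the image path or file metadata.
BESTCRYPT = re.compile(r"bestcrypt|jetico", re.I)

def classify(image, cmd, product):
    """Return a label if the event enables BitLocker or runs BestCrypt, else None."""
    if BITLOCKER_ON.search(cmd):
        return "bitlocker-enable"
    if BESTCRYPT.search(image + " " + product):
        return "bestcrypt-exec"
    return None

def find_encryption_bursts(events, approved_hosts=frozenset(),
                           window=timedelta(hours=1), min_hosts=3):
    """Return (hits, alerted): every matching event on a non-approved host, plus the
    hosts that took part in a burst of >= min_hosts distinct hosts inside `window`."""
    hits = sorted(
        (datetime.fromisoformat(t), host, kind)
        for t, host, image, cmd, product in events
        if host not in approved_hosts and (kind := classify(image, cmd, product))
    )
    alerted, start = set(), 0
    for end in range(len(hits)):
        while hits[end][0] - hits[start][0] > window:  # slide the window forward
            start += 1
        hosts = {h for _, h, _ in hits[start:end + 1]}
        if len(hosts) >= min_hosts:
            alerted |= hosts
    return hits, sorted(alerted)

if __name__ == "__main__":
    hits, alerted = find_encryption_bursts(EVENTS, approved_hosts={"WS-IT01"})
    print(len(hits), "matching events; burst hosts:", alerted)
```

Single matches such as WS-300 still appear in `hits` for review; only the multi-host burst is escalated, which keeps routine one-off BitLocker enablement from paging anyone.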
The use of ransomware by cyberespionage groups blurs the boundaries between cybercrime and cyberespionage, offering adversaries strategic and operational advantages. The activities of groups such as ChamelGang and APT41 show that ransomware intrusions can have objectives other than financial gain. Collaboration between law enforcement and intelligence services is essential to accurately identify the perpetrators of these attacks and understand their true motivations.
Photo credits: Nathakorn – AdobeStock