Threat researchers believe two Chinese hacking groups are using ransomware attacks to cover up cyber espionage campaigns against Western and Japanese companies. Chinese state-sponsored groups are in search of sensitive information and use financially motivated attacks to mask their true goals. Two clusters of activity were analyzed by SecureWorks, “Bronze Riverside” (APT41) and “Bronze Starlight” (APT10), both of which use the HUI Loader to deploy remote access trojans such as PlugX, Cobalt Strike, and QuasarRAT. SecureWorks researchers found that, starting in March of 2022, Bronze Starlight leveraged Cobalt Strike to deploy ransomware strains such as LockFile, AtomSilo, Rook, Night Sky, and Pandora. These strains did not have the same lasting impact as other financially motivated ransomware families and were abandoned prematurely. The common belief is that Bronze Starlight used these attacks as decoys, so that law enforcement and threat researchers would view them as ransomware attacks rather than government-sponsored espionage campaigns.
Ransomware attacks have been used as a distraction before: Russia used several such attacks in the lead-up to its invasion of Ukraine. The Chinese government wants to be the most dominant economic power in the world and will use any tactics necessary to achieve that goal. Whether a ransomware operation is attempting to steal sensitive and proprietary information or is financially motivated, organizations should take extensive measures to protect against such attacks. Implement a recovery plan that maintains multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location. Also implement monitoring of security events on employee workstations and servers, backed by a 24/7 Security Operations Center, to detect threats and respond quickly.
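The monitoring recommendation above is concrete enough to illustrate. The following is an added example, not code from the article or from SecureWorks, of the kind of detection logic a SOC might run over endpoint file-event telemetry: it flags a burst of renames that change a file's extension (a common symptom of files being encrypted in place) and the creation of a file whose name looks like a ransom note. The log format, the host and user names, the `WINDOW`/`THRESHOLD` tuning values and the ransom-note keyword list are all constructed for this example; real EDR or SIEM feeds differ, and the thresholds would need tuning against normal activity on your own estate.

```python
"""Toy ransomware-activity detector over endpoint file-event logs.

Added example, not from the original article. Assumes a simplified,
constructed log format: "<iso_timestamp> <host> <user> <action> <target>",
where RENAME targets are written as "<old_path>-><new_path>".
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Constructed sample events (not real telemetry). WS-01 shows ordinary user
# activity; SRV-02 shows a burst of extension-changing renames followed by a
# ransom-note-style file write.
SAMPLE_LOG = """\
2022-03-01T09:00:00 WS-01 alice WRITE /home/alice/report.docx
2022-03-01T09:00:05 WS-01 alice WRITE /home/alice/budget.xlsx
2022-03-01T09:05:00 WS-01 alice RENAME /home/alice/report.docx->/home/alice/report_v2.docx
2022-03-01T09:10:00 SRV-02 svc_backup RENAME /data/a.docx->/data/a.docx.locked
2022-03-01T09:10:01 SRV-02 svc_backup RENAME /data/b.xlsx->/data/b.xlsx.locked
2022-03-01T09:10:01 SRV-02 svc_backup RENAME /data/c.pdf->/data/c.pdf.locked
2022-03-01T09:10:02 SRV-02 svc_backup RENAME /data/d.pptx->/data/d.pptx.locked
2022-03-01T09:10:02 SRV-02 svc_backup RENAME /data/e.txt->/data/e.txt.locked
2022-03-01T09:10:03 SRV-02 svc_backup WRITE /data/README_TO_RESTORE.txt
"""

WINDOW = timedelta(seconds=60)  # hypothetical tuning: sliding window length
THRESHOLD = 5                   # hypothetical tuning: suspicious renames per window

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (WRITE|RENAME) (.+)$")
# Hypothetical ransom-note keyword list; real notes vary by family.
NOTE_RE = re.compile(r"(restore|decrypt|recover)", re.IGNORECASE)


def parse_event(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, user, action, target = m.groups()
    src, _, dst = target.partition("->")
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "user": user,
        "action": action,
        "src": src,
        "dst": dst or None,
    }


def extension_changed(src, dst):
    """True when a rename alters the file extension (e.g. .docx -> .locked)."""
    return PurePosixPath(src).suffix.lower() != PurePosixPath(dst).suffix.lower()


def detect(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return a list of alert dicts for the two heuristics described above."""
    alerts = []
    # (host, user) -> timestamps of recent extension-changing renames
    recent = defaultdict(deque)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        key = (ev["host"], ev["user"])
        if ev["action"] == "RENAME" and ev["dst"] and extension_changed(ev["src"], ev["dst"]):
            q = recent[key]
            q.append(ev["ts"])
            # Drop renames that fell out of the sliding window.
            while q and q[0] < ev["ts"] - window:
                q.popleft()
            if len(q) == threshold:  # fire once, on the first crossing
                alerts.append({"reason": "extension_rename_burst", "host": ev["host"],
                               "user": ev["user"], "ts": ev["ts"], "count": len(q)})
        elif ev["action"] == "WRITE" and NOTE_RE.search(PurePosixPath(ev["src"]).name):
            alerts.append({"reason": "ransom_note_write", "host": ev["host"],
                           "user": ev["user"], "ts": ev["ts"], "path": ev["src"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Both heuristics are deliberately cheap so they can run in near real time on a SIEM; the burst rule fires only once per crossing so an analyst sees one ticket per host rather than one per file, and a service account renaming files at machine speed (as `svc_backup` does here) is exactly the kind of event that should reach the 24/7 SOC the article calls for.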