Threat researchers believe two Chinese hacking groups are using ransomware attacks to cover up cyber espionage campaigns against Western and Japanese companies. The groups are after sensitive information and use financially motivated attacks to mask their true goals. Secureworks analyzed two clusters of activity, "Bronze Riverside" (APT10) and "Bronze Starlight", both of which use the HUI Loader to deploy payloads such as the PlugX and QuasarRAT remote access trojans and Cobalt Strike Beacon. Secureworks researchers found that, starting in March 2022, Bronze Starlight leveraged Cobalt Strike to deploy ransomware strains including LockFile, AtomSilo, Rook, Night Sky, and Pandora. None of these strains had the lasting impact of other financially motivated ransomware, and each was abandoned prematurely. The common belief is that Bronze Starlight used these attacks as decoys, so that law enforcement and threat researchers would view them as ransomware incidents rather than government-sponsored espionage campaigns.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense

Russia's invasion of Ukraine increased