Suspected Chinese gov’t hackers used ransomware as cover in attacks on Brazil presidency, Indian health org

Hackers believed to be working for the Chinese government are increasingly deploying ransomware in an effort to cause disruption and provide cover for espionage operations — most notably in attacks on the presidential office of Brazil and on a key healthcare platform used by Indian hospitals, according to a new report. 

Researchers from SentinelOne, Recorded Future and TeamT5 analyzed dozens of notable intrusions in the past three years, some of which were carried out by Chinese cyberespionage group ChamelGang.

The ChamelGang group repeatedly deployed ransomware and encryptors “for the purposes of financial gain, disruption, distraction, misattribution, or removal of evidence” the researchers said. 

According to the report, ChamelGang was previously seen targeting a variety of organizations including a government in East Asia, an aviation organization in South Asia as well as government and private organizations in other countries such as the United States, Taiwan, and Japan.

But what drew the interest of the researchers were the 2022 attacks on the Presidency of Brazil and the All India Institute of Medical Sciences (AIIMS), a major Indian healthcare institution. Both attacks were originally disclosed as ransomware attacks.

The researchers said both attacks involved the CatB ransomware, which they attributed to ChamelGang based on technical overlaps in malware code with other tools used by the group. The attack on Brazil affected 192 computers within the Brazilian Federal Executive Branch.

The researchers also tracked a separate cluster of attacks involving off-the-shelf data encryption tools BestCrypt and BitLocker that affected a variety of industries in North America, South America, and Europe. 

They were not able to attribute these attacks but said “overlaps exist with past intrusions that involve artifacts associated with suspected Chinese and North Korean APT clusters.”

Julian-Ferdinand Vögele, senior threat researcher with Recorded Future’s Insikt Group who co-authored the report, said their research indicates that deception techniques like copy-catting — done in an effort to mislead attribution — are “more common than previously thought.” The Record is an editorially independent unit of Recorded Future.

But the hackers may also be engaging in cybercriminal behavior alongside espionage, he added. Members of APT groups from other governments around the world, most notably Iran, have been seen using ransomware as side gigs to make money off of their hacking ability and to monetize previous breaches.

“Misattributing cyberespionage activities as cybercriminal operations can result in strategic repercussions, especially in the context of attacks on government or critical infrastructure organizations,” the researchers said in the report. 

“Insufficient information sharing between the local law enforcement organizations that typically handle ransomware cases and intelligence agencies could result in missed intelligence opportunities, inadequate risk assessment, and diminished situational awareness.”

The specific use of ransomware also allows APT groups to destroy evidence of their espionage efforts and force organizations to focus on data restoration instead of investigating how hackers gained initial entry, Vögele said. The report goes on to outline how ransomware enables further malicious activities to go unnoticed due to the chaos caused by encryption attacks.

Chinese espionage groups have in the past been accused of using ransomware as part of hacking campaigns. Officials of the island nation of Palau said they believed a recent ransomware attack was a cover for other operations conducted by Chinese actors. 

Other researchers have also seen Chinese government hackers deploy ransomware as part of a dedicated operational playbook in attacks across Southeast Asia. The report notes that the Chinese government in April claimed that the Volt Typhoon campaign against U.S. critical infrastructure was part of a ransomware operation — indicating Chinese officials’ propensity for using ransomware as a catch-all excuse or cover for operations. 

The report mentions several other attacks launched by APT41 on the video game industry where hackers abuse in-game transaction systems and deploy ransomware to muddy the waters.

Recorded Future’s Vögele said there are drawbacks to the use of ransomware by APT groups because they lose access to compromised systems. But the benefits — plausible deniability and misattribution — make ransomware deployment worth it in some instances. 

“This can have strategic ramifications. Inaccurate information exchanges between intelligence agencies and law enforcement (who are usually the ones responding to ransomware events) can lead to lost intelligence opportunities, poor risk assessment, and a lack of situational awareness,” he said.  

“Although it is clear that APT groups can employ deception techniques, such as ransomware, and that financial incentives are present in certain situations, particularly if private contracting companies are involved, the topic still appears to be relatively underreported.”