Security News > 2022 > June > Chinese hackers use ransomware as decoy for cyber espionage

Chinese hackers use ransomware as decoy for cyber espionage
2022-06-23 13:00

Two Chinese hacking groups conducting cyber espionage and stealing intellectual property from Japanese and western companies are deploying ransomware as a decoy to cover up their malicious activities.

Threat analysts from Secureworks say that the use of ransomware in espionage operations is done to obscure their tracks, make attribution harder, and create a powerful distraction for defenders.

The two clusters of hacking activity analyzed by Secureworks are "Bronze Riverside" and "Bronze Starlight", both using the HUI Loader to deploy remote access trojans, PlugX, Cobalt Strike, and QuasarRAT. Starting in March 2022, "Bronze Starlight" leveraged Cobalt Strike to deploy ransomware strains such as LockFile, AtomSilo, Rook, Night Sky, and Pandora.

That said, "Bronze Starlight" might be creating short-lived ransomware strains only to mask its cyber-espionage operations as ransomware attacks, reducing the chances of dealing with the ramifications of accurate attribution.

Since all of the discussed ransomware strains are based on publicly available or leaked code, and Chinese threat groups are known for sharing backdoors and infrastructure, nothing can be said with certainty.

While it is unclear if these ransomware families were developed as decoys to hide other malicious activity, it would not be the first time ransomware was used this way.

News URL