Beijing may be operating behind a ransomware group: that is the hypothesis put forward in a June 23 report from the American cybersecurity company Secureworks. China's objective would be to hide its espionage activities behind mundane cybercriminal operations.
Secureworks and Microsoft on the move
In a March 2022 study, “Panorama of the computer threat 2021”, the French cyber defense agency, ANSSI, reported having observed for several years “a convergence of methods and tools used by several profiles of malicious actors”. In other words, state entities have adopted cybercriminal modus operandi to conceal their activities in cyberspace.
According to Secureworks, “Bronze Starlight”, also called DEV-0401 by Microsoft, could be one of these state-sponsored groups, in this case backed by China. Secureworks believes that “The victimology, short lifespan of each ransomware family, and access to malware used by government-sponsored threat groups suggest that BRONZE STARLIGHT’s primary motivation may be intellectual property theft or cyber espionage rather than financial gain”.
It was the American giant Microsoft that first spotted this group, which appeared in mid-2021 and was particularly discreet. That discretion comes from the group's frequent switching of the ransomware used in its attacks: LockFile (August 2021), AtomSilo (October), Rook (November), Night Sky (December), Pandora (February 2022) and LockBit 2.0 (April).
“Because DEV-0401 frequently maintains and renames their own ransomware payloads, they may appear as different groups in payload-based reports and evade detections and actions against them”, noted Microsoft in May.
This behavior is rather unusual in an environment where a tool is normally used for as long as it remains effective. It lets the group stay under the radar of cybersecurity researchers. Microsoft and Secureworks have also noticed another peculiarity: Bronze Starlight does not buy from initial access brokers, intermediaries who sell entry points into a computer system, but exploits unpatched vulnerabilities itself. For Microsoft, the group therefore differs from most attackers.
China adept at ransomware?
Is that enough to attribute potential responsibility to China? It is a step that Secureworks takes, based on several elements. First, the use of tooling popular with groups from the Middle Kingdom, with some detectable Chinese-language traces.
Then, the adoption of the “name-and-shame” practice. In addition to, or rather instead of, demanding a ransom in exchange for a decryption key, the attackers steal data and threaten to publish it on a public site. For Secureworks, “It’s possible that this change provided a more plausible way to exfiltrate data. Threat actors may also have decided that the public profile would be more effective in distracting attention from their true operational objectives.”
The last interesting clue for Secureworks is Bronze Starlight's “victimology”. Of the 21 victims counted by Secureworks, 75% correspond to Chinese interests, mostly in Asia or the United States: pharmaceutical companies in Brazil and the United States, an American media outlet, designers and manufacturers of electronic components in Japan and Lithuania, an American law firm, the aerospace and defense division of an Indian conglomerate… The remaining targets look incidental: American real estate companies or a European interior decoration company.
In cybersecurity, attributing a cyberattack is always a complex exercise. Secureworks, while pointing at Beijing, remains cautious, stating that it is only formulating a hypothesis based on the clues collected. The use of a cybercriminal tool by a state is far from improbable, as it offers the advantage of discretion: recovering data while covering one's tracks.