
ChamelGang & Friends | Cyber espionage groups attack critical infrastructure with ransomware

Summary

  • Threat actors in the cyber espionage ecosystem are following an increasingly disturbing trend: they are using ransomware as the final stage of their operations, whether for financial gain, to cause disruption, as a distraction, to create false attribution, or to destroy evidence.
  • This report presents new findings on notable intrusions over the past three years. Some of these attacks were carried out by a Chinese cyber espionage actor, but the perpetrators have not been publicly disclosed.
  • According to our findings, ChamelGang, a suspected Chinese APT group, used the CatB ransomware to target the major Indian healthcare institution AIIMS and the Brazilian presidential office in 2022. Details about the origin of these attacks have not yet been made public.
  • In addition, ChamelGang targeted a government organization in East Asia and critical infrastructure sectors, including an aviation organization on the Indian subcontinent.
  • A separate cluster of intrusions, which abused the commercially available tools BestCrypt and BitLocker, affected various industries in North America, South America and Europe, but primarily the US manufacturing sector.
  • While the attribution of this secondary cluster remains unclear, there is overlap with previous intrusion attempts involving artifacts suspected to be associated with Chinese and North Korean APT clusters.

Read the full report

Overview

In collaboration with Recorded Future, SentinelLabs tracked two distinct clusters of activity between 2021 and 2023 targeting government and critical infrastructure sectors around the world. We associate one cluster of activity with the suspected Chinese APT group ChamelGang (also known as CamoFei), while the second cluster is similar to previous intrusions that used artifacts associated with suspected Chinese and North Korean APT groups. The majority of the activity we analyzed involves ransomware or data encryption tools.

ChamelGang

We found evidence that ChamelGang targeted a government organization in East Asia and an aviation organization in the Indian subcontinent in 2023. This is consistent with ChamelGang’s known victimology: previous ChamelGang attacks had affected critical sectors in Russia, including aviation, as well as government and private organizations in other countries such as the United States, Taiwan, and Japan. The activity we observed includes the group’s known TTPs, publicly available tools seen in previous attacks, and its custom malware BeaconLoader.

In addition, we suspect that ChamelGang was responsible for attacks on the Brazilian presidential office and the All India Institute of Medical Sciences (AIIMS), a major Indian healthcare institution, in late 2022. These attacks were publicly disclosed as ransomware incidents, and details of the perpetrators were never released. We discovered strong evidence that these institutions were attacked using ChamelGang’s CatB ransomware. TeamT5 links CatB to ChamelGang due to overlaps in code, staging mechanisms, and malware artifacts such as certificates, strings, and symbols found in custom malware used in intrusions attributed to ChamelGang.

BestCrypt and BitLocker

In addition to ChamelGang’s activities, we have observed breaches where Jetico BestCrypt and Microsoft BitLocker were abused to encrypt endpoints and extort ransoms. BestCrypt and BitLocker are legitimately used for data protection purposes.

Our telemetry data showed that these breaches occurred between early 2021 and mid-2023 and affected 37 organizations. The majority of affected organizations are located in North America, predominantly in the United States, with others in South America and Europe. The manufacturing sector was most affected, while other sectors, including education, finance, healthcare, and legal, were affected to a lesser extent.
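The report notes that BestCrypt and BitLocker are legitimate data protection tools, which is exactly why their abuse for extortion is easy to miss: encryption activity on an endpoint looks like policy, not like malware. The following PowerShell snippet is an added example and is not code from the SentinelLabs or Recorded Future report; it inventories the two conditions the report describes, BitLocker protection enabled outside a site policy (or without a recovery password that could have been escrowed) and a BestCrypt installation, so an analyst can reconcile the host against what the organization actually deployed. It assumes it runs elevated on Windows with the BitLocker PowerShell module available; the `$ExpectedBitLockerVolumes` list is a hypothetical, site-specific placeholder.

```powershell
# Added example, not from the report. Defender-side inventory for the two
# tools the report describes being abused: BitLocker and Jetico BestCrypt.
# Assumptions: elevated session on Windows with the BitLocker module loaded;
# $ExpectedBitLockerVolumes is a hypothetical placeholder for your own policy.
$ExpectedBitLockerVolumes = @('C:')   # placeholder: volumes your policy encrypts

$findings = @()

# 1. BitLocker: flag protection enabled on volumes outside policy, and any
#    encrypted volume that has no RecoveryPassword protector (nothing to escrow).
foreach ($vol in Get-BitLockerVolume) {
    $protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    if ($vol.ProtectionStatus -eq 'On' -and $ExpectedBitLockerVolumes -notcontains $vol.MountPoint) {
        $findings += [pscustomobject]@{
            Check  = 'BitLocker-UnexpectedVolume'
            Detail = "$($vol.MountPoint) protection On; protectors: $($protectors -join ',')"
        }
    }
    if ($vol.VolumeStatus -ne 'FullyDecrypted' -and $protectors -notcontains 'RecoveryPassword') {
        $findings += [pscustomobject]@{
            Check  = 'BitLocker-NoRecoveryPassword'
            Detail = "$($vol.MountPoint) status $($vol.VolumeStatus); protectors: $($protectors -join ',')"
        }
    }
}

# 2. BestCrypt: look for the product in the standard uninstall registry keys
#    (64-bit and 32-bit views). Presence is only a finding if it is not deployed by policy.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*BestCrypt*' } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Check  = 'BestCrypt-Installed'
            Detail = "$($_.DisplayName) $($_.DisplayVersion)"
        }
    }

if ($findings.Count -eq 0) { 'No findings' } else { $findings | Format-Table -AutoSize }
```

The checks are deliberately about reconciliation rather than signatures: a volume that is encrypted but has no recovery password protector, or that was never in the deployment plan, is the state an attacker leaves behind after enabling BitLocker with a key only they hold. Run it periodically through your management tooling and compare the output against the known deployment baseline.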

[Figures: ChamelGang intrusion attempts by industry; BestCrypt and BitLocker targets]

Our full report provides extensive details, including victimology, attribution discussions, an overview of the malware and techniques used, and a comprehensive list of indicators of compromise.

Ransomware as a strategic and operational tool of cyber espionage

This research highlights the strategic use of ransomware by cyber espionage actors for financial gain, to disrupt operations, or as a tactic for diversion or misattribution, blurring the lines between cybercrime and cyber espionage.

Misclassifying cyberespionage activities as cybercriminal activities can have strategic consequences, particularly in the context of attacks on government or critical infrastructure organizations. Inadequate information sharing between local law enforcement agencies that typically handle ransomware cases and intelligence agencies can lead to missed intelligence opportunities, inadequate risk assessment, and reduced situational awareness.

We stress the importance of continuous data and knowledge sharing between the various entities dealing with cybercrime and cyberespionage incidents, detailed investigation of observed artifacts, and analysis of the broader context of ransomware incidents, which are critical to identifying the true perpetrators, motives, and targets.

SentinelLabs continues to monitor cyberespionage groups that challenge traditional categorization practices. We remain committed to sharing our findings to equip organizations and other relevant stakeholders with the knowledge necessary to better understand and defend against this threat. We thank Still Hsu of TeamT5 for his valuable insights that contributed to our investigation of the ChamelGang APT group.
