Cyber-espionage groups are increasingly using ransomware to make sabotage and data theft look like ‘ordinary’ crime. This gives the countries behind such attacks plausible deniability against accusations of espionage, cybersecurity firm SentinelOne says in a recent study.
The report attributes attacks on a major Indian health organization and on an airline in the same region in recent years to ChamelGang, a China-linked APT (Advanced Persistent Threat) group. The same group also hit the Brazilian presidency with CatB ransomware.
SentinelOne’s report is the first public publication to explicitly name this Chinese threat group as the likely perpetrator of these attacks. In doing so, the company argues that money was probably not the main motive in these cases and that they are not criminal operations as such, but espionage operations controlled by state actors.
Financial gain is not the main goal
Victims of ransomware used as cover for spying often have no idea that financial gain is not the goal, and that the real objectives are stealing sensitive information and disrupting infrastructure. Sometimes the attack itself is a diversion from other subversive activity. Ransomware lends itself well to this because its disruptive effect is so broad that it is hard to identify the true motive behind an attack.
According to SentinelOne, this approach lets the countries behind such attacks, China and North Korea in the cases studied, deny that they are spying. Instead, they shift responsibility onto criminal groups they claim to have no authority over. The security company cites the actor Volt Typhoon as an example: a ransomware crew according to China, a Chinese state-sponsored espionage group according to SentinelOne.
Wrong strategic choices
The security company argues that when cyber espionage is mistaken for ‘ordinary’ crime, it leads to wrong strategic choices. It is therefore important that police and intelligence agencies dealing with ransomware share their information with each other, so that the right conclusions are drawn for investigations and policy advice.
The report also describes a separate set of intrusions in which the attackers repurposed the legitimate disk-encryption tools BestCrypt and BitLocker to encrypt victims’ systems instead of deploying custom ransomware. In recent years these attacks have hit organizations in Europe and the Americas. While it remains difficult to say definitively who is responsible, the methods and tools overlap with earlier intrusions linked to suspected Chinese and North Korean APT clusters.
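Because BestCrypt and BitLocker are legitimate tools, their abuse does not trip signature-based ransomware detection; it has to be hunted for in process-creation telemetry. The following is an added example, not code from SentinelOne’s report or from the article, of a small hunting rule run over constructed Sysmon-style process-creation events. It assumes a JSON log shape with `host`, `user`, `image` and `cmd` fields, that BitLocker is manipulated via `manage-bde.exe` or the `Win32_EncryptableVolume` WMI class, and that BestCrypt binaries live under an installation path containing the string `BestCrypt`; the log lines are constructed for the example.

```python
import json
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry) in an assumed Sysmon-like JSON shape.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe notes.txt"},
    {"host": "fs02", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\manage-bde.exe",
     "cmd": "manage-bde.exe -on D: -RecoveryPassword -UsedSpaceOnly"},
    {"host": "ws03", "user": "CORP\\bob",
     "image": r"C:\Windows\System32\manage-bde.exe", "cmd": "manage-bde.exe -status C:"},
    {"host": "db01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -c Get-WmiObject -Namespace root\\cimv2\\Security\\MicrosoftVolumeEncryption -Class Win32_EncryptableVolume"},
    {"host": "app04", "user": "CORP\\svc_backup",
     "image": r"C:\Program Files\Jetico\BestCrypt\BCFMGR.EXE", "cmd": "BCFMGR.EXE /mount E:"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

# manage-bde switches that change encryption or key-protector state (not read-only queries).
MANAGE_BDE_STATE_SWITCHES = {"-on", "-protectors", "-forcerecovery", "-lock", "-changepassword"}


def classify(event):
    """Return a rule name if the event looks like encryption-tool abuse, else None."""
    image = PureWindowsPath(event.get("image", ""))
    cmd = event.get("cmd", "")
    tokens = {t.lower() for t in cmd.split()}
    if image.name.lower() == "manage-bde.exe" and tokens & MANAGE_BDE_STATE_SWITCHES:
        return "bitlocker_manage_bde_state_change"
    if "win32_encryptablevolume" in cmd.lower():
        return "bitlocker_wmi_volume_encryption"
    # Assumption: BestCrypt ships under a path containing "BestCrypt".
    if "bestcrypt" in str(image).lower():
        return "bestcrypt_binary_execution"
    return None


def hunt(log_text):
    """Parse newline-delimited JSON events and return the flagged ones with a rule label."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        rule = classify(event)
        if rule:
            hits.append({"host": event["host"], "user": event["user"], "rule": rule})
    return hits


def users_touching_multiple_hosts(hits):
    """Accounts that triggered a rule on more than one host: a ransomware-style fan-out signal."""
    hosts_by_user = {}
    for h in hits:
        hosts_by_user.setdefault(h["user"], set()).add(h["host"])
    return sorted(u for u, hosts in hosts_by_user.items() if len(hosts) > 1)


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for h in found:
        print(f"{h['host']:6} {h['user']:18} {h['rule']}")
    print("fan-out accounts:", users_touching_multiple_hosts(found))
```

The `-status` query on `ws03` is deliberately not flagged: administrators run it constantly, and alerting on every `manage-bde` invocation would bury the signal. Even the flagged commands are legitimate in an endpoint-management pipeline, so the useful signal is the combination in `users_touching_multiple_hosts`: one account enabling encryption or touching key protectors on several machines in a short window, outside the usual deployment tooling.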