Chinese Espionage Group “ChamelGang” Uses Attacks for Disruption, Data Theft


SentinelOne’s research arm, SentinelLabs, has revealed startling new details on the strategic use of ransomware by cyberespionage actors for financial gain, disruption, distraction, or misattribution. The researchers focused primarily on attacks by the Chinese cyberespionage actor ChamelGang that have remained publicly unattributed.

The report highlights ChamelGang’s targeting of critical infrastructure sectors in India and East Asia. ChamelGang is a persistent global cyberespionage group, targeting regions driven by strategic interests, regional rivalries, geopolitical tensions, and technological competitiveness. 

In 2023, ChamelGang targeted a government organization in East Asia and an aviation organization in the Indian subcontinent, using known TTPs, publicly available tooling, and custom malware BeaconLoader. 

In late 2022, ChamelGang was suspected of targeting the Brazilian Presidency and the All India Institute of Medical Sciences (AIIMS) using CatB ransomware. These attacks were publicly disclosed as ransomware incidents without attribution information.

Researchers link CatB ransomware and BeaconLoader to ChamelGang due to code overlaps and malware artefacts. Further probing revealed that ChamelGang often disguises BeaconLoader as Windows services or software components, such as TSVIPSrv.dll and TPWinPrn.dll, and may deploy Cobalt Strike through it to execute reconnaissance commands, run additional tools, and exfiltrate files such as the NTDS.dit Active Directory database, which stores critical information.
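As an added illustration (not code from SentinelLabs’ report or from this article), the following Python sketch shows how a defender might hunt for the two behaviours described above in endpoint telemetry: a DLL named TSVIPSrv.dll or TPWinPrn.dll loaded from a directory where the genuine Windows component would not normally live, and a process command line that references NTDS.dit. The pipe-delimited log format, the trusted-directory list and every sample record are assumptions constructed for the example, not real telemetry.

```python
"""Hunting sketch for two behaviours attributed to ChamelGang in the article:
BeaconLoader masquerading as TSVIPSrv.dll / TPWinPrn.dll, and access to the
NTDS.dit Active Directory database. All log records are constructed."""
import re
from pathlib import PureWindowsPath

# DLL names the article says BeaconLoader has been disguised as.
WATCHED_DLLS = {"tsvipsrv.dll", "tpwinprn.dll"}

# Assumption: a genuine copy of a Windows component lives under one of these
# directories; a same-named DLL loaded from anywhere else deserves a look.
TRUSTED_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)

# Any process command line that names the AD database file.
NTDS_PATTERN = re.compile(r"ntds\.dit", re.IGNORECASE)


def parse_record(line):
    """Parse a constructed 'key=value|key=value' record into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def _under_trusted_dir(path):
    """True if the file's parent directory is one of TRUSTED_DIRS (case-insensitive)."""
    parent = str(PureWindowsPath(path).parent).lower()
    return any(parent == str(d).lower() for d in TRUSTED_DIRS)


def find_masquerade_loads(lines):
    """Return (process, image) pairs for watched DLL names loaded from an
    untrusted directory. Records mimic Sysmon image-load events (event=7)."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("event") != "7":
            continue
        image = rec.get("image_loaded", "")
        name = PureWindowsPath(image).name.lower()
        if name in WATCHED_DLLS and not _under_trusted_dir(image):
            hits.append((rec.get("process", ""), image))
    return hits


def find_ntds_access(lines):
    """Return command lines of process-creation records (event=1) that
    reference NTDS.dit."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("event") != "1":
            continue
        cmdline = rec.get("cmdline", "")
        if NTDS_PATTERN.search(cmdline):
            hits.append(cmdline)
    return hits


# Constructed sample telemetry: two benign loads, two masquerade loads,
# one benign command line and one command line touching NTDS.dit.
SAMPLE_LOG = [
    r"event=7|process=C:\Windows\System32\svchost.exe|image_loaded=C:\Windows\System32\TSVIPSrv.dll",
    r"event=7|process=C:\Windows\System32\svchost.exe|image_loaded=C:\ProgramData\Update\TSVIPSrv.dll",
    r"event=7|process=C:\Windows\System32\spoolsv.exe|image_loaded=C:\Windows\System32\TPWinPrn.dll",
    r"event=7|process=C:\Windows\System32\spoolsv.exe|image_loaded=C:\Users\Public\TPWinPrn.dll",
    r"event=1|process=C:\Windows\System32\cmd.exe|cmdline=notepad.exe C:\Users\alice\notes.txt",
    r"event=1|process=C:\Windows\System32\cmd.exe|cmdline=copy C:\Windows\NTDS\ntds.dit C:\Users\Public\n.bak",
]

if __name__ == "__main__":
    for proc, image in find_masquerade_loads(SAMPLE_LOG):
        print(f"[masquerade] {image} loaded by {proc}")
    for cmd in find_ntds_access(SAMPLE_LOG):
        print(f"[ntds.dit]   {cmd}")
```

The path check deliberately keys on the directory rather than the file name alone, because the names themselves are legitimate Windows components; a signature on the name would fire on every healthy host. In production the same two rules map naturally onto Sysmon Event ID 7 and Event ID 1 (or the equivalent EDR telemetry), and the trusted-directory allowlist should be extended to whatever paths the organisation’s own imaging puts those components in.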

“The government and critical infrastructure sectors, including healthcare, aviation, and manufacturing, are important targets for adversaries such as ChamelGang pursuing cyberespionage objectives, financial gain, or both,” SentinelOne’s report, shared with Hackread.com ahead of its publishing, read.

Researchers also discovered intrusions using Jetico BestCrypt and Microsoft BitLocker to encrypt endpoints and demand ransom, affecting 37 organizations in North America between early 2021 and mid-2023. The manufacturing sector was the most affected. 

The intrusions resemble those reported by LIFARS in 2020 and DCSO in 2022, which targeted nonprofit and financial organizations. The TTPs and victimology link the 2020 activities to the APT41 umbrella, a suspected Chinese APT group known for financially motivated cyberespionage campaigns.

Intrusions using BestCrypt and BitLocker, with ransom notes similar to those in the LIFARS case, have been attributed to ransomware groups called TimisoaraHackerTeam and DeepBlueMagic. These groups have been linked to attacks against healthcare institutions, including the Hillel Yaffe Medical Center in Israel, with Israeli authorities indicating suspicion that a Chinese ransomware group was behind the attack.

Researchers emphasize the significance of “sustained information exchange and collaboration between law enforcement and intelligence agencies” in handling ransomware intrusions at government or critical infrastructure organizations to counter these evolving threats.
