A China-based threat actor has launched ransomware attacks against organizations in the United States and other countries, but evidence suggests that the actor is using the ransomware as a “smokescreen” to conceal the real espionage motives behind its campaigns.
The Bronze Starlight actor (also referred to as DEV-0401 by Microsoft), active since early 2021, is known to leverage a previously leaked custom DLL loader called HUI Loader to deploy Cobalt Strike and PlugX payloads for command and control in its attacks. Over the past year, the threat actor has relied on five ransomware families – LockFile, AtomSilo, Rook, Night Sky and Pandora – and posted 21 victims on name-and-shame leak sites in mid-April.
However, despite this ransomware activity, researchers believe that the threat actor’s end goal in these campaigns is intellectual property theft rather than financial gain. Based on victims’ geographic locations and industry verticals, they have estimated that 75% of known victims would be of interest to Chinese government-sponsored groups that focus on espionage. Over the past year, researchers have observed the group targeting pharmaceutical companies in Brazil and the United States, designers and manufacturers of electronic components in Lithuania and Japan, as well as a US law firm and a US-based media organization with offices in China and Hong Kong.
“Victimology, the short lifespan of each ransomware family, and access to malware used by government-sponsored threat groups suggest Bronze Starlight’s primary motivation may be intellectual property theft or cyber espionage rather than financial gain,” the research team from Secureworks’ Counter Threat Unit said in an analysis Thursday. “Ransomware could prevent responders from identifying the true intent of threat actors and reduce the likelihood of attributing malicious activity to a Chinese government-sponsored threat group.”
Researchers believe the threat group is using ransomware in these incidents to exfiltrate data and to encrypt it in order to destroy any forensic evidence of espionage activities. The use of ransomware can also distract investigators from the true nature of the activity, as they would instead focus on returning the business to normal operations. In addition to victimology, the operational cadence of these five ransomware families does not appear to align with conventional financially motivated cybercrime operations, the researchers said.
“In each case, the ransomware targets a small number of victims over a relatively brief period of time before ceasing its operations, seemingly permanently,” they said.