New evidence uncovered by security researchers indicates that a Chinese cyberespionage group known as ChamelGang has been deploying ransomware in some of its intrusions during the past few years, including attacks on an Indian healthcare facility and the office of the president of Brazil.
ChamelGang has been active for several years and has targeted organizations in the aviation, healthcare, and critical infrastructure sectors in several countries, including Russia, India, the United States, and Brazil. The group has typically conducted cyber espionage operations, but it is also known to use the CatB ransomware, and researchers from SentinelOne have found links connecting ChamelGang to an intrusion at the All India Institute of Medical Sciences in 2022 and another at the Presidency of Brazil that involved the use of CatB.
Though cyber espionage groups are, by definition, mostly interested in stealing information, it is not unprecedented for them to conduct financially motivated operations, as well. This is quite common among North Korean APT groups, some of which are deeply involved in cryptocurrency theft and other financially motivated intrusions. But SentinelOne’s research, which was conducted in cooperation with Recorded Future, shows evidence that ChamelGang has joined the ranks of APT groups deploying ransomware.
“This research highlights the strategic use of ransomware by cyberespionage actors for financial gain, disruption, or as a tactic for distraction or misattribution. The use of ransomware as part of cyber espionage activities may result in their misattribution as financially-motivated operations. To further misguide attribution efforts, APT groups may purchase ransomware shared by multiple cybercriminal actors. Ransomware also provides cover for the true motive behind the central component of cyberespionage operations, data exfiltration, which is also carried out by ransomware actors that follow a multi-extortion model,” the research report says.
“The use of ransomware by cyberespionage threat groups blurs the lines between cybercrime and cyberespionage.”
“Further, we suspect that in late 2022, ChamelGang was responsible for attacks on the Presidency of Brazil and the All India Institute of Medical Sciences (AIIMS), a major Indian healthcare institution. These attacks were publicly disclosed as ransomware incidents and attribution information regarding the perpetrators has never been released. We discovered strong indicators pointing to these institutions as being targeted using ChamelGang’s CatB ransomware.”
The CatB ransomware has been publicly linked to ChamelGang in the past, as has the BeaconLoader tool used to deploy Cobalt Strike. The SentinelOne researchers uncovered technical artifacts that linked the AIIMS and Presidency of Brazil intrusions to ChamelGang, including the presence of a file named svchosts.exe, which is part of CatB ransomware deployments, and some other tell-tale files. In other intrusions last year, SentinelOne researchers observed ChamelGang using common off-the-shelf tools for privilege escalation and other tasks.
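The article names one concrete artifact a defender can hunt for: a file called svchosts.exe, a one-letter lookalike of the legitimate Windows svchost.exe. The script below is an added illustration of how a hunt query over an endpoint file inventory could surface that indicator and, more generally, any svchost.exe living outside the directories Windows normally keeps it in; it is not code from SentinelOne, Recorded Future, or the article. The legitimate directory list and the sample paths are my own assumptions, constructed for the example, and a file-name match on its own is only a lead, not attribution.

```python
from pathlib import PureWindowsPath

# Constructed sample of an endpoint file inventory (not real telemetry).
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",        # legitimate
    r"C:\Windows\SysWOW64\svchost.exe",        # legitimate (32-bit host)
    r"C:\Users\Public\svchosts.exe",           # name the article ties to CatB deployments
    r"C:\ProgramData\Temp\svchost.exe",        # real name, wrong location
    r"C:\Program Files\Vendor\app.exe",        # unrelated binary
]

# Directories where the genuine svchost.exe is expected (assumption for this example).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def classify_path(path: str) -> str:
    """Label one file path as benign or as one of two hunt hits.

    Comparisons are case-insensitive because NTFS paths are.
    """
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent = str(p.parent).lower()
    if name == "svchosts.exe":
        # Exact lookalike name reported in the article as part of CatB deployments.
        return "catb_indicator"
    if name == "svchost.exe" and parent not in LEGIT_SVCHOST_DIRS:
        # Correct name but outside the system directories: generic masquerading check.
        return "svchost_outside_system_dir"
    return "benign"


def find_suspicious(paths):
    """Return (path, label) pairs for every path that is not benign."""
    hits = []
    for path in paths:
        label = classify_path(path)
        if label != "benign":
            hits.append((path, label))
    return hits


if __name__ == "__main__":
    for path, label in find_suspicious(SAMPLE_PATHS):
        print(f"{label:28s} {path}")
```

Any hit should be followed up with the usual corroboration (file hash, signer, parent process, creation time) before it is treated as evidence of a CatB deployment.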
“We did not observe ransomware deployment in these particular intrusions; however, despite ChamelGang not necessarily using ransomware in every operation, we do not exclude the possibility that it may have occurred outside of our visibility,” the report says.
“ChamelGang uses a variety of publicly available tooling and custom malware beyond those we observed, such as Neo-reGeorg, and the DoorMe and MGDrive malware. DoorMe and MGDrive have also been associated with other suspected Chinese APT clusters.”
The SentinelOne researchers emphasized that ChamelGang’s use of ransomware is one more link in the chain of APT groups moving to expand the scope of their intrusions.
“The use of ransomware by cyberespionage threat groups blurs the lines between cybercrime and cyberespionage, providing adversaries with advantages from both strategic and operational perspectives. The operational methods of APT clusters, such as ChamelGang, the APT41 umbrella, and the recently discovered Moonstone Sleet, highlight that ransomware intrusions are not exclusively conducted by financially-motivated threat actors,” the report says.