Ransomware attacks are likely being used as cover for IP theft by a Chinese APT group.
Since early 2021, an advanced persistent threat (APT) actor headquartered in China has been conducting double-extortion and ransomware attacks as a cover for systematic, state-sponsored cyberespionage and intellectual property theft. The threat actor has consistently loaded Cobalt Strike Beacon and then deployed ransomware on compromised computers using a malware loader known as the HUI Loader, which has only ever been employed by groups with Chinese backing. Researchers investigating the “Bronze Starlight” group say this method has not been used by other threat actors.
Among the gang’s victims with US locations are a law firm, a media organization with offices in Hong Kong and China, and a pharmaceutical company. Others include a Brazilian pharmaceutical company, the aerospace and defense division of an Indian conglomerate, and electronic component designers and manufacturers in Japan and Lithuania. Companies that are frequently of interest to Chinese cyberespionage groups make up about three-quarters of Bronze Starlight’s victims so far.
Changing between families of ransomware
LockFile, AtomSilo, Rook, Night Sky, and Pandora are at least five different ransomware tools that Bronze Starlight has employed in its attacks since it started operating in 2021. With LockFile, the threat actor followed the standard ransomware methodology, encrypting data on a target network and requesting payment in exchange for the decryption key. With each of the other ransomware families, however, it switched to a double-extortion model: Bronze Starlight used these attacks to blackmail victims by encrypting their private information and threatening to publish it on leak sites connected to AtomSilo, Rook, Night Sky, and Pandora.
Despite the group’s outward appearance of being financially motivated, Bronze Starlight’s real goal may be cyberespionage and intellectual property theft in support of Chinese economic goals. Last year, the US government publicly charged China with employing threat groups like Bronze Starlight in state-sponsored cyberespionage efforts.
Bronze Starlight regularly targeted a small number of victims over brief periods with each ransomware family, something threat groups don’t frequently do because of the costs involved in creating and deploying new ransomware tools. The threat actor appears to have used this strategy to avoid attracting too much notice from security researchers.
Burnard says another indication that Bronze Starlight is more complicated than its ransomware activity suggests is the threat actor’s use of the HUI Loader and a somewhat uncommon variant of PlugX, a remote access Trojan associated only with China-backed threat groups. That PlugX variant is not frequently used, but when it is, its use has been linked to other suspected Chinese threat groups, such as one that targets Japanese companies for IP theft and goes by the name Bronze Riverside. One crucial aspect of the Bronze Starlight activity that ties the larger campaign and the five ransomware families together is the use of the HUI Loader to load Cobalt Strike Beacons.
Once more, this raises an intriguing question regarding connections between Bronze Starlight and state-sponsored threat groups in China. There is evidence that Bronze Starlight is expanding the HUI Loader’s capabilities by learning from its intrusion activity. For instance, the loader the group used during its initial breaches was only intended to load, decode, and execute a payload. In the revised version, Burnard says, “detection evasion tactics are included, such as disabling Windows Event Tracing for Windows [ETW], Antimalware Scan Interface [AMSI], and Windows API hooking.” This shows that the HUI Loader is under active development.
While the emphasis is frequently on zero-day exploitation, Bronze Starlight predominantly attacks victim companies’ Internet-facing servers by exploiting known security flaws. Therefore, according to Burnard, network defenders should make sure that Internet-accessible servers are patched promptly as part of a multilayered strategy for network security.