Chinese APT Group Likely Using Ransomware Attacks as Cover for IP Theft

A China-based Advanced Persistent Threat (APT) actor, active since early 2021, appears to be using ransomware and double-extortion attacks as camouflage for systematic, government-sponsored cyber espionage and intellectual property theft.

In all the attacks, the threat actor has used a malware loader called HUI Loader, which is exclusively associated with China-backed groups, to load Cobalt Strike Beacon and then deploy ransomware on compromised hosts. Researchers at Secureworks, which tracks the group as “Bronze Starlight”, say this is a tactic they have not observed other threat actors use.

Secureworks also says it has identified organizations in several countries that the adversary appears to have compromised. The group’s US-based victims include a pharmaceutical company, a law firm and a media company with offices in Hong Kong and China. Others include designers and manufacturers of electronic components in Japan and Lithuania, a pharmaceutical company in Brazil, and the space and defense division of an Indian conglomerate. About three-quarters of Bronze Starlight’s victims so far are organizations that have typically been of interest to government-sponsored Chinese cyber espionage groups.

Cycling through ransomware families

Since launching in 2021, Bronze Starlight has used at least five different ransomware tools in its attacks: LockFile, AtomSilo, Rook, Night Sky and Pandora. Secureworks’ analysis shows that the threat actor used a traditional ransomware model with LockFile, where it encrypted data on a victim network and demanded a ransom for the decryption key. But it switched to a double-extortion model with each of the other ransomware families. In these attacks, Bronze Starlight sought to blackmail victims by both encrypting their sensitive data and threatening to leak it publicly. Secureworks identified data belonging to at least 21 companies released at leak sites associated with AtomSilo, Rook, Night Sky and Pandora.

While Bronze Starlight on the surface appears to be financially motivated, its real mission appears to be cyber espionage and intellectual property theft in support of Chinese economic goals, says Marc Burnard, senior information security research consultant at Secureworks. Last year, the US government formally accused China of using threat groups like Bronze Starlight in state-sponsored cyber espionage campaigns.

“The victimology, the tool, and the fast-paced cycling through ransomware families suggest that Bronze Starlight’s intent may not be financial gain,” he says. Instead, it is possible that the threat actor uses ransomware and double extortion as a cover to steal data from organizations of interest to China and to destroy evidence of its activity.

Bronze Starlight has consistently targeted only a small number of victims over short periods of time with each ransomware family, something that threat groups rarely do because of the overhead of developing and deploying new ransomware tools. In the case of Bronze Starlight, the threat actor appears to have used the tactic to avoid attracting too much attention from security researchers, Secureworks said.

The Chinese connection

Burnard says the threat actor’s use of HUI Loader, along with a relatively rare version of PlugX, a remote-access Trojan linked exclusively to China-backed threat groups, is another sign that there is more to Bronze Starlight than its ransomware activity would indicate.

“We believe the HUI Loader is a tool unique to Chinese state-sponsored threat groups,” says Burnard. It is not widely used, but where it has been used, the activity has been attributed to other likely Chinese threat groups, such as Bronze Riverside, which is focused on stealing IP from Japanese companies.

“In terms of using the HUI Loader to load Cobalt Strike Beacons, this is a key feature of the Bronze Starlight activity that connects the broader campaign and five ransomware families together,” says Burnard.

Another sign that Bronze Starlight is more than just a ransomware operation involves a breach that Secureworks investigated earlier this year, in which Bronze Starlight broke into a server at an organization that had previously been compromised by another China-sponsored threat operation called Bronze University. In this incident, Bronze Starlight deployed HUI Loader with Cobalt Strike Beacon on the compromised server, but it did not deploy any ransomware.

“Again, this raises an interesting question about connections between Bronze Starlight and state-sponsored threat groups in China,” Burnard said.

There is also evidence that Bronze Starlight is learning from its intrusion activity and improving the capabilities of HUI Loader, he adds. The version of the loader that the group used in its initial intrusions, for example, was designed only to load, decrypt, and execute a payload. However, an updated version of the tool that Secureworks encountered while responding to an incident in January 2022 revealed several improvements.

“The updated version comes with detection evasion techniques, such as disabling Event Tracing for Windows [ETW] and the Antimalware Scan Interface [AMSI], and Windows API hooking,” notes Burnard. “This indicates that HUI Loader is actively being developed and upgraded.”

Secureworks’ study shows that Bronze Starlight primarily compromises Internet-facing servers at victim organizations by exploiting known vulnerabilities. So, as part of a multi-layered approach to network security, network defenders should ensure that Internet-facing servers are patched in a timely manner, Burnard says.

“While the focus is often on zero-day exploitation, we often see threat groups like Bronze Starlight exploit vulnerabilities that already have a patch available,” he says.
