Financially Motivated Hackers Collaborate with Spies

Ransomware Group Uses Toolset Normally Seen in Espionage Operations

Researchers at the security firm Symantec have discovered a collaboration between a ransomware group and a group typically associated with espionage operations.

Distinct Toolset Used by Ransomware Group

The toolset, first spotted in July, is a variant of PlugX, a custom backdoor. The timestamps in the toolset are identical to those found in the Thor PlugX variant, which was linked to a Chinese espionage group tracked under the names Fireant, Mustang Panda, and Earth Preta. The variant also has similarities to the PlugX type 2 variant found by Trend Micro.
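The link above rests on identical build timestamps across samples. As an added illustration (this is not Symantec's tooling, and the article does not say which timestamps were compared), the following script assumes they are the PE COFF TimeDateStamp values and shows how a defender would extract that field from a set of binaries and surface the samples that share one, while discarding zeroed or future timestamps that are more likely forged than meaningful. The sample names, timestamps and the minimal PE images are constructed inline so the script runs offline.

```python
from __future__ import annotations

import struct
from collections import defaultdict
from datetime import datetime, timezone

# Offsets from the PE/COFF specification.
E_LFANEW_OFFSET = 0x3C       # DWORD in the DOS header pointing at "PE\0\0"
COFF_TIMESTAMP_OFFSET = 4    # TimeDateStamp sits after Machine and NumberOfSections
COFF_HEADER_SIZE = 20


def build_minimal_pe(timestamp: int, machine: int = 0x8664) -> bytes:
    """Construct a minimal PE image (DOS header, PE signature, COFF header)
    carrying the given TimeDateStamp. Constructed test data, not a real sample."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, timestamp, 0, 0, 0, 0x0002)
    return bytes(dos) + b"PE\x00\x00" + coff


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp of a PE image, validating headers first."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    coff_start = e_lfanew + 4
    if coff_start + COFF_HEADER_SIZE > len(data) or data[e_lfanew:coff_start] != b"PE\x00\x00":
        raise ValueError("not a PE file: bad e_lfanew or PE signature")
    (ts,) = struct.unpack_from("<I", data, coff_start + COFF_TIMESTAMP_OFFSET)
    return ts


def timestamp_is_plausible(ts: int, now: int) -> bool:
    """Zeroed or future timestamps are common signs of timestamp stomping
    and should not be used as linking evidence."""
    return 0 < ts <= now


def shared_timestamps(samples: dict[str, bytes], now: int) -> dict[int, list[str]]:
    """Group samples by plausible TimeDateStamp. Only groups of two or more
    samples are returned, since a shared timestamp is the overlap of interest."""
    groups: dict[int, list[str]] = defaultdict(list)
    for name, data in samples.items():
        try:
            ts = pe_timestamp(data)
        except ValueError:
            continue  # not a PE image; a real pipeline would log and move on
        if timestamp_is_plausible(ts, now):
            groups[ts].append(name)
    return {ts: sorted(names) for ts, names in groups.items() if len(names) > 1}


# Constructed sample set (hypothetical names): two files sharing a timestamp,
# one unrelated, one with a stomped (zero) timestamp, one that is not a PE at all.
NOW = 1_735_689_600  # 2025-01-01T00:00:00Z, fixed so the run is reproducible
SAMPLES = {
    "espionage_loader.bin": build_minimal_pe(1_594_200_000),
    "ransomware_loader.bin": build_minimal_pe(1_594_200_000),
    "unrelated.bin": build_minimal_pe(1_600_000_000),
    "stomped.bin": build_minimal_pe(0),
    "notes.txt": b"plain text, not an executable",
}

if __name__ == "__main__":
    for ts, names in shared_timestamps(SAMPLES, NOW).items():
        when = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
        print(f"{when}: {', '.join(names)}")
```

A shared compile timestamp on its own is weak evidence, since the field is trivially editable; in practice it is combined with other overlaps (code similarity, shared infrastructure, shared tooling such as the NPS proxy mentioned later in the article) before any attribution is made.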

Recent Espionage Attacks

Further espionage attacks involving the same PlugX variant occurred in August, when the attacker compromised the government of a southeastern European country. That same month, the attacker also compromised a government ministry in a Southeast Asian country. In September 2024, the attacker compromised a telecoms operator in that region, and in January, the attacker targeted a government ministry in another Southeast Asian country.

Theories Behind the Collaboration

Symantec researchers have competing theories about the reason for this collaboration. One theory is that the attacker may have been involved in ransomware for some time. In a report on RA World attacks, Palo Alto said that it had found some links to Bronze Starlight (aka Emperor Dragonfly), a China-based actor that deploys a range of ransomware payloads. One of the tools used in this ransomware attack was a proxy tool called NPS, created by a China-based developer, which has previously been used by Bronze Starlight. SentinelOne, meanwhile, reported that Bronze Starlight had been involved in attacks involving the LockFile, AtomSilo, NightSky, and LockBit ransomware families.

Alternative Theories

Another possibility is that the ransomware was used to cover up evidence of the intrusion or to act as a decoy, drawing attention away from the true nature of the espionage attacks. However, the ransomware deployment was not very effective at covering up the tools used in the intrusion, particularly those linking it back to prior espionage attacks. Additionally, the ransomware target was not a strategically significant organization and was something of an outlier compared to the espionage targets; it seems unusual that the attacker would go to such lengths to disguise the nature of their campaign against it. Finally, the attacker seemed serious about collecting a ransom from the victim and appeared to have spent time corresponding with them, which is not typically the case when a ransomware attack is simply a diversion.

Most Likely Scenario

The most likely scenario is that an actor, possibly one individual, was attempting to make some money on the side using their employer’s toolkit.

Conclusion

This unusual collaboration between a ransomware group and an espionage group highlights the complex and evolving nature of cyber threats. It also underscores the need for continued vigilance and cooperation between security researchers, law enforcement, and the private sector to combat these threats.

FAQs

  • Q: What is PlugX?
    A: PlugX is a custom backdoor used by an espionage group.
  • Q: What is the connection between the ransomware and espionage groups?
    A: The ransomware group used a toolset typically seen in espionage operations, suggesting a possible collaboration or use by the same actor.
  • Q: Why did the attacker use ransomware?
    A: Theories include making money on the side, covering up evidence of the intrusion, or drawing attention away from the true nature of the espionage attacks.
  • Q: What is the most likely scenario?
    A: The most likely scenario is that an individual was attempting to make money on the side using their employer’s toolkit.
