Chinese-linked cyberespionage campaigns are increasingly deploying ransomware to either make money, distract their adversaries, or make it harder to attribute their activities, according to researchers from SentinelLabs and Recorded Future. This shift marks a change from the traditional practices of state-backed hackers, who previously avoided using ransomware.
A report published on Wednesday found that ransomware attacks in 2022, including those on the Brazilian presidency and the All India Institute of Medical Sciences (AIIMS), were actually the work of a Chinese-linked cyberespionage group known as ChamelGang or CamoFei.
By employing ransomware, these cyberespionage groups can obscure their true identity and activities, making it appear as if the attacks were carried out by independent cybercriminals instead of state-sponsored actors.
"Misattributing cyberespionage as purely financially motivated cybercrime can have strategic repercussions," the researchers noted. This is particularly concerning when ransomware attacks target government or critical infrastructure organizations.
Ransomware attacks typically lock files and data, with attackers demanding a ransom for decryption. However, sometimes the attackers never decrypt the data, turning the attack into a destructive one. This complicates efforts to restore systems and obscures the true nature of the attack, benefiting cyberespionage groups by erasing traces of their operations.
In November 2022, Delhi police labeled the AIIMS attack an act of “cyber terrorism,” with anonymous officials attributing it to Chinese hackers. Despite these allegations, the Chinese Embassy in Washington, D.C., denied involvement, emphasizing the complexity of tracing cyberattacks and the need for substantial evidence.
The report comes amid growing concerns from U.S. officials about aggressive Chinese cyber activities, such as Volt Typhoon, which are designed to influence U.S. decision-making in the event of a conflict.
While the use of ransomware in Chinese cyber operations is not unprecedented, it reflects a broader trend of state-linked groups, including Russian military intelligence, using disruptive malware to mislead and amplify psychological impact.
Ransomware acts as a smoke screen, serving various strategic goals and allowing state-aligned operations to replenish their disruptive tools more quickly.
Ben Carr, chief security and trust officer at Halcyon, suggests that this approach allows cyberespionage groups to gather intelligence and simulate more malicious activities, effectively "wargaming" potential future scenarios.