
Chinese-Linked Cyberespionage Groups Now Using Ransomware to Hide Activities

 

Chinese-linked cyberespionage campaigns are increasingly deploying ransomware to either make money, distract their adversaries, or make it harder to attribute their activities, according to researchers from SentinelLabs and Recorded Future. This shift marks a change from the traditional practices of state-backed hackers, who previously avoided using ransomware. 

A report published on Wednesday identified that ransomware attacks in 2022, including those on the Brazilian presidency and the All India Institute of Medical Sciences (AIIMS), were actually the work of a Chinese-linked cyberespionage group known as ChamelGang or CamoFei. 

By employing ransomware, these cyberespionage groups can obscure their true identity and activities, making it appear as if the attacks were carried out by independent cybercriminals instead of state-sponsored actors. 

"Misattributing cyberespionage as purely financially motivated cybercrime can have strategic repercussions," the researchers noted. This is particularly concerning when ransomware attacks target government or critical infrastructure organizations. 

Ransomware attacks typically lock files and data, with attackers demanding a ransom for decryption. However, sometimes the attackers never decrypt the data, turning the attack into a destructive one. This complicates efforts to restore systems and obscures the true nature of the attack, benefiting cyberespionage groups by erasing traces of their operations. 

In November 2022, Delhi police labeled the AIIMS attack an act of “cyber terrorism,” with anonymous officials attributing it to Chinese hackers. Despite these allegations, the Chinese Embassy in Washington, D.C., denied involvement, emphasizing the complexity of tracing cyberattacks and the need for substantial evidence. 

The report comes amid growing concerns from U.S. officials about aggressive Chinese cyber activities, such as Volt Typhoon, which are designed to influence U.S. decision-making in the event of a conflict. While Chinese cyber operations using ransomware are not unprecedented, the practice reflects a broader trend of state-linked groups, including Russian military intelligence, using disruptive malware to mislead investigators and amplify psychological impact.

Ransomware acts as a smoke screen, serving various strategic goals and allowing state-aligned operations to replenish their disruptive tools more quickly. Ben Carr, chief security and trust officer at Halcyon, suggests that this approach allows cyberespionage groups to gather intelligence and simulate more malicious activities, effectively "wargaming" potential future scenarios.

DDoS Attacks: Becoming More Powerful & Shorter in Duration

 

Microsoft says that it witnessed distributed denial-of-service attacks turn shorter in duration in 2022 while also becoming more effective and capable of greater impact. As per Microsoft's DDoS trends report for 2022, the United States, India, and East Asia topped the targeted regions for DDoS attacks, among others, and internet of things devices remained the preferred choice for launching these attacks. DDoS attacks in 2022 lasted less than an hour on average, and attacks lasting 1 or 2 minutes accounted for one-fourth of total attacks last year.

According to the tech giant, the attacks were shorter because bad actors required fewer resources to carry them out, and security teams are finding it difficult to defend against them using legacy DDoS controls. "Attackers frequently use multiple short attacks over the course of several hours to make the most impact while using the fewest resources," Microsoft says.

The daily average was 1,435 DDoS attacks, with the highest number being 2,215 on September 22. During the holiday season, the volume of DDoS attacks increased significantly until the last week of December.

In Azure Cloud, Microsoft documented a 3.25 terabyte-per-second attack as the "largest attack" in 2022. This is less than the previous largest known DDoS attack, which had an intensity of 3.47 TB per second at its peak.

TCP reflected amplification attacks are becoming more common and powerful, according to Microsoft, and more diverse types of reflectors and attack vectors are typically exploiting "improper TCP stack implementation in middleboxes, such as firewalls and deep packet inspection devices." Attackers impersonate the target's IP address to send a request to a reflector, such as an open server or middlebox, which then responds to the target, such as a virtual machine.

TCP reflected amplification attacks can now reach "infinite amplification" in some cases. A reflected amplified SYN+ACK attack on an Azure resource in Asia in April 2022 reached 30 million packets per second and lasted 15 seconds.

"The attack throughput was not particularly high, but there were 900 reflectors involved, each with retransmissions, resulting in a high pps rate that can bring down the host and other network infrastructure," according to the report.
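The reflected SYN+ACK pattern described above can be spotted on the victim side because the flood consists of SYN+ACK segments from many distinct sources that the host never sent a SYN to. The following detector is an added example written for this post, not code from Microsoft or the report; the protected address, thresholds, and the packet records (one legitimate handshake plus a constructed 900-reflector flood with retransmissions, mirroring the incident figures quoted) are assumptions for illustration.

```python
"""Detect a reflected SYN+ACK amplification flood from packet records.

Added example (not from the Microsoft report). Records are constructed
tuples of (timestamp_seconds, src_ip, dst_ip, tcp_flags); the protected
host, thresholds and sample traffic are assumptions for illustration.
"""
from collections import defaultdict

PROTECTED = "203.0.113.10"   # assumed victim VM address (TEST-NET-3 range)


def detect_synack_reflection(records, protected=PROTECTED,
                             window=1.0, min_reflectors=50, min_pps=1000):
    """Return a list of (window_start, distinct_reflectors, pps) alerts.

    A SYN+ACK arriving at the protected host is "unsolicited" when the host
    never sent a SYN to that source. Many distinct unsolicited sources in one
    window is the signature of an attacker spoofing the target's address
    toward reflectors; the pps figure also captures their retransmissions.
    """
    solicited = set()              # peers the protected host sent a SYN to
    windows = defaultdict(list)    # window index -> unsolicited SYN+ACK sources
    for ts, src, dst, flags in sorted(records):
        if src == protected and flags == "S":
            solicited.add(dst)
        elif dst == protected and flags == "SA" and src not in solicited:
            windows[int(ts // window)].append(src)
    alerts = []
    for widx in sorted(windows):
        sources = windows[widx]
        distinct = len(set(sources))
        pps = len(sources) / window
        if distinct >= min_reflectors and pps >= min_pps:
            alerts.append((widx * window, distinct, pps))
    return alerts


def sample_records():
    """Constructed traffic: one legitimate handshake at t=0, then a flood in
    second 5 from 900 reflectors, each retransmitting its SYN+ACK 3 times."""
    recs = [(0.0, PROTECTED, "198.51.100.1", "S"),
            (0.1, "198.51.100.1", PROTECTED, "SA")]
    for i in range(900):
        reflector = f"10.0.{i // 256}.{i % 256}"   # constructed reflector IP
        for retransmit in range(3):
            recs.append((5.0 + 0.3 * retransmit, reflector, PROTECTED, "SA"))
    return recs


if __name__ == "__main__":
    print(detect_synack_reflection(sample_records()))  # [(5.0, 900, 2700.0)]
```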

Preferred Mode of Attack for IoT Devices

According to Microsoft, adversaries preferred IoT devices to launch DDoS attacks, a trend that has been growing in recent years. During the Russia-Ukraine war in 2022, the use of IoT devices increased.

Botnets used by nation-state actors and criminal enterprises, such as Mirai, have been adapted to infect a wide range of IoT devices and support new attack vectors. "While Mirai is still a major player in the field of botnets, the threat landscape in the field of IoT malware is evolving, with new botnets emerging such as Zerobot and MCCrash," Microsoft said.

TCP attacks were the most common type of DDoS attack in 2022, accounting for 63% of all DDoS attacks recorded, followed by UDP attacks at 22%.
 
Politically motivated DDoS attacks have risen to prominence, particularly in the year since Russia's invasion of Ukraine. KillNet, a Russian hacktivist group loyal to Moscow, actively recruited volunteers to launch DDoS attacks against Western nations.

KillNet has launched 86 attacks against pro-Ukraine countries since the war began in February, according to the CyberPeace Institute, which tracks publicly disclosed attacks related to the Russia-Ukraine war.