Security researchers at Secureworks Inc.’s Counter Threat Unit today published a new report on a Chinese hacking group suspected of deploying ransomware as a smokescreen for espionage.
The group, called Bronze Starlight, has been active since early 2021. It compromises networks by exploiting vulnerabilities in network perimeter devices, including known vulnerabilities for which patches are available. After exploiting these vulnerabilities, the group typically deploys a HUI Loader to decrypt and execute a Cobalt Strike Beacon for command and control.
Having gained access, Bronze Starlight deploys ransomware and exfiltrates sensitive data from the victim’s environment. Ransomware used by Bronze Starlight in the past includes LockFile, AtomSilo, Rook, Night Sky and Pandora. All five are believed to have been developed by the group, as AtomSilo, Rook, Night Sky and Pandora share similar code to LockFile.
The researchers believe that Bronze Starlight is likely state-sponsored given its methodology, since the HUI Loader has been observed in use only by threat groups in China. Though it’s unconfirmed, it’s believed there could be collaboration between Bronze Starlight and other state-sponsored threat groups in China.
A Chinese hacking group deploying ransomware and then demanding a ransom payment is not new. What makes Bronze Starlight interesting is that the researchers believe the ransomware is being deployed as a smokescreen for espionage.
“The ransomware could distract incident responders from identifying the threat actors’ true intent and reduce the likelihood of attributing the malicious activity to a government-sponsored Chinese threat group,” the researchers noted.
In each case, the ransomware targets a small number of organizations over a short period before ceasing. Secureworks CTU researchers estimate that 75% of these would be of interest to Chinese government-sponsored groups given the victims’ geographic location and industry verticals.
Known victims of Bronze Starlight include a pharma company in Brazil and the U.S., a U.S.-based media organization, and electronic component designers and manufacturers in Lithuania and Japan.
The report states that network defenders should implement a robust patch management process to address network perimeter vulnerabilities in a timely manner. However, breaches can occur even with preventive measures in place.
“Reactive measures such as a robust and tested incident response plan, real-time network monitoring and alerting, and an extended detection and response solution are crucial for minimizing the impact of ransomware and other malicious activity,” the researchers concluded.