ChamelGang Strikes Again: How APTs Are Using Ransomware to Mask Cyberespionage

ChamelGang, a suspected Chinese APT, is using CatB ransomware to target high-profile organizations worldwide, muddying the waters of attack attribution. Their sophisticated breaches have impacted entities from the Brazilian presidency to Indian healthcare. This cyberespionage group is redefining ransomware’s role in espionage.

Hot Take:

So, it turns out that ransomware is the Swiss Army knife of cyberespionage. Need to steal data, sow confusion, or just make life hard for your enemies? There’s a ransomware strain for that. Also, who knew that cybercriminals and spies could have so much in common—like a love for Bitcoin and ProtonMail?

Key Points:

  • ChamelGang (aka CamoFei) has been using CatB ransomware in high-profile attacks globally.
  • Targets include government organizations and critical infrastructure from 2021 to 2023.
  • Incidents include breaching the Presidency of Brazil and the All India Institute of Medical Sciences.
  • A separate cluster uses BestCrypt and BitLocker, impacting 37 organizations mainly in North America.
  • Ransomware in cyberespionage blurs the lines between APT and cybercriminal activities, complicating attribution.

ChamelGang’s Greatest Hits

Meet ChamelGang, the cyber equivalent of a chameleon, blending into the cybercrime landscape with ease. Known by the alias CamoFei, these cyber-spies have made headlines between 2021 and 2023 for their sophisticated attacks on government bodies and critical infrastructure. In November 2022, they went on a hacking spree in Brazil, targeting none other than the Presidency itself, compromising 192 computers. Imagine the chaos when ransom notes started popping up everywhere like unsolicited pop-up ads, demanding Bitcoin payments through ProtonMail. Move over, Nigerian princes; there’s a new scam in town!

Medical Mayhem

ChamelGang didn’t stop at government targets. In late 2022, they decided to play doctor by attacking the All India Institute of Medical Sciences (AIIMS). Using their trusty CatB ransomware, they caused major disruptions in healthcare services. If you think waiting at the doctor’s office is annoying, try dealing with ransomware while trying to access patient records. According to the researchers, the same M.O. was spotted in other attacks on a government entity in East Asia and an aviation organization in the Indian subcontinent. Clearly, ChamelGang is all about variety.

BestCrypt and BitLocker: The Dynamic Duo

Let’s not forget the other villains in our story. A separate cluster of activities (because why have one when you can have two?) has been using Jetico BestCrypt and Microsoft BitLocker for their nefarious deeds. These cyber baddies have impacted 37 organizations, mainly in North America, but they’ve also extended their reach to South America and Europe. Interestingly, the researchers found overlaps with past intrusions linked to suspected Chinese and North Korean APTs. And just like a good thriller, they left small breadcrumbs like the China Chopper webshell and a custom variant of the miPing tool.

Speedy Attackers

One thing is clear: these attackers are not wasting any time. The analysts report that these attacks lasted for nine days on average, but some were as quick as a couple of hours. It’s like a cyber hit-and-run, leaving defenders scratching their heads. The reason for this rapid-fire approach? It seems ransomware adds strategic and operational benefits that make it harder to pinpoint who’s behind the attack. It’s like trying to catch a ghost in the machine.

The Big Picture

So, why use ransomware in cyberespionage? Well, it turns out it’s a pretty handy tool for confusing the heck out of everyone. By blurring the lines between APT and cybercriminal activity, attackers make it harder to attribute the attack correctly. Plus, it provides a great cover for their primary goal—data theft. The attribution of past ransomware incidents to a cyberespionage threat actor like ChamelGang is new and shows that adversaries are always evolving, adapting their tactics to stay one step ahead of defenders. It’s like playing a never-ending game of whack-a-mole, but with way more at stake.
