By lconstantin, CSO Senior Writer

Unusual attack linked to Chinese APT group combines espionage and ransomware

News Analysis
13 Feb 2025, 6 mins
Advanced Persistent Threats, Hacker Groups, Ransomware

The attacker deployed a variant of the PlugX cyberespionage toolset previously associated with Chinese APT groups against a small company that they then infected with the RA World ransomware and extorted for money.


In an intriguing development, researchers have observed a ransomware actor using tools previously associated with China-based cyberespionage efforts. While mixing espionage and ransomware activities is common for North Korean APTs, it’s unusual for Chinese groups.

“The most likely scenario is that an actor, possibly one individual, was attempting to make some money on the side using their employer’s toolkit,” researchers from Broadcom’s Symantec team said in a new report on the incident.

The attack deployed a ransomware program called RA World against a medium-sized software and services company in South Asia but also used a variant of PlugX that was observed last year in multiple cyberespionage attacks against geopolitical targets: the governments of two southeastern European countries, ministries from two Southeast Asian countries, and a telecom operator from the same region.

Symantec said in its report that an “espionage actor may be moonlighting as RA World attacker” and that it is unclear why an espionage-linked bad actor would also mount a ransomware attack.

“While it is not unusual for North Korean threat actors to engage in financially motivated attacks to subsidize their operations, there is no similar history for China-based espionage threat actors, and there is no obvious reason why they would pursue this strategy.”

Ransomware groups (those who develop the malware and run the data leak site and negotiation site/chat service) regularly work with affiliates who do the actual hacking, exfiltrate data, deploy the ransomware, and then get a cut from the ransom if successful — usually the biggest portion of the ransom. So, the attacker could have been an affiliate, someone who is part of an APT group that carries out cyber espionage but also decided to work for RA World to make some money on the side — at least that’s one of Symantec’s theories.

The PlugX cyber espionage toolset

PlugX itself is a remote access trojan that has been in development since 2008 and has been used by many Chinese state-sponsored APT groups over the years. This is not unusual as toolset sharing is a known attribute of Chinese cyberespionage efforts. However, PlugX is not considered publicly available malware and is exclusively used by Chinese APTs.

The particular PlugX variant, or plug-in, that Symantec observed alongside the ransomware has previously been linked by researchers from Palo Alto Networks and Trend Micro to a Chinese APT group tracked in the industry as Mustang Panda, Earth Preta, Fireant, or PKPLUG.

In past cyberespionage attacks, this backdoor was delivered using a legitimate Toshiba executable called toshdpdb.exe that sideloaded a malicious DLL called toshdpapi.dll. This technique, known as DLL hijacking or sideloading, exploits the behavior of some legitimate applications that look for specifically named DLL files in the same directory as the parent process and load whatever they find there. The rogue DLL then extracted, decrypted and loaded a payload from a file called TosHdp.dat, which turned out to be the PlugX variant.
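The three-stage chain described above (a legitimate host EXE, a same-directory DLL, and an encrypted .dat payload beside it) is the detection opportunity for defenders. The following is an added example, not code from the article or from Symantec, that flags that pattern in Sysmon-style image-load (Event ID 7) and file-create (Event ID 11) records; all paths, signing flags and events are constructed sample data, not observed indicators, and the trusted roots are an assumption you would tune per environment.

```python
"""Flag DLL sideloading of the kind described above: an unsigned DLL loaded from the
host executable's own directory outside normal install locations, escalated when a
.dat file was also created in that directory (the encrypted-payload stage)."""
from pathlib import PureWindowsPath

# Assumed trusted roots: installed software may legitimately load DLLs from here.
TRUSTED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")

# Constructed sample events (EventID 7 = image load, EventID 11 = file create).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files (x86)\Vendor\toshdpdb.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Vendor\toshdpapi.dll", "Signed": "true"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Public\Libraries\TosHdp.dat"},
    {"EventID": 7, "Image": r"C:\Users\Public\Libraries\toshdpdb.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\Public\Libraries\toshdpdb.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\toshdpapi.dll", "Signed": "false"},
]


def _under(path: str, roots) -> bool:
    """True if path lies beneath any trusted root (Windows paths compare case-insensitively)."""
    p = PureWindowsPath(path)
    return any(PureWindowsPath(r) in p.parents for r in roots)


def detect_sideload(events, trusted_roots=TRUSTED_ROOTS):
    """Return one finding per suspicious same-directory DLL load.

    Severity is 'high' when a .dat file was created in the same directory,
    mirroring the toshdpapi.dll / TosHdp.dat pairing, otherwise 'medium'."""
    dat_dirs = {PureWindowsPath(e["TargetFilename"]).parent
                for e in events
                if e["EventID"] == 11 and e["TargetFilename"].lower().endswith(".dat")}
    findings = []
    for e in events:
        if e["EventID"] != 7:
            continue
        exe, dll = PureWindowsPath(e["Image"]), PureWindowsPath(e["ImageLoaded"])
        if dll.parent != exe.parent:              # not loaded from the EXE's own directory
            continue
        if _under(str(dll), trusted_roots):       # expected for properly installed software
            continue
        if e.get("Signed", "false").lower() == "true":
            continue                              # signed same-directory loads are common
        findings.append({"host": exe.name, "dll": dll.name, "dir": str(dll.parent),
                         "severity": "high" if dll.parent in dat_dirs else "medium"})
    return findings


if __name__ == "__main__":
    for f in detect_sideload(SAMPLE_EVENTS):
        print(f)
```

Only the unsigned load from the user-writable directory is reported; the identical host/DLL pair under Program Files is not, which is the distinction that keeps this rule usable in a fleet where the legitimate Toshiba software is installed.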

The attacker demanded a $2-million ransom

The attack that resulted in the deployment of the RA World ransomware program, as well as data exfiltration, used the same chain: toshdpdb.exe loaded toshdpapi.dll, which then decrypted TosHdp.dat, resulting in the PlugX variant being deployed. The difference is that the attacker then chose to deploy the RA World ransomware and demand a $2-million ransom.

“While no infection vector was found, the attacker later claimed that the target’s network was compromised by exploiting a known vulnerability in Palo Alto’s PAN-OS (CVE-2024-0012) firewall software,” the Symantec researchers said. “The attacker then said administrative credentials were obtained from the company’s intranet before stealing Amazon S3 cloud credentials from its Veeam server, using them to steal data from its S3 buckets before encrypting computers.”

RA World, originally known as RA Group, is a ransomware operation that first appeared in 2023 and has grown steadily since then. The group has targeted organizations from the US, Europe and Southeast Asia, with the US seeing the highest number of victims.

Based on a Palo Alto Networks analysis of victims between mid-2023 and mid-2024, the manufacturing sector was most impacted, followed by transportation and logistics, wholesale and retail, insurance, pharma, and healthcare.

APT and cybercriminal tactics are usually incompatible

The mixture of cyberespionage and ransomware activities is not unheard of, but it is a rare occurrence because these operations typically have competing goals that require different approaches. The goal of cyber espionage is intelligence collection, so remaining undetected in the victim’s network for as long as possible is a priority. Meanwhile, the data encryption part of ransomware attacks is highly visible, immediately giving away the attacker’s presence.

However, there have been cases where intelligence agencies have contracted, or forced, private hackers to do their bidding in exchange for protection from prosecution or other privileges. This has resulted in cases where some threat groups appeared to engage in both cyberespionage and financial crimes at the same time. And even though those operations were kept separate, there was an inevitable overlap of toolsets and tactics.

For example, APT41, also known as Winnti, Axiom, Barium, or Wicked Panda, is one of the oldest Chinese cyberespionage groups with its intrusion activities dating as far back as 2007. For a long time, this group operated from a front company called Chengdu 404 Network Technology Company which security experts believe acted as a contractor for China’s Ministry of State Security and the People’s Liberation Army.

China is usually seeking intelligence while North Korea has financial motives

While the group’s targeting often follows China’s geopolitical and intelligence collection interests, it has also been responsible for financially motivated attacks primarily against the online gaming industry. Several Chinese nationals who are suspected members of APT41 were indicted in the US in 2019 and 2020 and are on the FBI’s most-wanted list.

North Korean state-run APT groups regularly engage in cybercrime activities and have stolen billions of dollars in cryptocurrency and engaged in fraudulent wire transfers over the years. They have also developed and deployed ransomware. These are typical methods of funding the regime in Pyongyang, which has long been under economic sanctions.

Russia is another country with a history of intelligence agencies working with civilian hackers and cybercriminal elements, a trend that has intensified in recent years following its invasion of Ukraine. Microsoft reported last year that the Russian government appears to have outsourced some cyberespionage and sabotage operations to cybercriminal groups.