
ChamelGang Uses Ransomware to Disguise Espionage Operations


A China-backed advanced persistent threat (APT) group, known as ChamelGang or CamoFei, has been using ransomware to disguise its cyberespionage operations for the past three years, according to researchers at SentinelOne. This threat actor has recently targeted critical infrastructure organizations in East Asia and India, including an aviation organization in the Indian subcontinent and the All India Institute of Medical Sciences (AIIMS). However, ChamelGang has also targeted government and private sector organizations in the US, Russia, Taiwan, and Japan.

What sets ChamelGang apart is its regular use of a ransomware tool called CatB to distract from its cyberespionage activities. By disguising their operations as ransomware attacks, adversarial countries can evade attribution and claim plausible deniability by attributing the actions to independent cybercriminal actors rather than state-sponsored entities. This misdirection could have strategic repercussions, especially in the context of attacks on government or critical infrastructure organizations. Additionally, ransomware allows cyberespionage actors to cover their tracks by destroying evidence that would link them to data theft activities.

ChamelGang is not the only China-nexus cyberespionage group using ransomware in this manner. APT41 and Bronze Starlight are other examples of threat actors utilizing ransomware for cyberespionage purposes. According to Aleksandar Milenkoski, a senior threat researcher at SentinelOne’s SentinelLabs, cyberespionage clusters often use ransomware for disruption or financial gain. In ChamelGang’s case, ransomware is deployed towards the end of missions when covertness is no longer necessary. Ransomware can serve as a smokescreen for exfiltrating intelligence-relevant data and deflecting blame.

ChamelGang has also been identified by other security firms, including Positive Technologies and Team5, as a group focused on data theft and cyberespionage. Positive Technologies reported on the group's activities in September 2021 after investigating a breach at an energy company in which the threat actor disguised its malware and infrastructure to resemble legitimate services from major tech companies. Team5, which tracks the group as CamoFei, reports that it has been active since at least 2019 and employs a variety of malware tools in its campaigns, including Cobalt Strike, DoorMe, IISBeacon, MGDrive, and the CatB ransomware tool.

SentinelOne's research indicates that ChamelGang's recent focus on East Asia and the Indian subcontinent is driven by geopolitical tensions, regional rivalries, and a race for technological and economic superiority. In 2022 the group deployed CatB ransomware in attacks on India's AIIMS and the Brazilian government, after using tools such as BeaconLoader and Cobalt Strike in the earlier phases of those intrusions. Whether the actor pursues cyberespionage alone or also financially motivated activity, such as collecting a ransom, depends on its objectives for the particular target organization.

In conclusion, the use of ransomware as a distraction by cyberespionage groups like ChamelGang highlights the complexity of modern cyber threats. By blending ransomware with data theft and espionage operations, threat actors can evade detection and attribution, which poses significant challenges for organizations and security researchers alike. As these tactics evolve, defenders need to treat a ransomware incident as a possible cover for prior data theft and adapt their security measures accordingly.
