CyberSecurity SEE

China government-affiliated hackers caught running a dangerous ransomware scam

Emperor Dragonfly, a threat actor that researchers link to Chinese state-sponsored cyber-espionage, has been observed stepping outside its usual espionage remit to deploy ransomware. Symantec's Threat Hunter Team, which tracks the group, reported that in late 2024 it saw Emperor Dragonfly run a ransomware encryptor on the network of an Asian software and services firm.

Emperor Dragonfly's established tradecraft includes DLL side-loading: a malicious DLL is placed alongside a legitimate Toshiba executable so that the trusted binary loads and runs the attacker's code, which then installs a backdoor and maintains persistence on the victim's network. Its usual targets have been foreign ministries and similar government agencies in eastern Europe, where the objective was intelligence collection rather than profit.
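The side-loading pattern described above is easy to state and worth hunting for directly: a validly signed executable loads a DLL from its own directory, outside the Windows system directories, and that DLL is unsigned, fails signature validation, or is signed by a different publisher. The following is an added example, not code from the article or from Symantec's report; it runs that heuristic over constructed Sysmon Event ID 7 (ImageLoaded) style records. All paths, publisher names and records are made up for illustration and do not describe the Toshiba binary or the DLL used in the incident.

```python
"""Hunt for DLL side-loading in Sysmon Event ID 7 (ImageLoaded) style records.

Side-loading abuses the Windows DLL search order: a legitimately signed
executable is dropped next to an attacker-controlled DLL carrying a name the
executable imports, so the trusted binary loads and runs the malicious code.
Heuristic used here: a validly signed process loads a DLL from its own
directory, outside the Windows system directories, and that DLL is unsigned,
has a failed signature check, or is signed by a different publisher.

SAMPLE_LOADS and every path/publisher name are constructed for this example;
they are not telemetry from the incident described in the article.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

SYSTEM_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
    PureWindowsPath(r"C:\Windows\WinSxS"),
)


@dataclass(frozen=True)
class ImageLoad:
    image: str              # Sysmon "Image": the process executable
    image_signer: str       # Sysmon "Signature" of the executable; "" if unsigned
    image_sig_valid: bool   # Sysmon "SignatureStatus" == Valid
    loaded: str             # Sysmon "ImageLoaded": the DLL that was mapped
    loaded_signer: str
    loaded_sig_valid: bool


def in_system_dir(path: str) -> bool:
    """True if the file lives in (or under) a Windows system directory."""
    parent = PureWindowsPath(path).parent
    return any(parent == d or d in parent.parents for d in SYSTEM_DIRS)


def sideload_reason(ev: ImageLoad):
    """Return why this load looks like side-loading, or None if it does not."""
    if not (ev.image_signer and ev.image_sig_valid):
        return None  # an unsigned host process is a different (noisier) hunt
    if PureWindowsPath(ev.loaded).parent != PureWindowsPath(ev.image).parent:
        return None  # DLL is not co-located with the executable
    if in_system_dir(ev.loaded):
        return None  # trusted binaries loading siblings in System32 is normal
    if not ev.loaded_signer or not ev.loaded_sig_valid:
        return "validly signed %s loaded unsigned or badly signed %s from its own directory" % (
            ev.image, ev.loaded)
    if ev.loaded_signer.casefold() != ev.image_signer.casefold():
        return "publisher mismatch: %s signed by %r loaded %s signed by %r" % (
            ev.image, ev.image_signer, ev.loaded, ev.loaded_signer)
    return None


def hunt(events):
    """Return (image, loaded, reason) for every suspicious load, in input order."""
    hits = []
    for ev in events:
        reason = sideload_reason(ev)
        if reason:
            hits.append((ev.image, ev.loaded, reason))
    return hits


SAMPLE_LOADS = [
    # Normal: Windows binary loading a system DLL beside it.
    ImageLoad(r"C:\Windows\System32\svchost.exe", "Microsoft Windows", True,
              r"C:\Windows\System32\kernel32.dll", "Microsoft Windows", True),
    # Normal: installed vendor tool loading its own signed helper DLL.
    ImageLoad(r"C:\Program Files\ExampleVendor\evtool.exe", "Example Vendor Inc", True,
              r"C:\Program Files\ExampleVendor\evhelper.dll", "Example Vendor Inc", True),
    # Side-load: the same signed tool copied to a writable folder, loading an unsigned sibling.
    ImageLoad(r"C:\Users\Public\Libraries\evtool.exe", "Example Vendor Inc", True,
              r"C:\Users\Public\Libraries\evhelper.dll", "", False),
    # Side-load: sibling DLL is signed, but by a different publisher than the executable.
    ImageLoad(r"C:\ProgramData\evtool\evtool.exe", "Example Vendor Inc", True,
              r"C:\ProgramData\evtool\evhelper.dll", "Unrelated Signer LLC", True),
    # Not matched: signed tool loading an unsigned DLL from elsewhere (a different hunt).
    ImageLoad(r"C:\Users\Public\Libraries\evtool.exe", "Example Vendor Inc", True,
              r"C:\Temp\plugin.dll", "", False),
]

if __name__ == "__main__":
    for _image, _loaded, reason in hunt(SAMPLE_LOADS):
        print(reason)
```

The publisher-mismatch rule is the one that catches a well-prepared attacker who signs the malicious DLL with some certificate; the unsigned rule alone misses it. Expect some benign hits from third-party software that ships unsigned plug-ins beside a signed launcher, so tune on a baseline of your own fleet before alerting.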

The attack on the Asian software and services firm broke from that pattern. After establishing persistence on the network, the group deployed the RA World ransomware and demanded a ransom of $2 million, reduced to $1 million if paid within three days.

Symantec's researchers stressed how unusual ransomware is for a Chinese state-linked actor. North Korean actors routinely use ransomware to raise funds for state agencies and weapons programs, whereas Chinese groups normally confine themselves to espionage. One explanation the researchers weighed is that the ransomware served as a distraction to draw attention away from a larger espionage operation.

Symantec did not confirm the initial access vector, but the attackers themselves claimed to have exploited a known Palo Alto Networks PAN-OS vulnerability, CVE-2024-0012 (an authentication bypass in the PAN-OS management web interface), to breach the firm's perimeter. From there they obtained administrative credentials from the company's intranet, then retrieved Amazon S3 credentials from the Veeam backup server and used them to steal data from the firm's S3 buckets before encrypting machines. The ransomware payload itself was launched with the same DLL side-loading technique the group uses for its espionage tooling.
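The S3 stage of this chain is the one most organisations never see coming: credentials a backup server legitimately holds are reused from an attacker's host to read whole buckets. Backup credentials have a narrow, predictable footprint (one host, one client, one repository bucket), which makes them a good fit for a baseline-and-deviate detector over CloudTrail. The following is an added example, not code from the article or from Symantec or Veeam; it flags S3 data-plane calls by a baselined backup principal that come from an unexpected source IP, an unexpected client, or an unexpected bucket, and bursts of GetObject calls. The principal name, IP addresses, user-agent strings, bucket name and all events are constructed for illustration. One caveat worth knowing before relying on this: CloudTrail only records object-level S3 calls such as GetObject if S3 data events are enabled on the trail, which they are not by default.

```python
"""Detect misuse of a backup server's S3 credentials in CloudTrail records.

Baseline the footprint of a backup repository credential (source host, client
user agent, repository bucket) and flag S3 data-plane calls that fall outside
it, plus bursts of GetObject calls that look like bulk exfiltration.
Requires S3 data events to be enabled on the CloudTrail trail.

BASELINE, SAMPLE_EVENTS and every name, IP and user agent are constructed for
this example; they are not real telemetry or Veeam's real client strings.
"""
from collections import Counter
from datetime import datetime

# Assumed baseline for the backup credential. Derive it from the repository's
# own history in practice; the values here are invented for the example.
BASELINE = {
    "veeam-backup-svc": {
        "source_ips": {"10.20.0.15"},          # the backup server's address
        "user_agent_prefix": "backup-agent/",  # constructed, not a real Veeam UA
        "buckets": {"corp-backup-repo"},
    }
}
DATA_PLANE = {"GetObject", "HeadObject", "CopyObject", "ListObjects", "ListObjectsV2"}
BURST_THRESHOLD = 100  # GetObject calls per principal per hour


def principal_of(event):
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "")


def check_event(event):
    """Return reason strings for one CloudTrail record (empty if it fits the baseline)."""
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") not in DATA_PLANE:
        return []
    base = BASELINE.get(principal_of(event))
    if base is None:
        return []  # not a baselined backup principal; other rules cover those
    reasons = []
    if event.get("sourceIPAddress") not in base["source_ips"]:
        reasons.append("unexpected source %s" % event.get("sourceIPAddress"))
    if not event.get("userAgent", "").startswith(base["user_agent_prefix"]):
        reasons.append("unexpected client %r" % event.get("userAgent"))
    bucket = event.get("requestParameters", {}).get("bucketName")
    if bucket not in base["buckets"]:
        reasons.append("unexpected bucket %s" % bucket)
    return reasons


def hour_of(ts):
    """Truncate a CloudTrail eventTime (ISO 8601, 'Z' suffix) to the hour."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).replace(minute=0, second=0, microsecond=0)


def detect(events):
    """Return (time, principal, eventName, reason) tuples for everything that deviates."""
    alerts, reads = [], Counter()
    for ev in events:
        who = principal_of(ev)
        for reason in check_event(ev):
            alerts.append((ev["eventTime"], who, ev["eventName"], reason))
        if ev.get("eventSource") == "s3.amazonaws.com" and ev.get("eventName") == "GetObject":
            reads[(who, hour_of(ev["eventTime"]))] += 1
    for (who, hour), n in sorted(reads.items()):
        if n > BURST_THRESHOLD:
            alerts.append((hour.isoformat(), who, "GetObject", "burst: %d object reads in one hour" % n))
    return alerts


def _ev(time, name, ip, ua, bucket, user="veeam-backup-svc"):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {
        "eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": name,
        "sourceIPAddress": ip, "userAgent": ua,
        "userIdentity": {"type": "IAMUser", "userName": user},
        "requestParameters": {"bucketName": bucket},
    }


SAMPLE_EVENTS = [
    # Routine nightly backup write from the backup server: not a read, ignored.
    _ev("2024-11-20T01:00:03Z", "PutObject", "10.20.0.15", "backup-agent/12.1", "corp-backup-repo"),
    # Routine restore test from the backup server: fits the baseline.
    _ev("2024-11-20T01:05:10Z", "GetObject", "10.20.0.15", "backup-agent/12.1", "corp-backup-repo"),
    # The same credential used from an unrelated host with a generic CLI client.
    _ev("2024-11-21T22:14:51Z", "ListObjectsV2", "198.51.100.23", "aws-cli/2.15.0", "corp-backup-repo"),
] + [
    # ... followed by a bulk download of the repository from that host.
    _ev("2024-11-21T22:%02d:%02dZ" % (15 + i // 60, i % 60), "GetObject",
        "198.51.100.23", "aws-cli/2.15.0", "corp-backup-repo")
    for i in range(120)
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Detection is the fallback; the stronger control is to not let the Veeam server hold long-lived keys with read access to the whole repository in the first place: scope the policy to the repository bucket, restrict it by source address with an `aws:SourceIp` condition, and turn on S3 Object Lock so even a stolen credential cannot delete or overwrite backups.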

The incident has drawn attention from security researchers because it may signal a shift in tactics by Chinese state-linked actors, or at least a willingness by operators with access to state espionage tooling to turn it to financially motivated ends. Defenders should not assume that a known espionage group will stop short of encryption and extortion, and should treat the espionage-style tradecraft seen here, DLL side-loading in particular, as a ransomware precursor as well.

In conclusion, the RA World attack attributed to Emperor Dragonfly shows a state-linked actor reusing its espionage toolkit and access chain, from a perimeter exploit through harvested administrative and cloud credentials to backup-server abuse, for extortion. Organisations that monitor for this tradecraft, limit what backup servers can reach in cloud storage, and share indicators with researchers and peers are better placed to contain it.
