Chinese hackers utilize ransomware as a disguise for their activities

Researchers from SentinelOne and Recorded Future, two American companies specializing in cybersecurity, published on June 26 a report on Chinese cyber espionage actors, including the advanced persistent threat (APT) group ChamelGang. They reveal that these cybercriminal groups have been using ransomware as the final step in their cyber espionage operations since 2021.

By deploying ransomware, cybercriminals cover their tracks


Deploying ransomware during a cyber espionage operation serves the attackers as a distraction tactic, and also helps them avoid detection. To cover their tracks, different threat groups purchase ransomware that is shared among multiple cybercriminal groups. The cyberattack can then more easily be attributed to a “neutral” malicious group than to a state-sponsored one. The ransomware deployment also helps to camouflage the data theft carried out during the espionage operation, with the hackers subsequently carrying out a double extortion: one payment to decrypt the data, and a second to not disclose it.

Researchers have identified cyberattacks carried out in 2023 and attributed to the Chinese state-affiliated group ChamelGang, also known as CamoFei. One of them involved a government organization in East Asia and the other an aviation entity in the Indian subcontinent. To break into systems, the hackers leveraged publicly available tools to gain elevated privileges, before resorting to a reverse proxy to route malicious traffic. The gang also used its own malware, BeaconLoader, masquerading as other Windows services or software components.

Spoofed Domain Names and Fake SSL Certificates

In 2022, two cyberattacks were carried out against the Brazilian presidency, impacting 192 computers of the federal executive branch, and against the public group of medical universities in India. These acts were formally identified as ransomware attacks, without any claim or attribution. SentinelOne researchers discovered that these institutions were targeted using the CatB ransomware developed by ChamelGang. For the Taiwanese cybersecurity company TeamT5, which published a report on ChamelGang's activities in August, the similarities in the code, preparation mechanisms and malware artifacts (certificates, interfaces) clearly indicate that CatB is linked to ChamelGang.


The existence of ChamelGang was first revealed in 2021 by researchers from the Russian company Positive Technologies. The gang operates mainly by acquiring domain names imitating legitimate domains (belonging to Microsoft, McAfee, IBM, and GitHub among others) and placing fake SSL certificates on its servers. The cybercriminals then make malicious use of programs such as Cobalt Strike, TinyShell, BeaconLoader or DoorMe.
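As an added illustration of the defensive side of the look-alike domain tactic described above (this is example code written for this page, not code from the article or from any of the vendors it cites), the script below scans constructed TLS SNI log lines for domains that imitate a small allowlist of brands. The brand list, the homoglyph table, the distance thresholds and the sample log are all assumptions made for the example; registrable-domain extraction is simplified to the last two labels and does not consult a public suffix list.

```python
"""Flag domains that imitate well-known brands (homoglyphs, typosquats,
brand names embedded in another domain). Example code; all data is constructed."""

import re
from typing import List, Optional, Tuple

# Constructed allowlist of legitimate registrable domains and their brand names.
BRANDS = {
    "microsoft.com": "Microsoft",
    "mcafee.com": "McAfee",
    "ibm.com": "IBM",
    "github.com": "GitHub",
}

# Visually confusable sequences, folded before comparison (assumed table).
MULTI_CHAR = [("rn", "m"), ("vv", "w"), ("cl", "d")]
SINGLE_CHAR = str.maketrans("01357", "olest")


def registrable(domain: str) -> str:
    """Simplified registrable domain: last two labels, lower-cased."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(label: str) -> str:
    """Fold homoglyphs so 'rnicros0ft' compares equal to 'microsoft'."""
    for seq, repl in MULTI_CHAR:
        label = label.replace(seq, repl)
    return label.translate(SINGLE_CHAR)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str) -> Optional[Tuple[str, str, str]]:
    """Return (domain, brand, verdict) if the domain imitates a brand, else None."""
    reg = registrable(domain)
    if reg in BRANDS:
        return None  # the genuine domain or one of its subdomains
    sld = reg.split(".")[0]
    for brand_domain, name in BRANDS.items():
        brand_sld = brand_domain.split(".")[0]
        if sld == brand_sld:
            return (domain, name, "different-tld")
        if normalize(sld) == brand_sld:
            return (domain, name, "homoglyph")
        if brand_sld in sld:
            return (domain, name, "brand-embedded")
        # Short brand names get a tighter threshold to limit false positives.
        max_dist = 1 if len(brand_sld) < 6 else 2
        if levenshtein(sld, brand_sld) <= max_dist:
            return (domain, name, "typosquat")
    return None


# Constructed sample log: one TLS handshake per line, SNI extracted by regex.
SAMPLE_LOG = """\
2024-06-26T10:00:01Z src=10.0.0.12 sni=login.microsoft.com
2024-06-26T10:00:02Z src=10.0.0.12 sni=update.micros0ft.com
2024-06-26T10:00:03Z src=10.0.0.15 sni=rnicrosoft.com
2024-06-26T10:00:04Z src=10.0.0.15 sni=github-security.net
2024-06-26T10:00:05Z src=10.0.0.20 sni=mcaffee.com
2024-06-26T10:00:06Z src=10.0.0.20 sni=example.org
"""

SNI_RE = re.compile(r"\bsni=(\S+)")


def scan(log_text: str) -> List[Tuple[str, str, str]]:
    """Run classify() over every SNI value found in the log and collect hits."""
    hits = []
    for line in log_text.splitlines():
        m = SNI_RE.search(line)
        if not m:
            continue
        verdict = classify(m.group(1))
        if verdict:
            hits.append(verdict)
    return hits


if __name__ == "__main__":
    for domain, brand, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:15} {domain:28} imitates {brand}")
```

In a real deployment the brand list would be the organisation's own domains plus the vendors it trusts, and hits would be joined with certificate metadata (issuer, validity period, subject mismatch) before alerting, since a look-alike name paired with a freshly issued or self-signed certificate is a stronger signal than either alone.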

A talking point for the Chinese authorities

The hackers also exploited a series of vulnerabilities affecting Microsoft Exchange. ChamelGang then targeted energy and aeronautical companies in Russia, as well as 13 other organizations in the United States, Asia (Japan, Taiwan, Vietnam, India, Afghanistan, Nepal, Turkey) and Lithuania. Compromised government servers were discovered in particular.

Classifying an attack as ransomware has even become a pretext for senior Chinese officials to hide cyberespionage operations. In April, Lin Jian, of China's Foreign Ministry, claimed that the Volt Typhoon hacker group was a ransomware group not sponsored by any state or region. A report published in February by several American (CISA, NSA, FBI), Australian, Canadian, New Zealand and British security agencies revealed that the Volt Typhoon hacker group, sponsored by the Chinese state, had infiltrated certain American critical infrastructure for at least five years.

Encryption software also used by Chinese hacker groups

Outside of ChamelGang’s activities, SentinelOne researchers observed infiltrations into the systems of 37 organizations using the legitimate encryption software Microsoft BitLocker and Jetico BestCrypt. The hackers used this software maliciously, encrypting the endpoints to demand a ransom.

Here, the affected organizations are mostly in the manufacturing, food, financial and education sectors, in North and South America and Europe. The researchers were unable to determine with certainty whether Chinese cybercriminal groups were behind these attacks. However, they note that these infiltrations have many similarities to cyberattacks reported by the New York-based cybersecurity firm LIFARS in 2020 and the German firm DCSO in 2022. LIFARS attributed the attack it reported to the advanced persistent threat group APT41, or Double Dragon, an actor affiliated with China's Ministry of State Security and suspected of conducting financially motivated operations in addition to cyberespionage campaigns.
