So what do Chinese government-supported hackers turn to after China backed off on supporting economic espionage? Applying their APT skills to infecting companies with ransomware…at least that is the prevailing theory put forth by several security firms.
If China really did pull its previous level of support for economic espionage after its agreement with the US late last year, then those same hackers may be supplementing their income by joining the booming business of ransomware.
Security firms involved in investigating ransomware attacks that have not previously been made public told Reuters that Chinese hackers are the most likely suspects behind the attacks. It should be noted that none of the security companies could be positive that plain-old cybercrooks weren’t behind the attacks after upping their game, improving skills and purchasing tools previously used only by governments. At least a half dozen ransomware attacks in the last three months have a level of sophistication that is usually only used in state-sponsored attacks.
InGuardians CEO Jimmy Alderson told Reuters that his company investigated a ransomware attack launched with online credentials stolen six months ago in a suspected APT espionage hack. He said, “The tactics of getting access to these networks are APT tactics, but instead of going further in to sit and listen stealthily, they are used for smash-and-grab.”
Since December, the security firms Attack Research, InGuardians and G-C Partners each investigated three such ransomware attacks. Attack Research Chief Executive Val Smith believes the Chinese cyber-espionage group Codoso is the most likely candidate behind ransomware attacks in the last three months. Smith also believes “some government hackers or contractors could be out of work or with reduced work and looking to supplement their income via ransomware.”
The top dog of an incident response team at Dell SecureWorks had the most to say to Reuters. Phil Burdette said his team had investigated three cases in the last three months which involved sophisticated attackers exploiting known flaws in application servers and then installing “malicious programs” – presumably ransomware since that is what the article is about – on over 100 computers in each of the three companies. “It is obviously a group of skilled operators that have some amount of experience conducting intrusions,” Burdette said.
The targeted companies, according to Reuters, did not want to be identified and none of the ransomware attacks have previously been reported. Those victims however “included a transportation company and a technology firm that had 30 percent of its machines captured.”
Burdette suggested that victim companies may have been penetrated for cyber espionage some time ago, but now that China isn’t as supportive as it was for stealing trade secrets, the attackers are “taking as much as they could on the way out.” One of Dell cases “means access by the team spreading the ransomware was established in 2013.”
As if ransomware weren’t a booming cybercrime business right now, Reuters reported that with more sophisticated hackers jumping into the digital extortion game, it “promises to intensify the threat.”
Chinese spokespeople basically rolled their eyes and made no comments on the “rumors and speculation” that its cyber soldiers were involved in ransomware attacks on US companies.