Suspected Chinese APT Group ChamelGang Targets Critical Infrastructure with Ransomware
- Notable intrusions in the past three years were carried out by a Chinese cyberespionage actor targeting critical infrastructure.
- The threat group used the CatB ransomware to attack entities in India, Brazil, and more.
- Security researchers say cybercrime and cyber espionage start to mix in some cases.
Suspected Chinese APT group ChamelGang targeted the major Indian healthcare institution AIIMS and the Brazilian Presidency in 2022 using the CatB ransomware, a new report from Recorded Future and SentinelLabs says. This group’s attacks remain publicly unattributed to date.
ChamelGang also targeted an East Asian government organization and critical infrastructure sectors, including an aviation organization in the Indian subcontinent.
Cyberespionage actors are increasingly using ransomware as a final stage in their operations to gain financial gain, disrupt, distract, or remove evidence. Between 2021 and 2023, the security researchers tracked two separate activity clusters that focused on government and critical infrastructure sectors around the world.
One was associated with the suspected Chinese APT group ChamelGang (also known as CamoFei), which uses custom malware BeaconLoader and CatB ransomware. Previous ChamelGang attacks targeted critical sectors in Russia, as well as government and private organizations in other countries such as the U.S., Taiwan, and Japan.
The other appears to be linked to suspected Chinese and North Korean APT groups, most of which involved ransomware or data encryption tooling. The second malicious activity cluster affected the U.S. manufacturing sector primarily but also several industries in North America, South America, and Europe.
These attacks involved off-the-shelf tools Jetico BestCrypt and Microsoft BitLocker, which were used to encrypt endpoints and demand ransom. Between early 2021 and mid-2023, they affected 37 organizations, mostly from the manufacturing sector.