- Symantec researchers observed Chinese state-sponsored threat actors carrying out a ransomware attack against an Asian software and services company
- They say this is highly unusual activity for state-sponsored attackers
- The attackers demanded a $2 million ransom
Emperor Dragonfly, a Chinese state-sponsored threat actor, recently did something unusual: it deployed a ransomware encryptor on a target's network.
A report by Symantec's Threat Hunter Team, which observed the attack in late 2024, noted that it had seen the group on several occasions doing what it usually does: side-loading malicious DLL files (via a legitimate Toshiba executable) to drop backdoors and establish persistence. The objective, as is usual for state-sponsored attackers, was cyber-espionage.
The victims were mainly foreign ministries of Eastern European countries and similar government agencies. But then, in late 2024, Emperor Dragonfly was seen using the same method to establish persistence, and then drop a ransomware payload, against an Asian software and services company. The group used the RA World ransomware variant and demanded a $2 million ransom ($1 million if paid within three days).
A distraction
For Chinese state-sponsored threat actors this is highly unusual, Symantec notes. North Korean actors often engage in ransomware and use the stolen money to fund their state agencies and weapons programs. The Chinese, however, are more interested in cyber-espionage. That said, Symantec suspects that the ransomware attack in this case may have been a distraction, meant to cover the tracks of a more important operation, most likely espionage.
The initial attack vector was not disclosed, but the attackers claimed to have abused a known Palo Alto PAN-OS vulnerability (CVE-2024-0012) to breach the infrastructure. "The attacker then claimed that administrative credentials were obtained from the company's intranet before stealing Amazon S3 cloud credentials from its Veeam server, using them to steal data from its S3 buckets before encrypting computers," the researchers said.
The final step was to use the same DLL side-loading methodology.
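The DLL side-loading pattern described above (a legitimate, signed executable pulling in a malicious DLL placed next to it) is something defenders can triage from image-load telemetry. The following is an added example written for this article, not Symantec's tooling or anything from the report: a small Python heuristic over constructed records shaped like Sysmon-style image-load events. The executable names, paths and the short list of system DLL names are assumptions chosen for illustration; the rule flags an unsigned DLL whose file name collides with a Windows system DLL when it is loaded from the signed host executable's own directory rather than from the system directory.

```python
"""Heuristic triage of image-load records for DLL side-loading candidates.

Constructed example for illustration; it is not Symantec's detection logic.
The records below imitate the fields a Sysmon-style image-load event carries
(process path, loaded image path, signature status). All values are invented.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Illustrative subset of DLL names that legitimately live in the Windows system
# directory. A copy of one of these sitting next to a signed EXE in a
# user-writable folder is the classic side-loading layout. (Assumed list.)
KNOWN_SYSTEM_DLLS = {
    "version.dll", "dbghelp.dll", "userenv.dll", "wtsapi32.dll", "cryptbase.dll",
}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


@dataclass(frozen=True)
class ImageLoad:
    process_image: str    # full path of the executable that loaded the DLL
    process_signed: bool  # host EXE carries a valid Authenticode signature
    loaded_image: str     # full path of the DLL that was mapped
    dll_signed: bool      # loaded DLL carries a valid signature


def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """True when the event matches the side-loading pattern.

    Conditions, all of which must hold:
      * the loaded file is a DLL not served from the system directory,
      * it was loaded from the same directory as the host executable,
      * its file name collides with a known system DLL name,
      * the host executable is signed (trusted carrier) and the DLL is not.
    """
    if not ev.loaded_image.lower().endswith(".dll"):
        return False
    dll_dir = _dir(ev.loaded_image)
    if dll_dir.startswith(SYSTEM_DIRS):
        return False  # loaded from the system directory: the expected location
    same_dir = dll_dir == _dir(ev.process_image)
    name_collision = _name(ev.loaded_image) in KNOWN_SYSTEM_DLLS
    return ev.process_signed and same_dir and name_collision and not ev.dll_signed


def triage(events):
    """Return only the events worth an analyst's attention."""
    return [ev for ev in events if is_sideload_candidate(ev)]


# Constructed sample telemetry (hypothetical paths and binaries).
SAMPLE_EVENTS = [
    # Normal: signed app loads the real system DLL from System32.
    ImageLoad(r"C:\Program Files\Vendor\updater.exe", True,
              r"C:\Windows\System32\version.dll", True),
    # Side-loading layout: signed host, unsigned version.dll in its own folder.
    ImageLoad(r"C:\Users\Public\Libraries\vendor_tool.exe", True,
              r"C:\Users\Public\Libraries\version.dll", False),
    # Benign: signed app loads its own unsigned plugin (no system-name collision).
    ImageLoad(r"C:\Program Files\Vendor\app.exe", True,
              r"C:\Program Files\Vendor\plugin_helper.dll", False),
    # Unsigned host with unsigned dbghelp.dll: suspicious, but not the
    # "trusted carrier" pattern this rule targets, so it is left to other rules.
    ImageLoad(r"C:\Temp\build\dropper.exe", False,
              r"C:\Temp\build\dbghelp.dll", False),
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print(f"side-load candidate: {ev.process_image} -> {ev.loaded_image}")
```

In practice the signature fields come from the telemetry source or from a post-processing step that verifies Authenticode, and the system-DLL list should be generated from a clean reference host rather than hand-maintained; the rule is deliberately narrow so that it produces few hits, each of which merits a look at the host executable's publisher and the DLL's hash.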