- Symantec researchers observed Chinese state-sponsored threat actors running ransomware against an Asian software and services firm
- They claim it’s highly unusual activity for state attackers
- The attackers demanded $2 million in ransom
Emperor Dragonfly, a known Chinese state-sponsored threat actor, recently did something unusual – it deployed a ransomware encryptor on a target’s network.
A report from Symantec’s Threat Hunter Team, which observed the attack in late 2024, noted that the team had seen the group, on multiple occasions, doing what it usually does – side-loading malicious DLL files (via a legitimate Toshiba executable) to drop backdoors and establish persistence. The goal was, as is usual with state-sponsored attackers, cyber-espionage.
The victims were mostly foreign ministries of eastern European countries, and similar state agencies. But then, in late 2024, Emperor Dragonfly was seen using the same method to establish persistence – and then drop a ransomware payload – against an Asian software and services company. The group used the RA World ransomware variant, and demanded $2 million in ransom ($1 million if paid within three days).
A distraction
For Chinese state-sponsored threat actors, this is highly unusual, Symantec says. North Korean actors are often engaged in ransomware and use the stolen money to fund their state agencies and weapons programs. The Chinese, however, are more interested in cyber-espionage. That being said, Symantec suspects that the ransomware attack, in this case, may have been a distraction to hide the tracks of a larger operation – most likely an espionage one.
The initial attack vector was not disclosed, but the hackers did state that they abused a known Palo Alto PAN-OS vulnerability (CVE-2024-0012) to breach the infrastructure. “The attacker then said administrative credentials were obtained from the company’s intranet before stealing Amazon S3 cloud credentials from its Veeam server, using them to steal data from its S3 buckets before encrypting computers,” the researchers explained.
The final step was using the same DLL side-loading methodology.