BRONZE STARLIGHT – Chinese APT Using Short-Lived Ransomware Families for Cyberespionage Activities

A China-linked, state-backed hacking group tracked as ‘Bronze Starlight’ has been identified using several ransomware families to disguise the true objective of its intrusions: cyberespionage.

In espionage operations, ransomware is often used to obscure evidence, complicate attribution, and create several robust obstacles that distract security researchers.

In contrast to Chinese APT groups which exfiltrate sensitive information under the guise of financially motivated attacks, this is not the case with the groups sponsored by the Chinese government.


Since mid-2021, security analysts at Secureworks have detected several attacks in which the threat group used the HUI Loader and dropped the following ransomware:

  • AtomSilo
  • LockFile
  • Night Sky
  • Pandora
  • Rook

Cybersecurity experts believe that the Chinese APT group “Bronze Starlight” might be more interested in conducting cyberespionage and intellectual property theft than in financial gain.

This assessment is based on the short lifespan of each ransomware family, its victims’ experiences, and access to tools used by Chinese state-backed hackers.

In Secureworks’ analysis of hacking activity, these two clusters are clearly noticeable:

  • Bronze Riverside (APT41)
  • Bronze Starlight (APT10)

The following RATs were deployed by both groups through the HUI Loader:-

Targeting & victimology

The Cobalt Strike Beacon configurations in all three attacks using AtomSilo, Night Sky, and Pandora share a common C2 address.

Moreover, this year, HUI Loader samples were also uploaded to VirusTotal through the same source.
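
The overlap described above can be checked mechanically once indicators are extracted. The following Python sketch is an added example, not Secureworks tooling or code from the original article: it links incidents that share any indicator (C2 address or sample upload source) into clusters, including transitive links. All records, addresses (documentation ranges), source labels and the ExampleFamily names are constructed.

```python
from collections import defaultdict

# Constructed sample records: fields a beacon-config parser and a sample
# repository lookup might yield. Addresses are documentation-range placeholders.
INCIDENTS = [
    {"id": "inc-1", "family": "AtomSilo", "c2": "192.0.2.10", "uploader": "src-A"},
    {"id": "inc-2", "family": "Night Sky", "c2": "192.0.2.10", "uploader": "src-B"},
    {"id": "inc-3", "family": "Pandora", "c2": "192.0.2.10", "uploader": "src-C"},
    {"id": "inc-4", "family": "ExampleFamilyX", "c2": "198.51.100.7", "uploader": "src-D"},
    {"id": "inc-5", "family": "ExampleFamilyY", "c2": "203.0.113.5", "uploader": "src-D"},
]

def cluster_incidents(incidents, keys=("c2", "uploader")):
    """Group incidents linked, directly or transitively, by any shared indicator."""
    parent = {inc["id"]: inc["id"] for inc in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # (indicator type, value) -> first incident id carrying it
    for inc in incidents:
        for key in keys:
            value = inc.get(key)
            if not value:
                continue  # a missing indicator must never link incidents
            owner = first_seen.setdefault((key, value), inc["id"])
            parent[find(inc["id"])] = find(owner)

    clusters = defaultdict(set)
    for inc in incidents:
        clusters[find(inc["id"])].add(inc["family"])
    return sorted((sorted(f) for f in clusters.values()), key=lambda c: (-len(c), c))

def shared_indicators(incidents, key="c2"):
    """Return indicator values observed under more than one ransomware family."""
    seen = defaultdict(set)
    for inc in incidents:
        if inc.get(key):
            seen[inc[key]].add(inc["family"])
    return {v: sorted(f) for v, f in seen.items() if len(f) > 1}

if __name__ == "__main__":
    print(shared_indicators(INCIDENTS))
    for cluster in cluster_incidents(INCIDENTS):
        print(cluster)
```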

These ransomware strains do not exhibit the characteristics of typical financially motivated ransomware operations with regard to activity and victimology.

Each project focuses on a small number of victims for a brief period and is then abandoned completely.

None of these ransomware operations ever really caught the attention of the cybercrime community or became a significant threat, and all of them were abandoned prematurely.

Tactical objectives

The following tactical objectives may have been achieved with the use of ransomware by BRONZE STARLIGHT in these incidents:

  • Destroy evidence
  • Distract investigators
  • Exfiltrate data

BRONZE STARLIGHT compromises networks by exploiting weaknesses in network perimeter devices. The threat actors deploy the HUI Loader to decrypt and execute a Cobalt Strike Beacon, which they use for command and control.

After that, they deploy ransomware and carry out an exfiltration operation to get access to sensitive information on the victim’s system.

Moreover, it is unclear whether these ransomware families serve as a ruse for another malicious act. This would not be the first time ransomware has been used in this manner.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.