Financially motivated hackers are helping their espionage counterparts and vice versa

On Thursday, researchers with the Symantec security firm reported on a collaboration that worked the opposite way—use by the RA World ransomware group of a “distinct toolset” that previously has been seen used only in espionage operations by a China-linked threat group.

The toolset, first spotted in July, was a variant of PlugX, a custom backdoor. Timestamps within the toolset matched those found by security firm Palo Alto Networks in the Thor PlugX variant, which company researchers linked to a Chinese espionage group tracked under the names Fireant, Mustang Panda, and Earth Preta. The variant also had similarities to the PlugX type 2 variant found by security firm Trend Micro.

Further espionage attacks involving the same PlugX variant occurred in August, when the attacker compromised the federal government of a southeastern European country. That same month, the attacker compromised a government ministry in a Southeast Asian country. In September 2024, the attacker compromised a telecoms operator in that region, and in January, the attacker targeted a government ministry in another Southeast Asian country.

Symantec researchers have competing theories concerning the reason for this collaboration:

There’s evidence to suggest that this attacker could have been involved in ransomware for a while. In a report on RA World attacks, Palo Alto said that it had found some links to Bronze Starlight (aka Emperor Dragonfly), a China-based actor that deploys different ransomware payloads. One of the tools utilized in this ransomware attack was a proxy tool called NPS, which was created by a China-based developer. This has previously been utilized by Bronze Starlight. SentinelOne, meanwhile, reported that Bronze Starlight had been involved in attacks involving the LockFile, AtomSilo, NightSky, and LockBit ransomware families.

It’s unclear why an actor who appears to be linked to espionage operations is also mounting a ransomware attack. While it is not unusual for North Korean threat actors to engage in financially motivated attacks to subsidize their operations, there is no similar history for China-based espionage threat actors, and there is no obvious reason why they’d pursue this strategy.

Another possibility is that the ransomware was used to cover up evidence of the intrusion or act as a decoy to attract attention away from the true nature of the espionage attacks. Nonetheless, the ransomware deployment was not very effective at covering up the tools utilized in the intrusion, particularly those linking it back to prior espionage attacks. Secondly, the ransomware target was not a strategically significant organization and was something of an outlier in comparison with the espionage targets. It seems unusual that the attacker would go to such lengths to cover up the nature of their campaign. Finally, the attacker appeared to be serious about collecting a ransom from the victim and appeared to have spent time corresponding with them. This normally wouldn’t be the case if the ransomware attack was simply a diversion.

The most likely scenario is that an actor, possibly one individual, was attempting to make some money on the side using their employer’s toolkit.

Tuesday’s report from Mandiant also noted the use of state-sponsored malware by crime groups. Mandiant researchers also reported observing what they believe are Dual Motive groups that seek both financial gain and access for espionage.