Chinese APT groups [5] [7] [9], among them ChamelGang (also tracked as CamoFei), and North Korean threat actors conducted cyber-espionage operations worldwide between 2021 and 2023, in several cases behind the cover of ransomware.


ChamelGang has been linked to the 2022 attacks on the All India Institute of Medical Sciences (AIIMS) and the Presidency of Brazil, both of which involved CatB ransomware [3] [4], and to 2023 intrusions at a government entity in East Asia and an aviation organization in the Indian subcontinent [3] [4]. The group deploys CatB ransomware [9] alongside legitimate encryption software, Jetico BestCrypt [2] [3] [4] [5] [7] [9] and Microsoft BitLocker, to disguise its objectives and possibly collect a ransom on the side. The observed tradecraft overlaps with that of the Chinese group APT41 and the North Korean actor Andariel [4], including use of the China Chopper web shell and the DTrack backdoor [4]. ChamelGang's primary interest is data theft and espionage against government, healthcare [1], telecommunications [1], energy [1], water [1], and high-tech [1] organizations.

Ransomware functions here as a distraction and misattribution tactic [5]: if an intrusion is catalogued as ordinary cybercrime, the sponsoring state keeps plausible deniability against accusations of espionage [2]. The encryption and the noise around an extortion event also disrupt systems and destroy the artifacts defenders would need for attribution [5], which is why ransomware use by APT groups blurs the line between cybercrime and espionage [5]. The incidents discussed here are assessed to be state-directed espionage operations rather than financially motivated crime [2], with the ransomware serving as a diversion for the subversive activity that actually matters [2]. That makes the true motive hard to establish from the incident alone [2], and it is why collaboration between law enforcement and intelligence agencies matters: a case handled purely as a criminal matter can be a missed intelligence opportunity with strategic consequences [9].
A separate cluster of intrusions abused the same two legitimate encryption tools, BestCrypt and BitLocker, against organizations in North America [3] [4], South America [2] [3] [4], and Europe [2] [3] [4]; the methods and tooling overlap with earlier activity attributed to suspected Chinese and North Korean APT clusters [2]. As many as 37 organizations are estimated to have been affected [3] [4], most of them in the US manufacturing sector [3] [4] [5].

Chinese-linked espionage groups are increasingly folding ransomware into their operations to generate revenue [8], divert attention [7], or complicate attribution [8]; the attacks on the Brazilian presidency and AIIMS are attributed to ChamelGang/CamoFei on this basis [8]. Treating such an intrusion as independent cybercrime is exactly the outcome the sponsoring state wants [8], and mislabeling it that way has strategic repercussions [8], especially when the victim is a government or critical-infrastructure organization [8] [9]. Ransomware encrypts files and data [8]; where the operators fail to provide working decryption, the attack becomes a destructive one [8]. That suits an espionage actor, who can pose as a destructive ransomware crew while the encryption wipes the logs, tooling and other intrusion-related artifacts that attribution depends on [6] [8].
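Because BitLocker is a built-in, signed Windows component, its abuse does not trip file-based ransomware signatures; the practical detection surface is process-creation telemetry. The following is an added example, not code from any of the cited reports or from the actors' tooling: it scans Sysmon Event ID 1 style records (constructed inline) for BitLocker being switched on, locked, or stripped of its recovery protectors from the command line, and raises the severity when the parent process is a web-server worker or script host, the kind of parent a web shell such as China Chopper would have. The indicator list, the parent-process list and the sample events are this example's own assumptions.

```python
"""Flag process-creation records that look like attacker-driven BitLocker use.

Added example. Assumed (not from the cited reports): the record layout is
Sysmon Event ID 1 (Image, CommandLine, ParentImage, Computer, User), and the
rule and parent-process lists below are this example's choices.
"""
import re

# Assumed indicators: manage-bde.exe switches that start encryption, lock a
# volume, or strip the protectors needed to recover it. A bare "-status" is
# routine administration and is deliberately not listed.
MANAGE_BDE_RULES = [
    ("bitlocker-enable", re.compile(r"\s-on\s", re.I)),
    ("bitlocker-protector-delete", re.compile(r"\s-protectors\s+-delete\b", re.I)),
    ("bitlocker-lock", re.compile(r"\s-lock\s", re.I)),
    ("bitlocker-force-recovery", re.compile(r"\s-forcerecovery\b", re.I)),
]

# The same actions through the BitLocker PowerShell module.
POWERSHELL_RULES = [
    ("bitlocker-enable", re.compile(r"\bEnable-BitLocker\b", re.I)),
    ("bitlocker-protector-delete", re.compile(r"\bRemove-BitLockerKeyProtector\b", re.I)),
]

# Parents that have no business launching disk-encryption tooling: IIS/Apache
# workers (where a web shell executes) and the script hosts a dropped backdoor
# tends to use. Assumed list; extend from your own baseline.
SUSPICIOUS_PARENTS = ("w3wp.exe", "httpd.exe", "wscript.exe", "cscript.exe", "mshta.exe")


def classify(record):
    """Return an alert dict for one process-creation record, or None if benign."""
    image = record.get("Image", "").lower()
    cmdline = record.get("CommandLine", "")
    parent = record.get("ParentImage", "").lower()

    if image.endswith("manage-bde.exe"):
        rules = MANAGE_BDE_RULES
    elif image.endswith(("powershell.exe", "pwsh.exe")):
        rules = POWERSHELL_RULES
    else:
        return None

    matched = [name for name, rx in rules if rx.search(cmdline)]
    if not matched:
        return None

    # Encryption driven from a web worker or script host is the espionage-with-
    # ransomware-cover pattern; from an admin console it still deserves review.
    severity = "high" if parent.endswith(SUSPICIOUS_PARENTS) else "medium"
    return {
        "host": record.get("Computer", "?"),
        "user": record.get("User", "?"),
        "rules": matched,
        "severity": severity,
        "cmdline": cmdline,
    }


def scan(records):
    """Run classify() over an iterable of records and keep only the alerts."""
    return [alert for alert in (classify(r) for r in records) if alert]


# Constructed sample telemetry (not real victim data).
SAMPLE_EVENTS = [
    {"Computer": "FS01", "User": "IIS APPPOOL\\DefaultAppPool",
     "Image": "C:\\Windows\\System32\\manage-bde.exe",
     "CommandLine": "manage-bde -on D: -RecoveryPassword -SkipHardwareTest",
     "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe"},
    {"Computer": "FS01", "User": "CORP\\admin",
     "Image": "C:\\Windows\\System32\\manage-bde.exe",
     "CommandLine": "manage-bde -status C:",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Computer": "WS07", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\manage-bde.exe",
     "CommandLine": "manage-bde -protectors -delete C:",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Computer": "WS07", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -c Get-BitLockerVolume",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Computer": "WS07", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c Enable-BitLocker -MountPoint C: -PasswordProtector -Password $p",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["severity"], alert["host"], alert["rules"], alert["cmdline"])
```

Feed `scan()` real Sysmon or 4688 records (with command-line auditing enabled) and tune `SUSPICIOUS_PARENTS` against your own deployment tooling, which is the legitimate source of most `manage-bde -on` events in a managed fleet.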
Senior US officials have voiced concern about aggressive Chinese cyber capabilities prepositioned in sensitive US civilian networks, tracked as Volt Typhoon [8], and intended to shape US decision-making in a potential conflict [8]. Chinese use of ransomware is not new: earlier APT41 activity mixed state-sponsored espionage with possibly financially motivated actions that may have fallen outside state control [8]. Russian military intelligence has likewise used disruptive and destructive malware, including ransomware [1] [2] [6] [7] [8] [9], in its operations against Ukraine. Ransomware can temporarily mislead attribution and amplify the psychological effect of an operation [8], and it lets an actor quickly replenish its stock of disruptive tooling [8]. Within a state-aligned operation it can serve as a smokescreen for objectives ranging from intelligence collection to wargaming scenarios [8].


The use of ransomware by APT groups as cover for cyber espionage poses significant challenges for attribution and defense. Collaboration between law enforcement and intelligence agencies is essential to establishing the true motive behind these attacks and limiting their impact. As ransomware operations continue to blur the line between cybercrime and cyber espionage, organizations and governments need to treat an extortion event at a government or critical-infrastructure target as a possible espionage incident until evidence says otherwise.