I Spy a Ransomware Attack

The Situation: 

A recent joint report published by Recorded Future, SentinelOne, and TeamT5 revealed that several Chinese nation-state threat actors use ransomware during cyber-attacks, with the primary objective of espionage. Why use ransomware when the goal is to spy and/or steal valuable intellectual property? 

The Case for Ransoming an Espionage Victim 

Ransoming an espionage victim carries several advantages that can make it an ideal move for nation-state threat actors. First, it can cover both the true motivation and the tracks of a nation-state threat actor. Ransomware is a destructive event, which means evidence will likely be lost, including the evidence needed to paint the picture of an attacker’s kill chain. Additionally, ransomware is a known, well-documented attack scenario, so some responders and defenders will likely focus on recovery and responding to the immediate threat and stop there rather than doing a full timeline analysis. This could mean missing the additional, more subtle indicators of compromise that may point toward espionage. 

Using ransomware also muddles attribution. We attribute activity to a threat actor via how and with what they operate (we’ll do a future blog post on the Diamond Model, diving into how this is done in more detail). If a threat can mimic the operations of another group (say a run-of-the-mill ransomware operator), then their identity and true motivations can remain hidden for longer. There is also the obvious advantage of financial benefits. If a group can get the information they require to fulfill their nation-state espionage objectives and get some ransom money on the side, that’s a win-win. This is especially true for nation-states like North Korea or Iran that leverage their cyber teams to pad their country’s bottom line. 

Finally, as with all things, there are also disadvantages to ransoming an espionage victim. First, the opportunity to stealthily reattack is diminished. Ransomware is loud, and the victim organization will likely go through their network with a fine-tooth comb. In other words, if a nation-state wants to have a persistent, undetected, and long-term connection to the victim organization, ransomware is likely not a choice they will employ. Using ransomware will also likely limit the toolset and capabilities a nation-state can bring to bear. A threat actor will likely not want to use a top-tier, never-before-seen tool on a network they will soon be loudly announcing their presence on via ransomware (this carries a high probability of that tool becoming public knowledge). 

The Takeaway 

Responding to a ransomware incident is challenging. Putting your head down, responding, recovering, and moving on with life is easy. However, if your organization is in a sector that regularly deals with information that would pique the interest of an adversary nation-state (e.g., the defense industrial base), always dig deeper. Do your best to understand the full timeline of events (how the threat actor gained initial access, propagated through the network, established persistence, etc.) and what exactly they accessed. This understanding will help your organization better prevent a future attack and paint a clear picture of what exactly the threat actor was trying to accomplish: intelligence that is invaluable to the broader cybersecurity community.