Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Chinese APT ‘Bronze Starlight’ Uses Ransomware to Disguise Cyberespionage

A China-linked state-sponsored hacking group named Bronze Starlight was observed deploying various ransomware families to hide the true intent of its attacks.

A China-linked state-sponsored hacking group named Bronze Starlight was observed deploying various ransomware families to hide the true intent of its attacks.

In attacks observed as early as mid-2021, the threat group started using the HUI Loader to drop ransomware such as AtomSilo, LockFile, Night Sky, Pandora, and Rook.

The short lifespan of each ransomware family, victimology, and the access to tools employed by Chinese nation-state threat actors (including known vulnerabilities and the HUI Loader) led researchers with cybersecurity firm Secureworks to believe that Bronze Starlight is likely interested in cyberespionage and intellectual property (IP) theft rather than financial gain.

Since at least 2015, HUI Loader has been used for the delivery of remote access trojans (RATs) and other types of malware, including Cobalt Strike, QuasarRAT, PlugX, and SodaMaster.

Starting in 2021, the loader has been used in campaigns focused on intellectual property theft, with two distinct clusters of activity identified: Bronze Riverside (APT10), which has been focusing on compromising Japanese organizations, and Bronze Starlight, which employs ransomware to distract incident responders and likely to destroy evidence of intrusion.

Secureworks analyzed the aforementioned five ransomware families – which were linked to HUI Loader samples that used to deploy Cobalt Strike Beacon – and discovered that they were built from two distinct codebases: an early one for AtomSilo and LockFile, and a more recent one – most likely based on leaked Babuk ransomware source code – for Night Sky, Pandora, and Rook.

“The use of HUI Loader to load Cobalt Strike Beacon, the Cobalt Strike Beacon configuration information, the C2 infrastructure, and the code overlap suggest that the same threat group is associated with these five ransomware families,” the researchers note.

The cybersecurity firm also discovered that the same network had been compromised by both Bronze Starlight and Bronze University, which deployed the ShadowPad malware. The intrusions started in November 2021 and overlapped for several weeks.

Advertisement. Scroll to continue reading.

“The simultaneous and continued operations by another Chinese threat group on the same network suggests that the two groups may have deconflicted their post-intrusion activity. This scenario assumes collaboration and knowledge sharing between the groups. It could indicate that Bronze Starlight participates in government-sponsored intelligence-gathering efforts rather than being a purely financially motivated threat group,” Secureworks notes.

What’s more, the victimology and operational cadence of the five ransomware families do not align with the operations typically associated with financially-motivated threat actors.

Of a total of 21 known victims associated with AtomSilo, Night Sky, Pandora, and Rook, roughly 15 are of interest to Chinese state-sponsored cyberespionage groups. These include pharmaceutical companies, electronic component designers and manufacturers, a media company, and the aerospace and defense unit of an Indian conglomerate.

Related: Chinese Cyberespionage Group Starts Using New ‘PingPull’ Malware

Related: Chinese Hackers Adding Backdoor to iOS, Android Web3 Wallets in ‘SeaFlower’ Campaign

Related: Chinese Threat Actors Exploiting ‘Follina’ Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Jason Hogg has been named Executive Chairman of CYPFER.

HUB Cyber Security has appointed former PayPal and American Express executive Paul Parisi as its Global Chief Revenue Officer.

Cloud security startup Upwind has appointed Rinki Sethi as Chief Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.