Chinese APT ‘Bronze Starlight’ Uses Ransomware to Disguise Cyberespionage

A China-linked state-sponsored hacking group named Bronze Starlight was observed deploying various ransomware families to hide the true intent of its attacks.

In attacks observed as early as mid-2021, the threat group started using the HUI Loader to drop ransomware such as AtomSilo, LockFile, Night Sky, Pandora, and Rook.

The short lifespan of each ransomware family, victimology, and the access to tools employed by Chinese nation-state threat actors (including known vulnerabilities and the HUI Loader) led researchers with cybersecurity firm Secureworks to believe that Bronze Starlight is likely interested in cyberespionage and intellectual property (IP) theft rather than financial gain.

Since at least 2015, HUI Loader has been used for the delivery of remote access trojans (RATs) and other types of malware, including Cobalt Strike, QuasarRAT, PlugX, and SodaMaster.

Starting in 2021, the loader has been used in campaigns focused on intellectual property theft, with two distinct clusters of activity identified: Bronze Riverside (APT10), which has been focusing on compromising Japanese organizations, and Bronze Starlight, which employs ransomware to distract incident responders and likely to destroy evidence of intrusion.

Secureworks analyzed the aforementioned five ransomware families – which were linked to HUI Loader samples that used to deploy Cobalt Strike Beacon – and discovered that they were built from two distinct codebases: an early one for AtomSilo and LockFile, and a more recent one – most likely based on leaked Babuk ransomware source code – for Night Sky, Pandora, and Rook.

“The use of HUI Loader to load Cobalt Strike Beacon, the Cobalt Strike Beacon configuration information, the C2 infrastructure, and the code overlap suggest that the same threat group is associated with these five ransomware families,” the researchers note.

The cybersecurity firm also discovered that the same network had been compromised by both Bronze Starlight and Bronze University, which deployed the ShadowPad malware. The intrusions started in November 2021 and overlapped for several weeks.

“The simultaneous and continued operations by another Chinese threat group on the same network suggests that the two groups may have deconflicted their post-intrusion activity. This scenario assumes collaboration and knowledge sharing between the groups. It could indicate that Bronze Starlight participates in government-sponsored intelligence-gathering efforts rather than being a purely financially motivated threat group,” Secureworks notes.

What’s more, the victimology and operational cadence of the five ransomware families do not align with the operations typically associated with financially-motivated threat actors.

Of a total of 21 known victims associated with AtomSilo, Night Sky, Pandora, and Rook, roughly 15 are of interest to Chinese state-sponsored cyberespionage groups. These include pharmaceutical companies, electronic component designers and manufacturers, a media company, and the aerospace and defense unit of an Indian conglomerate.

Related: Chinese Cyberespionage Group Starts Using New ‘PingPull’ Malware

Related: Chinese Hackers Adding Backdoor to iOS, Android Web3 Wallets in ‘SeaFlower’ Campaign

Related: Chinese Threat Actors Exploiting ‘Follina’ Vulnerability