China-Linked Hackers Unveiled in Major Ransomware Scheme


  • Symantec researchers observed Chinese state-sponsored threat actors running ransomware against an Asian software and services firm
  • They claim it’s highly unusual activity for state attackers
  • The attackers demanded $2 million in ransom

In a striking development, Emperor Dragonfly, a known Chinese state-sponsored threat actor, has deviated from its typical modus operandi by launching a ransomware attack on an Asian software and services company. This unusual tactic caught the attention of Symantec’s Threat Hunter Team, who monitored the incident in late 2024. Traditionally, this group has focused on cyber-espionage, often targeting foreign ministries in Eastern Europe and various state agencies. However, the deployment of a ransomware encryptor indicates a potential shift in strategy that merits further investigation.

Observations by Symantec

In their report, the researchers emphasized that the actions of Emperor Dragonfly were highly uncharacteristic of Chinese state-sponsored actors. The group is typically associated with intelligence gathering rather than extortion. The key points highlighted by Symantec:

  • Unusual Activity: The use of ransomware in this context is an anomaly for Chinese hackers, contrasting sharply with North Korean cyber campaigns, which frequently involve financial gain through such means.
  • Targeted Victim: The recent victim was an Asian software and services firm, marking a significant strategic divergence in targets.
  • Ransom Demand: The attackers demanded a ransom of $2 million, with a discounted offer of $1 million if paid swiftly within three days.

Interestingly, while state-sponsored actors generally favor cyber-espionage, this ransomware incident raises the question of whether the motive was merely financial gain or served as cover for deeper espionage objectives. Symantec’s analysis suggests that while ransomware is not typically part of the Chinese regime’s playbook, its appearance here might indicate an additional layer to the overarching agenda.

Attack Methodology

According to the findings, the initial attack vector employed by Emperor Dragonfly involved exploiting a known vulnerability in Palo Alto Networks’ PAN-OS (CVE-2024-0012). This breach gave the attackers access to the organization’s infrastructure, leading to the following series of actions:

  • Credential Theft: The attackers claimed to have acquired administrative credentials from the company’s intranet.
  • Data Access: They successfully stole Amazon S3 cloud credentials from the Veeam server, permitting access to sensitive data stored within S3 buckets.
  • Ransomware Deployment: After establishing persistence using malicious DLL side-loading techniques, the group initiated the encryption of the victim’s computers.

DLL side-loading lets the attackers run their own code under a legitimate, trusted application, which helps them evade security controls and lays the groundwork for maintaining control over the targeted network. By deploying the RA World ransomware variant, they further escalated the impact of their operations. This systematic approach exemplifies the sophistication and adaptability of state-sponsored threat actors, even when venturing into less familiar territory such as financial extortion.
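As an added illustration from the defender’s side (not part of the Symantec report or the article), here is a simple heuristic for the DLL side-loading step described above, run over constructed image-load telemetry. The record field names, directory list, DLL names and sample paths are all assumptions chosen for the example.

```python
"""Heuristic detection of DLL side-loading from image-load telemetry.

Added example, not from the Symantec report. Each record models an
"image loaded" event (process executable, DLL it loaded, and whether each
carries a valid code signature); the field names are assumptions.
"""
from pathlib import PureWindowsPath

# Directories where a legitimately installed, signed binary is expected to live.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed list of DLL names that normally resolve from System32. A copy of
# one of these sitting next to a signed EXE elsewhere is the classic side-load.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll"}


def _under_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def is_sideload_candidate(ev: dict) -> bool:
    """True when a signed EXE outside trusted dirs loads an unsigned DLL from
    its own directory whose file name shadows a well-known system DLL."""
    exe = PureWindowsPath(ev["process_image"])
    dll = PureWindowsPath(ev["loaded_image"])
    same_dir = str(exe.parent).lower() == str(dll.parent).lower()
    return (
        same_dir
        and not _under_trusted_dir(str(exe))
        and ev.get("process_signed") is True    # host EXE carries a valid signature
        and ev.get("loaded_signed") is not True  # the DLL beside it does not
        and dll.name.lower() in SYSTEM_DLL_NAMES
    )


def scan(events):
    """Return the subset of events that match the side-loading heuristic."""
    return [e for e in events if is_sideload_candidate(e)]


# Constructed sample telemetry for illustration (not real indicators).
SAMPLE_EVENTS = [
    {"process_image": r"C:\Users\Public\svc\updater.exe",
     "loaded_image": r"C:\Users\Public\svc\version.dll",
     "process_signed": True, "loaded_signed": False},          # side-load pattern
    {"process_image": r"C:\Program Files\Vendor\app.exe",
     "loaded_image": r"C:\Windows\System32\version.dll",
     "process_signed": True, "loaded_signed": True},           # normal load
    {"process_image": r"C:\Users\Public\svc\tool.exe",
     "loaded_image": r"C:\Users\Public\svc\helper.dll",
     "process_signed": False, "loaded_signed": False},         # unsigned, no shadowing
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("side-load candidate:", hit["process_image"], "->", hit["loaded_image"])
```

Only the first sample event matches; tune the directory and DLL lists to the environment before relying on it for alerting.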

Possible Distraction

Researchers speculate that this ransomware attack may indeed serve a more complex underlying purpose. While the immediate goal appears to be financial gain, it is plausible that it acts as a distraction to mask broader espionage efforts. As noted by Symantec, the traditional focus for the Emperor Dragonfly group has been on acquiring information and intelligence, primarily for state interests. This shift could be interpreted as follows:

  • Cover for Espionage: The ransomware operation might be a calculated ploy to divert attention from more sinister activities occurring simultaneously.
  • Funding Mechanism: While less common among Chinese state actors, the profits from such illicit endeavors could theoretically support state operations.
  • Innovation in Tactics: Engaging in ransomware may suggest an evolution in tactics, potentially influenced by techniques utilized by other state-sponsored groups, notably those from North Korea.

The complexity of modern cyber warfare necessitates astute observation and adaptability from nation-states, especially as threat actors like Emperor Dragonfly explore new avenues for both gathering intelligence and achieving financial objectives. As we delve deeper into 2025, vigilance and robust cybersecurity measures become paramount for organizations in technology-sensitive sectors.
