
Financially motivated hackers are helping their espionage counterparts and vice versa


On Thursday, researchers with the Symantec security firm reported on a collaboration that worked the other way—use by the RA World ransomware group of a “distinct toolset” that previously has been seen used only in espionage operations by a China-linked threat group.

The toolset, first spotted in July, was a variant of PlugX, a custom backdoor. Timestamps in the toolset were identical to those found by security firm Palo Alto Networks in the Thor PlugX variant, which company researchers linked to a Chinese espionage group tracked under the names Fireant, Mustang Panda, and Earth Preta. The variant also had similarities to the PlugX type 2 variant found by security firm Trend Micro.

Further espionage attacks involving the same PlugX variant occurred in August, when the attacker compromised the government of a southeastern European country. That same month, the attacker compromised a government ministry in a Southeast Asian country. In September 2024, the attacker compromised a telecoms operator in that region, and in January, the attacker targeted a government ministry in another Southeast Asian country.

Symantec researchers have competing theories about the reason for this collaboration:

There is evidence to suggest that this attacker may have been involved in ransomware for some time. In a report on RA World attacks, Palo Alto said that it had found some links to Bronze Starlight (aka Emperor Dragonfly), a China-based actor that deploys different ransomware payloads. One of the tools used in this ransomware attack was a proxy tool called NPS, which was created by a China-based developer. This has previously been used by Bronze Starlight. SentinelOne, meanwhile, reported that Bronze Starlight had been involved in attacks involving the LockFile, AtomSilo, NightSky, and LockBit ransomware families.

It is unclear why an actor who appears to be linked to espionage operations is also mounting a ransomware attack. While it is not unusual for North Korean threat actors to engage in financially motivated attacks to subsidize their operations, there is no similar history for China-based espionage threat actors, and there is no obvious reason why they would pursue this strategy.

Another possibility is that the ransomware was used to cover up evidence of the intrusion or act as a decoy to draw attention away from the true nature of the espionage attacks. However, the ransomware deployment was not very effective at covering up the tools used in the intrusion, particularly those linking it back to prior espionage attacks. Secondly, the ransomware target was not a strategically significant organization and was something of an outlier compared to the espionage targets. It seems unusual that the attacker would go to such lengths to cover up the nature of their campaign. Finally, the attacker seemed to be serious about collecting a ransom from the victim and appeared to have spent time corresponding with them. This usually wouldn’t be the case if the ransomware attack was simply a diversion.

The most likely scenario is that an actor, possibly one individual, was attempting to make some money on the side using their employer’s toolkit.

Tuesday’s report from Mandiant also noted the use of state-sponsored malware by crime groups. Mandiant researchers also reported observing what they believe are Dual Motive groups that seek both financial gain and access for espionage.


