U.S. ransomware attacks linked to Chinese hackers - Action News

U.S. ransomware attacks linked to Chinese hackers

Hackers using tactics and tools previously associated with Chinese government-supported computer network intrusions have joined the booming cybercrime industry of ransomware, four security firms that investigated attacks on U.S. companies said.

Security researchers suspect Chinese hackers are short of work due to government pact with U.S.

The level of sophistication in at least a half dozen ransomware cases over the last three months is akin to those used in Chinese state-sponsored attacks, four internet security firms told Reuters. (Associated Press)

Ransomware, which involves encrypting a target's computer files and then demanding payment to unlock them, has generally been considered the domain of run-of-the-mill cyber criminals.

But executives of the security firms have seen a level of sophistication in at least a half dozen cases over the last three months akin to those used in state-sponsored attacks, including techniques to gain entry and move around the networks, as well as the software used to manage intrusions.

"It is obviously a group of skilled operators that have some amount of experience conducting intrusions," said Phil Burdette, who heads an incident response team at Dell SecureWorks.

Burdette said his team was called in on three cases in as many months where hackers spread ransomware after exploiting known vulnerabilities in application servers. From there, the hackers tricked more than 100 computers in each of the companies into installing the malicious programs.

The victims included a transportation company and a technology firm that had 30 per cent of its machines captured.

Security firms Attack Research, InGuardians and G-C Partners said they had separately investigated three other similar ransomware attacks since December.

Chinese Foreign Ministry spokesman Lu Kang said China did not have time to respond to what he called 'rumours and speculation' about the country's online activities. (Kim Kyung-Hoon/Reuters)

Although they cannot be positive, the companies concluded that all were the work of a known advanced threat group from China, Attack Research Chief Executive Val Smith told Reuters.

The ransomware attacks have not previously been reported. None of the companies that were victims of the hackers agreed to be identified publicly.

China calls allegations 'rumours and speculation'

Asked about the allegations, China's Foreign Ministry said on Tuesday that if they were made with a "serious attitude" and reliable proof, China would treat the matter seriously.

But ministry spokesman Lu Kang said China did not have time to respond to what he called "rumours and speculation" about the country's online activities.

The security companies investigating the advanced ransomware intrusions have various theories about what is behind them, but they do not have proof and they have not come to any firm conclusions.

Ransomware operators generally set modest prices that many victims are willing to pay, and they usually do decrypt the files, which ensures that victims will post positively online about the transaction, making the next victims who research their predicament more willing to pay. (Ryan Remiorz/Canadian Press)

Most of the theories flow from the possibility that the Chinese government has reduced its support for economic espionage, which it pledged to oppose in an agreement with the United States late last year. Some U.S. companies have reported a decline in Chinese hacking since the agreement.

Smith said some government hackers or contractors could be out of work or with reduced work and looking to supplement their income via ransomware.

It is also possible, Burdette said, that companies which had been penetrated for trade secrets or other reasons in the past were now being abandoned as China backs away, and that spies or their associates were taking as much as they could on the way out. In one of Dell's cases, the means of access by the team spreading ransomware was established in 2013.

The cyber security experts could not completely rule out more prosaic explanations, such as the possibility that ordinary criminals had improved their skills and bought tools previously used only by governments.

Dell said that some of the malicious software had been associated by other security firms with a group dubbed Codoso, which has a record of years of attacks of interest to the Chinese government, including those on U.S. defense companies and sites that draw Chinese minorities.

Payment in bitcoin

Ransomware has been around for years, spread by some of the same people that previously installed fake antivirus programs on home computers and badgered the victims into paying to remove imaginary threats.

In the past two years, better encryption techniques have often made it impossible for victims to regain access to their files without cooperation from the hackers. Many ransomware payments are made in the virtual currency Bitcoin and remain secret, but institutions including a Los Angeles hospital have gone public about ransomware attacks.

Ransomware operators generally set modest prices that many victims are willing to pay, and they usually do decrypt the files, which ensures that victims will post positively online about the transaction, making the next victims who research their predicament more willing to pay.

Security software companies have warned that because the aggregate payoffs for ransomware gangs are increasing, more criminals will shift to it from credit card theft and other complicated scams.

The involvement of more sophisticated hackers also promises to intensify the threat.

InGuardians CEO Jimmy Alderson said one of the cases his company investigated appeared to have been launched with online credentials stolen six months earlier in a suspected espionage hack of the sort typically called an Advanced Persistent Threat, or APT.

"The tactics of getting access to these networks are APT tactics, but instead of going further in to sit and listen stealthily, they are used for smash-and-grab," Alderson said.