For at least three years, ChamelGang APT, also known as CamoFei, has been employing ransomware to hide its massive cyber-espionage operations. It seems likely that China is behind this advanced persistent threat (APT) group.
Researchers have discovered that ChamelGang has been active recently, focusing on critical infrastructure institutions in East Asia and India, such as the All India Institute of Medical Sciences (AIIMS) and an aviation organisation in the Indian subcontinent. The group has previously targeted the public and commercial sectors in the US, Taiwan, Japan, and Russia.
ChamelGang APT is distinctive in its use of the CatB ransomware tool to cover up its espionage activities.
By using this cover-up technique, the gang is able to hide its actual goals and destroy evidence that any data theft occurred. This strategy can have major strategic ramifications, particularly in attacks on government or vital infrastructure, as it gives adversarial nations plausible deniability by attributing operations to lone cybercriminals rather than state-sponsored attackers.
ChamelGang is not the only cyber espionage organisation with ties to China to use these strategies. APT41, which is an umbrella group for smaller subgroups, and Bronze Starlight, which targets organisations in the US and other nations, have both employed similar tactics. When remaining hidden is no longer a top concern at the end of a mission, ChamelGang typically deploys ransomware. This strategy highlights the necessity for organisations to take these factors into account when responding to ransomware attacks, since it facilitates the exfiltration of intelligence-relevant data while deflecting responsibility.
Historical data shows that ChamelGang APT has been operational since at least 2019. The gang uses a range of malware tools, including the CatB ransomware, DoorMe, IISBeacon, MGDrive, and Cobalt Strike. Their primary area of interest has been the government sector, but they have also shown interest in the high-tech, energy, water, telecommunications, healthcare, and other sectors.
According to recent assessments, geopolitical conflicts, regional rivalries, and a race for technological and economic supremacy are the driving forces behind ChamelGang’s current focus on East Asia and the Indian subcontinent. After earlier phases using tools like BeaconLoader and Cobalt Strike, the organisation used CatB ransomware in its 2022 attacks against AIIMS in India and the Brazilian government.
ChamelGang’s dual goal of combining financial gain with espionage exposes a complicated threat environment. Ransom collection has historically been incidental when threat actors use ransomware to cause disruption. But occasionally, the apparent pursuit of ransom payments may be a front for their actual goals. This layered approach highlights the need for greater awareness and comprehensive response plans in order to handle the complex nature of modern cyber threats.