A China-based advanced persistent threat (APT) actor, active since early 2021, appears to be using ransomware and double-extortion attacks as camouflage for systematic, government-sponsored cyberespionage and intellectual property theft.

In all of the attacks, the threat actor has used a malware loader called the HUI Loader — associated exclusively with China-backed groups — to load Cobalt Strike Beacon and then deploy ransomware on compromised hosts. Researchers at Secureworks who are tracking the group as “Bronze Starlight” say it’s a tactic they have not observed other threat actors use.

Secureworks also says it has identified organizations in multiple countries that the adversary appears to have compromised. The group’s US-based victims include a pharmaceutical company, a law firm, and a media company with offices in Hong Kong and China. Others include electronic component designers and manufacturers in Japan and Lithuania, a pharmaceutical company in Brazil, and the aerospace and defense division of an Indian conglomerate. Some three-quarters of Bronze Starlight’s victims so far are organizations that have typically been of interest to government-sponsored Chinese cyber-espionage groups.

Cycling Through Ransomware Families

Since it began operations in 2021, Bronze Starlight has used at least five different ransomware tools in its attacks: LockFile, AtomSilo, Rook, Night Sky, and Pandora. Secureworks’ analysis shows that the threat actor used a traditional ransomware model with LockFile, where it encrypted data on a victim network and demanded a ransom for the decryption key. But it switched to a double-extortion model with each of the other ransomware families. In these attacks Bronze Starlight attempted to extort victims by both encrypting their sensitive data and threatening to leak it publicly. Secureworks identified data belonging to at least 21 companies posted on leak sites associated with AtomSilo, Rook, Night Sky, and Pandora.

While Bronze Starlight appears on the surface to be financially motivated, its real mission appears to be cyberespionage and intellectual property theft in support of Chinese economic objectives, says Marc Burnard, senior consultant information security research at Secureworks. The US government last year formally accused China of using threat groups such as Bronze Starlight in state-sponsored cyber-espionage campaigns.

“The victimology, tooling, and rapid cycling through ransomware families suggest that Bronze Starlight’s intent may not be financial gain,” he says. Instead, it’s possible that the threat actor is using ransomware and double extortion as a cover to steal data from organizations of interest to China and destroy evidence of its activity.

Bronze Starlight has consistently targeted only a small number of victims over short periods of time with each ransomware family — something that threat groups don’t often do because of the overhead associated with developing and deploying new ransomware tools. In Bronze Starlight’s case, the threat actor appears to have employed the tactic to prevent drawing too much attention from security researchers, Secureworks said.

The Chinese Connection

Burnard says the threat actor’s use of the HUI Loader along with a relatively rare version of PlugX, a remote access Trojan linked exclusively to China-backed threat groups, is another sign that there’s more to Bronze Starlight than its ransomware activity might suggest.

“We believe the HUI Loader is a tool unique to Chinese state-sponsored threat groups,” Burnard says. It is not widely used, but where it has been used, the activity has been attributed to other likely Chinese threat group activity, such as one by a group dubbed Bronze Riverside that is focused on stealing IP from Japanese companies. 

“In terms of the use of the HUI Loader to load Cobalt Strike Beacons, this is one key characteristic of the Bronze Starlight activity that connects the broader campaign and five ransomware families together,” Burnard says.

Another sign that Bronze Starlight is more than just a ransomware operation involves a breach that Secureworks investigated earlier this year, where Bronze Starlight broke into a server at an organization that had previously already been compromised by another China-sponsored threat operation called Bronze University. In this incident, though, Bronze Starlight deployed the HUI Loader with Cobalt Strike Beacon on the compromised server, but it did not deploy any ransomware. 

“Again, this raises an interesting question around links between Bronze Starlight and state-sponsored threat groups in China,” Burnard says.

There’s also evidence that Bronze Starlight is learning from its intrusion activity and improving the HUI Loader’s capabilities, he adds. The version of the loader that the group used in its initial intrusions, for instance, were merely designed to load, decrypt, and execute a payload. But an updated version of the tool that Secureworks came across while responding to a January 2022 incident revealed several improvements. 

“The updated version comes with detection evasion techniques, such as disabling Windows Event Tracing for Windows [ETW] and Antimalware Scan Interface [AMSI] and Windows API hooking,” Burnard notes. “This indicates the HUI Loader is actively being developed and upgraded.”

Secureworks’ investigation shows that Bronze Starlight primarily compromises Internet-facing servers on victim organizations by exploiting known vulnerabilities. So as part of a multilayered approach to network security, network defenders should ensure that Internet-facing servers are patched in a timely manner, Burnard says. 

“While the focus is often on zero-day exploitation, we often see threat groups like Bronze Starlight exploit vulnerabilities that already have a patch available," he says.