Global Hackers Tied To Espionage: China's Secret Cyber Network Exposed
Hackers motivated by financial gain have joined forces with espionage groups, blurring the lines between cybercrime and state-sponsored activity. Researchers at Symantec have uncovered an unusual collaboration between the RA World ransomware group and a China-linked threat group, in which the attacker used a custom variant of the PlugX backdoor.

The PlugX variant has been linked to several high-profile espionage operations by Chinese groups, including Fireant, Mustang Panda, and Earth Preta. The toolset’s similarities to Thor PlugX, identified by Palo Alto Networks, have raised questions about the nature of this collaboration.

Symantec researchers suggest that the attacker may be motivated by a desire to generate revenue alongside their espionage activities. While it is not unprecedented for North Korean threat actors to engage in financially motivated attacks, China-based espionage groups have historically pursued more traditional espionage strategies.

The RA World ransomware group’s decision to use PlugX has led some to speculate about the motivations behind this collaboration. One theory is that the attacker may be attempting to monetize their toolkit, potentially using it to generate revenue alongside their espionage activities.

In August, the attacker compromised government institutions in Southeast Asia and Eastern Europe, further fueling speculation about the nature of this collaboration. The use of PlugX has also been linked to attacks on telecoms operators in the region, suggesting a coordinated effort between financial and espionage actors.

Palo Alto Networks has reported links between RA World ransomware and Bronze Starlight (aka Emperor Dragonfly), a China-based actor known for deploying different ransomware payloads. This involvement raises questions about the extent to which state-sponsored malware is being used by crime groups, highlighting a complex web of motivations and alliances.

The use of state-sponsored malware by crime groups has become increasingly common, with dual-motive groups seeking both financial gain and access for espionage. As Mandiant researchers note, this phenomenon underscores the blurred lines between legitimate and illicit activities in the world of cybercrime.

The RA World ransomware group’s decision to collaborate with a China-linked threat group serves as a stark reminder that the motivations behind cybercrime are often more complex than they initially seem. The collaboration has raised questions about the nature of this relationship, highlighting a complex web of alliances between financial and espionage actors.