Tim Culpan

Beware the Chinese Ransomware Attack With No Ransom

A breach by Chinese hackers of almost a dozen targets in Taiwan looked, on the surface, like just another ransomware attack: infiltrate a network, encrypt a ton of files, lock the owners out of their own systems, and wait to be paid. But this one was different for what it didn’t contain, and portends a type of threat that could stymie attempts by corporate and government leaders to make their computer systems more secure.

Semiconductor maker Powertech Technology Inc., communications provider Chunghwa Telecom Co., plastics conglomerate Formosa Petrochemical Corp. and state-run petroleum company CPC Corp. were among those hit in May 2020 by the Chinese Winnti group. Seven members were indicted by the US last year for a series of attacks that allegedly affected more than 100 high-tech and online gaming companies globally.

Instead of just finding a way into their targets and planting the malicious ColdLock software, which would later encrypt files, the attackers first prioritized the installation of backdoor code that would give them continued access to the chosen computers. That sequence of events was among the clues researchers at CyCraft Technology Corp. in Taipei used to subsequently conclude that these weren’t your run-of-the-mill, profit-seeking hackers.

CyCraft researched the breach on behalf of some victims, whom it declined to name, and subsequently identified the perpetrators as a China-based group. Taiwan’s Investigation Bureau and the US Federal Bureau of Investigation have also attributed the attack to Chinese actors. Beijing regularly denies hacking, saying that it firmly opposes and combats cyber attacks.

The shift in tactics could make one of the world’s most prolific cyber armies even more potent. By mixing its own strategy of stealth and espionage with the encryption and disruption techniques most-often deployed by Russians, Chinese state-backed entities could start deploying a new approach to distract and confuse its enemies while simultaneously stealing secrets or planting eavesdropping software.

The virtual meeting between US and Chinese leaders this week may ultimately help ease tensions. But that’s unlikely to bring a cyber ceasefire or see Beijing back away from continued network attacks against Taiwan. Last year’s hack needs to be viewed as a hint of what rivals such as the US, UK, Canada and Australia can come to expect.

In a sign of patience and focus, the attackers appear to have waited months between successfully infiltrating their targets in Taiwan and deploying the code that would encrypt the victims’ files. By contrast, in the Colonial Pipeline Co. attack this year, there was a lag of about one week between the time a virtual private network was breached to the moment an employee saw a ransom note demanding payment in cryptocurrency. Crucially in the Taiwan campaign, there was no such note. The attackers didn’t leave payment or contact details, the CyCraft team noted.

“This was not a ransom. For this group, they’re not financially motivated,” said CK Chen, a senior cybersecurity researcher at CyCraft who investigated the incident. “I think they have two reasons: hide any traces to remove evidence of their intrusion, and also some political reasons because the attack was launched one week before Taiwan’s presidential inauguration.” Tsai Ing-wen was sworn in to her second term in May 2020.

For more than a decade, Chinese hackers have waged a persistent cyber offensive against Taiwanese government, non-government and corporate targets. Taiwan also happens to be home to some of the electronics, semiconductor and military technology that China desperately wants to get its hands on.

In some cases, the goal has been to steal sensitive security intelligence; in others, theft of intellectual property and commercial secrets. But hackers generally do it quietly, maintaining stealth so victims aren’t alerted. This sustained threat has given birth to a growing ecosystem of cybersecurity teams in Taiwan that defend the frontlines in the battle against Chinese hackers, many of whom work for the state as outlined by the Justice Department in a separate indictment in July.

They tend not to launch ransomware against their victims, though it’s not unheard of. Hacking for profit is more often perpetrated by Russian groups driven purely by financial incentives. The advent of cryptocurrency, and easy access to encryption software, makes the hack-lock-ransom playbook particularly lucrative. For the Chinese, though, the motive tends to be espionage or security.

Of particular relevance to computer systems globally is the use of ransomware as a tool of distraction. With security teams on high alert against such attacks, which can cripple critical infrastructure and hobble supply chains — a Brazilian meat processor was shut down earlier this year — focus can be drawn away from an altogether different motive.

Last year’s Winnti attack appeared to have multiple goals, none of which were obvious upon first glance: cause havoc, plant backdoors, and prepare to steal information. As victims mopped up and reset their systems, researchers at CyCraft found malicious code that hadn’t been caught earlier — including malware that remained connected to servers controlled by the hackers.

“I don’t think they were expecting that to be caught by us,” said Chad Duffy, the company’s director of cloud engineering.

The hackers knew that the ransomware would be found. They barely tried to cover it up — but that wasn’t the actual goal of the operation. Instead it was a smokescreen for the mission’s true purpose, to get persistent long-term access to the systems of some of Taiwan’s biggest institutions. The same tactic can be expected against other nations.

Given that profit isn’t the major aim, the deployment of encryption attacks such as ransomware from China-based teams ought to be a red flag for security teams worldwide. The intruders may look like they’re ransacking the shop, but it’s just as likely they’re planting a bug while you’re not looking.