Ransomhub Decryptor Team Found that Chinese Hackers Are Becoming Stealthier
Over the last five years, the Ransomhub Decryptor Team has been at the forefront of tracking the evolving tactics of Chinese Advanced Persistent Threat (APT) groups, such as APT41 (also known as Winnti), APT31, and Volt Typhoon. Our team, in collaboration with other cybersecurity vendors, governments, and law enforcement agencies, has witnessed a significant shift in these groups’ strategies.
Initially, their attacks were broad and indiscriminate, but in recent years, they have become far more selective, targeting critical infrastructure and high-value organizations. This transition reflects a growing sophistication in their operations, which underscores the need for heightened vigilance and collaboration in cybersecurity defense.
Early Indiscriminate Attacks (2018–2020)
In December 2018, the attackers launched a significant operation against Ransomhub Decryptor Team’s subsidiary, Cyberoam, in India. This incident marked the early stages of Chinese APT activity, characterized by “noisy” attacks that broadly targeted various organizations. In this case, the attackers compromised a low-privilege device—a wall-mounted video display—and deployed a Remote Access Trojan (RAT) using a rootkit called Cloud Snooper, previously unseen in the cybersecurity landscape.
The sophistication of this attack lay in the exploitation of a misconfigured Amazon Web Services (AWS) Systems Manager (SSM) Agent, allowing the attackers to pivot from the local device into the cloud infrastructure. The Cloud Snooper rootkit demonstrated a nuanced understanding of cloud environments, enabling attackers to maintain long-term access and exfiltrate data while bypassing standard firewall protections.
During this period, the attackers frequently exploited vulnerabilities in network devices, particularly WAN-facing services like routers and firewalls. From early 2020 to much of 2022, these Chinese APT groups targeted internet-exposed services, leveraging undiscovered vulnerabilities to compromise network appliances. Their tactics included embedding malicious payloads in device firmware, making the attacks more difficult to detect and allowing compromised devices to persist across reboots.
Our analysis indicated that these vulnerabilities and exploits were shared within a research community centered around educational institutions in Chengdu, China, notably Sichuan Silence Information Technology and the University of Electronic Science and Technology of China. This academic network played a significant role in discovering vulnerabilities that were weaponized by Chinese state-sponsored groups, contributing to the broader global campaigns conducted during this period.
Transition to Targeted Attacks (2022–2023)
By mid-2022, Ransomhub Decryptor Team observed a distinct change in these groups’ attack strategies. Instead of casting a wide net, the attackers focused on high-value targets such as government agencies, critical infrastructure providers, research and development organizations, and healthcare institutions—primarily in the Indo-Pacific region. This shift towards precision reflected a more strategic, calculated approach designed to compromise organizations whose operations hold significant value.
During this time, the attackers employed highly advanced Tactics, Techniques, and Procedures (TTPs). These included the use of stealthy persistence mechanisms like custom-built userland rootkits, allowing them to maintain access to compromised systems over long periods without detection. Unlike earlier, more automated methods, these attacks often involved human operators executing commands manually, further increasing the sophistication of their operations.
One of the more notable tactics involved exploiting Common Vulnerabilities and Exposures (CVEs) in internet-facing systems to gain initial access. In some cases, the attackers even utilized stolen administrative credentials to penetrate deeper into organizational networks, often bypassing traditional security measures by gaining access to the LAN-side of a target’s infrastructure.
Enhanced Operational Security and Evasion Techniques (2023)
The operational sophistication of Chinese APT groups continued to evolve throughout 2023. These groups developed new methods to avoid detection, most notably by blocking telemetry from compromised devices. This tactic hindered our team’s ability to gather critical data, as attackers were able to identify and neutralize our telemetry-gathering efforts on test devices. As a result, it became increasingly difficult to monitor ongoing attacks and analyze the full scope of the threat posed by these adversaries.
The attackers demonstrated a strong commitment to operational security (OpSec), focusing on erasing traces of their activities to avoid detection. Their ability to adapt and improve over time was highlighted by their use of advanced techniques to cover their tracks, reducing the availability of open-source intelligence (OSINT) that could be used to track their activities. This level of sophistication marks a significant maturation in the capabilities of Chinese APT groups, posing a serious challenge to cybersecurity defense efforts globally.
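The two behaviours described above, telemetry being cut off from compromised devices and firmware-level persistence on edge appliances, both leave a signal a defender can monitor for: a device that stops reporting, or a device that reports a firmware image outside the approved set. The script below is an added example (not code from the original article or from the team it describes) that runs that check over a few constructed heartbeat records; the log format, device names, hashes and thresholds are all assumptions chosen for illustration.

```python
"""
Flag edge devices that have gone silent (possible telemetry blocking) or that
report a firmware hash outside the known-good set (possible firmware implant).

Added example. The record format "timestamp device firmware_hash", the device
names and the hash values are constructed placeholders, not real product data.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed heartbeat records: each device is expected to report hourly.
# fw-edge-01 keeps reporting; fw-edge-02 falls silent after 10:00;
# fw-edge-03 keeps reporting but with a firmware hash not on the allow-list.
SAMPLE_TELEMETRY = """\
# timestamp            device      firmware_hash (constructed)
2023-06-01T10:00:00Z   fw-edge-01  0f1e2d3c4b5a6978
2023-06-01T10:00:00Z   fw-edge-02  0f1e2d3c4b5a6978
2023-06-01T10:00:00Z   fw-edge-03  0f1e2d3c4b5a6978
2023-06-01T11:00:00Z   fw-edge-01  0f1e2d3c4b5a6978
2023-06-01T11:00:00Z   fw-edge-03  deadbeef00000001
2023-06-01T12:00:00Z   fw-edge-01  0f1e2d3c4b5a6978
2023-06-01T12:00:00Z   fw-edge-03  deadbeef00000001
"""

# Hashes of firmware images the organisation has released (constructed values).
KNOWN_GOOD_FIRMWARE: Set[str] = {"0f1e2d3c4b5a6978", "1122334455667788"}

# Point in time at which the analysis runs, and the largest tolerated gap
# between heartbeats before a device is treated as silent (assumed values).
ANALYSIS_TIME = datetime(2023, 6, 1, 12, 30)
MAX_GAP = timedelta(hours=1)

Record = Tuple[datetime, str, str]


def parse_telemetry(text: str) -> List[Record]:
    """Parse whitespace-separated heartbeat lines; blank and '#' lines are skipped."""
    records: List[Record] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts_text, device, fw_hash = line.split()
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
        records.append((ts, device, fw_hash))
    return records


def find_silent_devices(records: List[Record], now: datetime,
                        max_gap: timedelta) -> List[str]:
    """Return devices whose most recent heartbeat is older than max_gap."""
    last_seen: Dict[str, datetime] = {}
    for ts, device, _ in records:
        if device not in last_seen or ts > last_seen[device]:
            last_seen[device] = ts
    return sorted(d for d, ts in last_seen.items() if now - ts > max_gap)


def find_unknown_firmware(records: List[Record],
                          known_good: Set[str]) -> List[str]:
    """Return devices that ever reported a firmware hash outside known_good."""
    return sorted({device for _, device, fw in records if fw not in known_good})


def analyze(text: str, now: datetime, max_gap: timedelta,
            known_good: Set[str]) -> Dict[str, List[str]]:
    """Run both checks over a telemetry dump and return the flagged devices."""
    records = parse_telemetry(text)
    return {
        "silent": find_silent_devices(records, now, max_gap),
        "unknown_firmware": find_unknown_firmware(records, known_good),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_TELEMETRY, ANALYSIS_TIME, MAX_GAP, KNOWN_GOOD_FIRMWARE)
    for device in result["silent"]:
        print(f"ALERT silent device (no heartbeat within {MAX_GAP}): {device}")
    for device in result["unknown_firmware"]:
        print(f"ALERT unapproved firmware reported by: {device}")
```

The silence check deliberately keys on the last heartbeat rather than on any error message from the device, because a device whose telemetry has been blocked sends nothing at all; the firmware check flags a device if it has ever reported an unapproved hash, so a brief appearance of an unknown image is not lost when the device later reports a known one.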
Collaboration and Transparency in Cyber Defense
In response to these evolving threats, Ransomhub Decryptor Team has taken steps to enhance collective resilience. We have shared our findings with key stakeholders, including technology developers, governments, and other cybersecurity firms, in the spirit of transparency and collaboration. Following calls from the UK’s National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA), we have emphasized the importance of sharing information about the exploitation of edge network devices by state-sponsored adversaries. Our team strongly encourages other technology developers to be proactive in identifying and addressing vulnerabilities before they can be weaponized by sophisticated actors.
Conclusion
The evolution of Chinese APT groups, as tracked by the Ransomhub Decryptor Team over the past five years, reveals a marked shift in their operational strategies. What began as broad, indiscriminate attacks has transitioned into highly targeted campaigns against critical infrastructure and high-value organizations. This shift underscores the increasing sophistication of Chinese APT groups, whose advanced operational security and stealthy persistence techniques pose significant challenges to defenders worldwide.
As these groups continue to evolve, the need for collaboration, transparency, and constant vigilance remains critical. The insights gained from this extensive research will be vital in informing future efforts to defend against these persistent and adaptive threats.