Ransomware attacks have surged in recent years, causing significant financial and operational damage to organizations worldwide. However, not all ransomware campaigns are driven purely by financial gain. The case of the Chinese-based threat actor known as Bronze Starlight, or DEV-0401, reveals a more insidious use of ransomware—as a smokescreen for cyber espionage. 

The Emergence of Bronze Starlight

Bronze Starlight, active since early 2021, has gained notoriety for its sophisticated cyber attacks. Leveraging a custom DLL loader called HUI Loader, the group deploys Cobalt Strike and PlugX payloads to establish command and control over targeted systems. Over the past year, Bronze Starlight has utilized five ransomware families—LockFile, AtomSilo, Rook, Night Sky, and Pandora—and has exposed 21 victims on name-and-shame leak sites as of mid-April.

Ransomware as a Smokescreen

While ransomware typically aims to extort money from victims, Bronze Starlight’s campaigns appear to have a different end goal. According to cybersecurity researchers, the group uses ransomware to conceal its true objective: stealing intellectual property. This tactic serves to distract incident responders, focusing their efforts on recovery rather than investigating the underlying espionage activities.

Targeted Industries and Geographic Focus

Bronze Starlight’s victimology offers clues to its espionage motives. Researchers estimate that 75% of the known victims would be of interest to Chinese government-sponsored groups. The targets span various industries and geographic locations, including:

  • Pharmaceutical companies in Brazil and the U.S.
  • Electronic component designers and manufacturers in Lithuania and Japan
  • U.S. law firms
  • U.S.-based media organizations with offices in China and Hong Kong

Short-Lived Ransomware Campaigns

Unlike conventional financially motivated ransomware operations, Bronze Starlight’s ransomware families have brief lifespans. Each family targets a small number of victims over a short period before ceasing operations. This pattern, combined with the group’s focus on exploiting known vulnerabilities in network perimeter devices, underscores the strategic and selective nature of their attacks.

Code Overlap and Unique Strains

Bronze Starlight has developed distinct ransomware strains. LockFile and AtomSilo share a codebase, while Rook, Night Sky, and Pandora are based on the Babuk ransomware source code, leaked in September 2021. These ransomware families are unique to Bronze Starlight and exhibit significant similarities in their campaigns, including the use of HUI Loader to deploy Cobalt Strike beacons.

Collaboration Among Chinese-Based Threat Actors

Evidence suggests that Bronze Starlight collaborates with other Chinese-based threat actors. For instance, in a January incident response, researchers observed Bronze University, another Chinese threat group, active on the same network as Bronze Starlight. This collaboration points to a broader strategy of resource and information sharing among Chinese espionage attackers, further blurring the lines between financially motivated and state-sponsored cyber activities.

Implications for Cybersecurity

The operations of Bronze Starlight highlight the evolving complexity of ransomware attacks. Organizations must recognize that ransomware can serve multiple purposes beyond extortion, including acting as a cover for espionage. To mitigate such threats, businesses should:

Bronze Starlight’s use of ransomware as a smokescreen for espionage underscores the multifaceted nature of modern cyber threats. By understanding the broader motives behind these attacks, we can better protect our organizations from both financial and intellectual property losses.

Alvaka is available 24×7 to assist you with any of your cybersecurity needs. Fill out the form on this page or call us at (949)428-5000!
