Ransomware attacks have surged in recent years, causing significant financial and operational damage to organizations worldwide. However, not all ransomware campaigns are driven purely by financial gain. The case of the Chinese-based threat actor known as Bronze Starlight, or DEV-0401, reveals a more insidious use of ransomware—as a smokescreen for cyber espionage.
The Emergence of Bronze Starlight
Bronze Starlight, active since early 2021, has gained notoriety for its sophisticated cyber attacks. Leveraging a custom DLL loader called HUI Loader, the group deploys Cobalt Strike and PlugX payloads to establish command and control over targeted systems. Over the past year, Bronze Starlight has utilized five ransomware families—LockFile, AtomSilo, Rook, Night Sky, and Pandora—and has exposed 21 victims on name-and-shame leak sites as of mid-April.
Ransomware as a Smokescreen
While ransomware typically aims to extort money from victims, Bronze Starlight’s campaigns appear to have a different end goal. According to cybersecurity researchers, the group uses ransomware to conceal its true objective: stealing intellectual property. This tactic serves to distract incident responders, focusing their efforts on recovery rather than investigating the underlying espionage activities.
Targeted Industries and Geographic Focus
Bronze Starlight’s victimology offers clues to its espionage motives. Researchers estimate that 75% of the known victims would be of interest to Chinese government-sponsored groups. The targets span various industries and geographic locations, including:
- Pharmaceutical companies in Brazil and the U.S.
- Electronic component designers and manufacturers in Lithuania and Japan
- U.S. law firms
- U.S.-based media organizations with offices in China and Hong Kong
Short-Lived Ransomware Campaigns
Unlike conventional financially motivated ransomware operations, Bronze Starlight’s ransomware families have brief lifespans. Each family targets a small number of victims over a short period before ceasing operations. This pattern, combined with the group’s focus on exploiting known vulnerabilities in network perimeter devices, underscores the strategic and selective nature of their attacks.
Code Overlap and Unique Strains
Bronze Starlight has developed distinct ransomware strains. LockFile and AtomSilo share a codebase, while Rook, Night Sky, and Pandora are based on the Babuk ransomware source code, which leaked in September 2021. These ransomware families are unique to Bronze Starlight, and the campaigns that deliver them share significant tradecraft, including the use of HUI Loader to deploy Cobalt Strike beacons.
Collaboration Among Chinese-Based Threat Actors
Evidence suggests that Bronze Starlight collaborates with other Chinese-based threat actors. For instance, during an incident response engagement in January, researchers observed Bronze University, another Chinese threat group, active on the same network as Bronze Starlight. This overlap points to a broader strategy of resource and information sharing among Chinese espionage attackers, further blurring the lines between financially motivated and state-sponsored cyber activities.
Implications for Cybersecurity
The operations of Bronze Starlight highlight the evolving complexity of ransomware attacks. Organizations must recognize that ransomware can serve multiple purposes beyond extortion, including acting as a cover for espionage. To mitigate such threats, businesses should:
- Implement robust cybersecurity measures: Regularly update and patch systems to protect against known vulnerabilities.
- Enhance incident response protocols: Focus not only on recovery but also on investigating whether data was accessed or exfiltrated before encryption, since the ransomware may be covering for espionage.
- Invest in threat intelligence: Stay informed about emerging threats and threat actor tactics to better anticipate and defend against attacks.
Bronze Starlight’s use of ransomware as a smokescreen for espionage underscores the multifaceted nature of modern cyber threats. By understanding the broader motives behind these attacks, we can better protect our organizations from both financial and intellectual property losses.