Hackers using tactics and tools previously associated with Chinese government-supported computer network intrusions have joined the cyber crime industry of ransomware, four security firms that investigated attacks on U.S. companies said.
Executives of the security firms have seen a level of sophistication in at least a half dozen cases over the last three months akin to those used in state-sponsored attacks, including techniques to gain entry and move around the networks, as well as the software used to manage intrusions.
It is obviously a group of skilled of operators that have some amount of experience conducting intrusions,
said Phil Burdette, who heads an incident response team at Dell SecureWorks.
Burdette said his team was called in on three cases in as many months where hackers spread ransomware after exploiting known vulnerabilities in application servers. From there, the hackers tricked more than 100 computers in each of the companies into installing the malicious programs.
The victims included a transportation company and a technology firm that had 30 percent of its machines captured.
Although they cannot be positive, the companies concluded that all were the work of a known advanced threat group from China, Attack Research Chief Executive Val Smith told Reuters.
The ransomware attacks have not previously been reported. None of the companies that were victims of the hackers agreed to be identified publicly.
Asked about the allegations, China’s Foreign Ministry said on Tuesday that if they were made with a “serious attitude” and reliable proof, China would treat the matter seriously.
The security companies investigating the advanced ransomware intrusions have various theories about what is behind them, but they do not have proof and they have not come to any firm conclusions.
Most of the theories flow from the possibility that the Chinese government has reduced its support for economic espionage, which it pledged to oppose in an agreement with the United States late last year. Some U.S. companies have reported a decline in Chinese hacking since the agreement.
Smith said some government hackers or contractors could be out of work or with reduced work and looking to supplement their income via ransomware.