Espionage actors linked to China may be diversifying their operations, as new evidence points to the use of espionage tools in a recent ransomware attack against a South Asian software and services company.
Symantec Threat Intelligence reports that the attack, involving the RA World ransomware, stands out due to the distinct toolset typically associated with China-based espionage groups, raising questions about the motivations behind this cross-over from traditional espionage to financially driven cybercrime.
Espionage Toolsets Deployed
In late 2024, a cyberattack targeting an Asian software company saw the deployment of tools historically used by China-linked espionage actors. These tools, usually reserved for persistent espionage operations, were used in a ransomware attack—a unusual occurrence for espionage groups whose main motivation has been information gathering not financial gain.
The tools included a Toshiba executable, toshdpdb.exe, previously observed in espionage campaigns, which was used to sideload a malicious Dynamic Link Library (DLL) called toshdpapi.dll. This DLL acted as a loader for an encrypted payload located in the file TosHdp.dat.
Analysis discovered that the payload was a variant of PlugX (also known as Korplug), a custom backdoor exclusively associated with China-linked cyber actors. This specific variant had previously been used in various targeted espionage attacks, including breaches of governments and telecom operators across Europe and Southeast Asia.
Prior Espionage Campaigns: A Pattern of Intrusions
This toolset was part of a broader espionage campaign that began earlier last year. In July, threat actors compromised a southeastern European government ministry using similar tactics, including the deployment of a Toshiba executable and a PlugX variant.
Additional incidents came hot on its heels in August and September, with government ministries in multiple regions falling victim to these attacks. The attackers seemed mainly focused on maintaining persistent access to these networks through backdoors and other long-term presence mechanisms.
Ransomware Campaign: A New Development
In November 2024, the same toolset was reportedly used in a ransomware attack on a medium-sized South Asian company. The attacker leveraged a known vulnerability in Palo Alto’s PAN-OS firewall (CVE-2024-0012) to gain initial access, then escalated privileges and moved laterally through the network. Administrative credentials were stolen from the company’s intranet, followed by the theft of Amazon S3 cloud credentials from its Veeam server.
The bad actor then deployed the RA World ransomware, demanding a $2 million ransom (reduced to $1 million if the victim ponied up within three days). The use of ransomware in this context is not only unusual, it also indicates a shift in tactics for an actor historically involved in espionage.
The targeted entitiy was not of particularly strategic value, suggesting that the malefactor may have been more focused on financial gain than getting their hands on trade secrets or other espionage objectives.
Linking the Ransomware to Other China-based Actors
Interestingly, the RA World ransomware attack shows possible ties to Bronze Starlight (also known as Emperor Dragonfly), a China-based group previously involved in deploying ransomware like LockFile, AtomSilo, and NightSky. Tools such as the proxy tool NPS, which was created by a China-based developer and has been previously used by Bronze Starlight, were also found in the attack.
While espionage groups generally don’t carry out financially motivated cybercrime, the potential link between this group and RA World raises several questions. One theory is that the ransomware may serve as a diversion, possibly to cover up the true nature of the espionage operation. However, the lack of sophistication in covering up the espionage tools or targeting a non-strategic company casts doubt on this hypothesis.
Personal Gain or Employer Toolkit?
The most plausible explanation, according to cybersecurity experts, is that the actor behind the attack is an individual or small group seeking to capitalize financially on the side, using tools already at their disposal from their espionage operations. This wouldn’t be a first—similar behavior has been seen in other threat actor groups, where individuals or small teams branch into cybercrime to monetize their skills and tools.
Implications and Next Steps
This development suggests an evolution in the tactics used by China-linked espionage groups, blurring the lines between spying and lining pockets. Entities are advised to be vigilant against espionage and ransomware threats, particularly those targeting software vulnerabilities such as the one exploited in this attack.
As always, robust cybersecurity practices—such as patching known vulnerabilities, using multi-factor authentication, and monitoring for anomalous network behavior—is key tor mitigating the risk of espionage and ransomware attacks.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.