In a recent development, the China Energy Engineering Corporation (CEEC), a state-owned entity operating in China’s energy and infrastructure sectors, has fallen victim to the Rhysida ransomware gang. The notorious cybercriminal group, known for its disruptive activities since May 2023, has added CEEC to its list of targets on its Tor leak site.
🚨 Energy China
China Energy Engineering Group ranks 3rd in ENR Top 150 Global Engineering Design Firms and 13th in ENR Top 250 Global Contractors. #ransomfeed #security #infosec #energychina pic.twitter.com/deRRximVPd
— Ransomfeed (@ransomfeed) November 25, 2023
CEEC, as one of China’s leading integrated energy companies, holds a significant position within the industry. It actively engages in the development and construction of diverse energy projects, spanning coal, hydropower, nuclear, and renewable energy initiatives. Beyond its national operations, CEEC also contributes to global energy landscapes through participation in international projects.
The Rhysida ransomware gang, which has recently expanded its list of victims to include institutions like the British Library, claims to have acquired a substantial cache of valuable data. This data is purportedly up for auction at the price of 50 Bitcoin. Notably, the group intends to sell the stolen information to a single buyer and plans to release it publicly over a seven-day period following the announcement.
This incident comes on the heels of a joint Cybersecurity Advisory (CSA) issued by the FBI and CISA as part of the ongoing #StopRansomware initiative. The advisory serves to alert organizations to the tactics, techniques, and procedures (TTPs) associated with ransomware groups, including Rhysida. It contains indicators of compromise (IOCs) identified through investigations as recent as September 2023.
The Rhysida ransomware group has targeted a broad spectrum of industries, affecting at least 62 companies. The victims range from the education and healthcare sectors to manufacturing, information technology, and government entities. These attacks are characterized as striking “targets of opportunity,” as detailed in the joint advisory.
The group’s modus operandi involves leveraging Rhysida ransomware to impact various sectors, with similarities noted between their activities and those of Vice Society (DEV-0832). Furthermore, the report reveals instances of Rhysida actors operating in a ransomware-as-a-service (RaaS) capacity. In this model, ransomware tools and infrastructure are leased out, with profits from paid ransoms shared between the group and its affiliates.
Rhysida actors employ several techniques for initial access and persistence within target networks. External-facing remote services, such as VPNs and RDP, are exploited for initial access, while compromised credentials are used to authenticate to internal VPN access points. The threat actors have also taken advantage of the Zerologon vulnerability in Microsoft’s Netlogon Remote Protocol through phishing attempts.
Living-off-the-land techniques, which use native network administration tools built into the operating system, are a key aspect of the group’s malicious operations, according to the advisory. The ongoing activities of the Rhysida ransomware gang underscore the persistent and evolving threat landscape organizations face in the realm of cybersecurity.