Rhysida Ransomware Group Claims Attack on China Energy Engineering Corporation

November 25, 2023

The Rhysida ransomware group has announced a cyberattack on the China Energy Engineering Corporation (CEEC), a prominent state-owned energy company in China. The company has a significant presence in the energy and infrastructure sectors, participating in the development and construction of a variety of energy projects. These projects span coal, hydropower, nuclear, and renewable energy initiatives, both domestically and internationally.

The group claims to have exfiltrated a large quantity of what it calls 'impressive data' and is auctioning it for 50 Bitcoin (BTC). The data is being offered to a single buyer, with the group stating it will publish the data over the seven days following the announcement.

Recently, the British Library was added to the list of victims on the Rhysida ransomware group's Tor leak site. Following these attacks, the FBI and CISA issued a joint Cybersecurity Advisory (CSA) warning about Rhysida ransomware. The advisory is part of the ongoing #StopRansomware initiative, which publishes the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with ransomware groups; the IOCs and TTPs in this advisory were identified through investigations conducted as recently as September 2023.

The Rhysida ransomware group has been operational since May 2023. According to the group’s Tor leak site, at least 62 companies have fallen victim to their operations. The group has targeted organizations across various industries, including education, healthcare, manufacturing, information technology, and government. The group's victims are classified as 'targets of opportunity.'

The joint advisory states, 'Threat actors leveraging Rhysida ransomware are known to impact “targets of opportunity,” including victims in the education, healthcare, manufacturing, information technology, and government sectors. Open source reporting details similarities between Vice Society (DEV-0832)[1] activity and the actors observed deploying Rhysida ransomware.' Furthermore, it was noted that Rhysida actors operate in a ransomware-as-a-service (RaaS) model, renting out ransomware tools and infrastructure in a profit-sharing arrangement. Any ransoms paid are then divided between the group and its affiliates.

Rhysida actors gain initial access and maintain persistence by abusing external-facing remote services such as VPNs and RDP, using compromised credentials to authenticate to internal VPN access points. The advisory also notes that the actors have exploited Zerologon (CVE-2020-1472), a critical privilege-escalation vulnerability in Microsoft's Netlogon Remote Protocol, and have conducted phishing to gain initial access. Once inside, they rely on living-off-the-land techniques, using built-in network administration tools to carry out malicious operations.
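As an added illustration of two of the signals described above (this is example code written for this page, not code from the article, the advisory, or any vendor), the following Python script runs a pair of detection rules over constructed Windows Security event records. Zerologon exploitation resets a domain controller's machine account password over an unauthenticated Netlogon session, which the DC records as Event ID 4742 ("A computer account was changed") with a subject of ANONYMOUS LOGON; RDP access with stolen credentials appears as Event ID 4624 with Logon Type 10 (RemoteInteractive) from an address outside the organisation's own ranges. The flat dict layout of the events, the internal address ranges, and the sample records are all assumptions made for the example.

```python
"""Added example: two detection rules for Rhysida-style initial access, run over
constructed Windows Security events (not real telemetry).

Rule 1  Event 4742 whose SubjectUserName is ANONYMOUS LOGON and whose target is a
        computer account ('$' suffix): the footprint of a Zerologon
        (CVE-2020-1472) machine-account password reset on a domain controller.
Rule 2  Event 4624 with LogonType 10 (RemoteInteractive, i.e. RDP) from an IP
        outside the assumed internal address space.

The simplified dict field names below mirror the Security log XML fields but are
an assumption for this example, not the exact event schema.
"""
import ipaddress
from typing import Callable, Iterable

# Assumed internal address space for the example organisation (not from the article).
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed sample events; 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737
# documentation ranges standing in for public source addresses.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "j.doe", "LogonType": 10, "IpAddress": "10.0.0.15"},
    {"EventID": 4624, "TargetUserName": "svc_backup", "LogonType": 10, "IpAddress": "203.0.113.45"},
    {"EventID": 4742, "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$",
     "Computer": "DC01.corp.example"},
    {"EventID": 4742, "SubjectUserName": "DC01$", "TargetUserName": "WS-042$",
     "Computer": "DC01.corp.example"},
    {"EventID": 4624, "TargetUserName": "a.smith", "LogonType": 3, "IpAddress": "198.51.100.7"},
]


def is_external(addr: str) -> bool:
    """True when addr parses as an IP address and lies outside INTERNAL_NETS.

    ipaddress.is_global is deliberately not used: it classifies the RFC 5737
    documentation ranges used in the sample data as non-global, so an explicit
    list of the organisation's own ranges is the more reliable test.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparseable or missing source address: do not alert
    return not any(ip in net for net in INTERNAL_NETS)


def zerologon_reset(event: dict) -> bool:
    """Computer account changed by ANONYMOUS LOGON: Zerologon password reset."""
    return (
        event.get("EventID") == 4742
        and str(event.get("SubjectUserName", "")).upper() == "ANONYMOUS LOGON"
        and str(event.get("TargetUserName", "")).endswith("$")
    )


def external_rdp_logon(event: dict) -> bool:
    """Successful RDP (LogonType 10) logon from an address outside INTERNAL_NETS."""
    return (
        event.get("EventID") == 4624
        and event.get("LogonType") == 10
        and is_external(str(event.get("IpAddress", "")))
    )


RULES: dict[str, Callable[[dict], bool]] = {
    "zerologon_machine_account_reset": zerologon_reset,
    "rdp_logon_from_external_ip": external_rdp_logon,
}


def scan(events: Iterable[dict]) -> list[dict]:
    """Return one alert per (rule, event) match, preserving event order."""
    alerts = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                alerts.append({"rule": name, "event": ev})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['event']}")
```

Run against the sample records, the script flags the RDP logon by svc_backup from 203.0.113.45 and the ANONYMOUS LOGON change to DC01$, while ignoring the internal RDP session, the routine machine-account change made by DC01$ itself, and the network (type 3) logon. In production the 4742 rule should be scoped to domain controllers and correlated with Netlogon events 5827 to 5831, and the RDP rule should be paired with the VPN concentrator's own logs, since the advisory describes both VPN and RDP as the entry points.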
