Government employees on the island of Palau came into work on March 14 and booted up their computers like any other day. But when the Windows screens wouldn’t load they called up IT. 

They quickly discovered two separate ransom notes: one on a sheet of paper in the printer from the LockBit ransomware gang and one in a README text file put alongside Palau’s encrypted documents from the DragonForce ransomware gang.

Jay Anson, CISO of Palau’s Ministry of Finance, told Recorded Future News that his team was perplexed by the differing ransom notes and confused by the Tor links included in each note, which ransomware gangs use to communicate with victims.

“What was odd was that in both the printed notes and the text file, the links that they provided us to negotiate a ransom were dead,” Anson said. “They went nowhere. We thought maybe they were the old LockBit links that didn’t go anywhere. So it wasn’t possible for us to negotiate our ransom.”

Anson and other members of the IT team immediately thought the apparent cyberattack was in response to a ceremony that took place on the same day where officials from Palau and the U.S. government convened to commemorate the Compact of Free Association (COFA) — a longstanding agreement that codifies the relationship between the two countries. 

“Our analysis was that this was a hit against the Palau government but also the ability of the U.S. to provide security for Palau, and in this case, cybersecurity,” Anson said. 

They quickly enacted the incident response plan that has been in place since the island dealt with another ransomware incident five years ago. 

Thankfully, much of Palau’s government still operates with paper. The attack encrypted a financial management information system that mostly contains public data. Some of the files had names, phone numbers and Palauan Social Security numbers. Anson said the government has about 1,800 employees.

But logs pulled from the incident do not show any evidence of data exfiltration, leading Anson and others to believe no data was stolen in the attack. 

Due to their experience with the previous attack, Palau was prepared and had backups of the data in the cloud, and within five days the government was able to restore the server that had been encrypted.

But as a consequence of the attack, the government had to pay employees with paper checks while the system was being restored, drawing media scrutiny. Anson said they did not want people to have to wait an extra day for their pay, which is why they opted to do payments by physical check. 

The government has since hired an incident response firm to help investigate the attack, and an initial analysis of system logs shows it is likely a government worker clicked a malicious phishing link that kickstarted the incident. 

The resolution of the incident has left one outstanding question: who did it?

Longstanding China issues

Anson said they never heard from either ransomware gang, leading them to believe it was either an attack by an activist or a ransomware-as-a-service operator paid to conduct the attack on someone else’s behalf. 

Palau’s government has had longstanding issues with China since it recognized Taiwan in December 1999, Anson said, and China and the U.S. have spent decades jockeying for control and support from the government of Palau. A presidential republic made up of about 340 islands north of Indonesia and east of the Philippines, Palau relies on the United States for defense, funding and some social services. 

From 2008 to 2015, the number of Chinese tourists grew from about 600 to more than 91,000 annually, injecting significant amounts of money into the island nation’s economy. China is still the largest direct investor in Palau, but in 2017 Beijing’s leaders limited the number of flights, effectively shutting off tourism to the island nation in the hopes that it would join other Pacific countries in rejecting their previous recognition of Taiwan.

China has also taken issue with some of Palau’s pacts with the U.S. government, which allow the U.S. military to operate freely in the Pacific region between bases in Hawaii, Guam and Japan. 

Cyber has played a pivotal role in China’s jockeying with the U.S. in the Pacific region. Last year, the U.S. alleged that Chinese hackers had dug deep into the networks of critical infrastructure across the island of Guam.

Photo caption: U.S. Capt. Charles Black explains his ship’s maneuvering capabilities to Palau government officials during a ship tour in April 2018. Credit: U.S. Pacific Fleet

Despite the pressure from China, Palau’s government has refused to back down, instead seeking tourism from South Korea and Japan alongside more investment from the U.S. and India. 

But the country has struggled to rebound from the COVID-19 pandemic. Tourism is still only about 30% of what it once was, and the government has had to take out loans to stay afloat. It would make little sense for legitimate ransomware actors to target Palau’s government, Anson said. 

“It just doesn’t make sense if this was for financial gain. Plus, the timing of the highly-publicized Compact of Free Association ceremony is a strong indicator that this was more an attack on the reputation of Palau and the reputation of the U.S. to provide security to Palau,” Anson said. 

Palauan President Surangel Whipps Jr. publicly said during a press conference that the group behind the attack “likely originated from Malaysia with Chinese or Russian ties, although this is not confirmed.” Experts believe the DragonForce ransomware gang is based in Malaysia.

Anson said he and others investigating the incident did not think LockBit was behind the attack because of the recent law enforcement operation taking down the gang’s infrastructure. The group has been able to rebound but is posting a significantly lower volume of victims since the law enforcement operation was unveiled in February. 

Ransomware as cover

The Chinese Foreign Ministry did not respond to requests for comment but there is a long history of allegations that Chinese actors have used various strains of ransomware as cover for espionage operations. 

Cybersecurity firm SentinelOne published a report last year highlighting the use of ransomware by Bronze Starlight, a Chinese espionage group that uses ransomware “as a means of distraction or misattribution.”

Chinese malware was observed in use alongside ransomware campaigns from groups like LockFile, AtomSilo, NightSky, LockBit 2.0 and Pandora. Several of these ransomware strains have been used by Bronze Starlight hackers, according to Secureworks and Microsoft.

“It is noteworthy that Chinese cyber espionage threat actors are progressively refining their operational tactics in manners that obfuscate clear attribution through publicly available intelligence sources alone,” the SentinelOne researchers said.

Anson noted that Malaysia, where DragonForce is believed to be based, has deep ties to China. In addition to an attack on a U.S. lottery company, the group has largely targeted organizations in Australia, India and New Zealand. 

Several ransomware experts said they have either personally seen or heard of instances where espionage actors used ransomware as a means of covering their tracks.

Recorded Future Senior Security Architect Allan Liska said the tactics experienced by Palau have become China’s modus operandi when it comes to ransomware. (The Record is an editorially independent unit within Recorded Future.)

“Deploy the ransomware, but then don’t negotiate or accept payment,” Liska said, adding that this has been seen with the Cold Lock and DearCry ransomware groups. “It would make sense to use something like LockBit for this as well. My guess is that they are using one of the leaked LockBit encryptors, so they weren’t a LockBit affiliate, just a group with stolen code.” 

Liska said it is tough to know how often situations like this occur because victims do not appear on ransomware leak sites and tend to be more sensitive targets that do not reveal attacks publicly.

He cited one incident in 2020 when several of the largest oil and gas companies in Taiwan were attacked with ransomware in a still-unexplained incident.

Emsisoft ransomware expert Brett Callow said proxying attacks via known cybercriminal enterprises is a logical way for nation-state actors to obfuscate their involvement, and can make attribution challenging. 

“The ransomware operators may not even know who they’re collaborating with,” he said.