Chinese Ghost Hackers Hit Hospitals And Factories In America And U.K.
The world of cybercrime is a complex and ever-evolving landscape, with various groups operating under different motives and tactics. However, one group in particular has been making headlines recently for its financially motivated attacks on organizations across the globe. Meet the Ghost hackers, a group from China that has been leaving a trail of destruction in their wake.
According to a new report by Rebecca Harpur at Blackfog, the Ghost threat campaigns are operated by a financially motivated group from China with no known state affiliations. In other words, they are not acting on behalf of the government; their motive is profit, not espionage. The attacks are part of a larger campaign to extort money from organizations across more than 70 countries.
The Ghost hackers have been rebranding themselves over the years, going by names such as Cring, Crypt3r, and Hello, as well as a closely related Phantom moniker. By constantly changing their name, they make it more difficult for authorities to pin down their activities as one group. However, this hasn't stopped the Cybersecurity and Infrastructure Security Agency and the FBI from issuing a joint advisory warning of the dangers that Ghost presents to organizations across the globe.
How the Ghost Hackers Operate
The Blackfog threat intelligence report warned that the Ghost attacks follow a familiar playbook. Here's an overview of how they operate:
- Initial access is gained through public-facing systems via unpatched vulnerability exploitation, including virtual private network appliances and web and email servers.
- A backdoor is installed using web shells and tools such as Cobalt Strike to maintain stealthy access. After escalating system privileges, the attackers create new user accounts and disable security software.
- The attackers spread to other systems on the network and exfiltrate sensitive data to their own servers.
- A ransomware payload (often named Ghost.exe or Cring.exe) is deployed across the network, scrambling files and making them unusable. Backups are wiped out, and a ransom note appears on each system.
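The four stages above each leave traces that a defender can look for. The script below is an added example, written for this article rather than taken from the Blackfog report or the CISA/FBI advisory: it reads a constructed log format (assumed, not a real product's output), maps individual events onto the stages in the playbook, and flags a host only when two or more distinct stages are seen on it, so that a lone account creation by a help desk does not raise an alert by itself. The web-root paths, the security-service names, the one-gigabyte transfer threshold and the shadow-copy deletion check are assumptions chosen for illustration; only the payload names Ghost.exe and Cring.exe come from the report.

```python
"""Map log events onto the Ghost attack chain and flag hosts showing several stages.

Added example: log format, sample events, service names and thresholds are
constructed for illustration, not taken from any real telemetry.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines. One event per line:
#   <timestamp> host=<name> event=<type> key=value ...   (values with spaces are quoted)
SAMPLE_LOGS = r"""
2025-02-20T01:12:03Z host=web01 event=file_write path=C:\inetpub\wwwroot\aspnet_client\cmd.aspx user="IIS APPPOOL\DefaultAppPool"
2025-02-20T01:15:41Z host=web01 event=4720 target=svc_update caller=SYSTEM
2025-02-20T01:16:02Z host=web01 event=service_stop service=WinDefend
2025-02-20T01:40:10Z host=web01 event=4688 image=C:\Windows\Temp\Ghost.exe parent=cmd.exe
2025-02-20T01:41:00Z host=web01 event=4688 image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"
2025-02-20T02:00:00Z host=fs02 event=4688 image=C:\Users\Public\Cring.exe parent=explorer.exe
2025-02-20T02:05:17Z host=fs02 event=net_out dst=203.0.113.45 bytes=8589934592
2025-02-20T03:00:00Z host=hr05 event=4720 target=jsmith caller=helpdesk
2025-02-20T03:30:00Z host=hr05 event=4688 image=C:\Program Files\Notepad++\notepad++.exe parent=explorer.exe
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed indicator lists; tune these to your own environment.
WEBROOT_MARKERS = ("\\inetpub\\wwwroot\\", "/var/www/")
SCRIPT_EXT = (".aspx", ".asp", ".php", ".jsp")
SECURITY_SERVICES = {"windefend", "msmpsvc", "sense"}
RANSOM_BINARIES = {"ghost.exe", "cring.exe"}   # payload names cited in the report
EXFIL_BYTES = 1 << 30                          # 1 GiB outbound in one flow
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Split '<ts> k=v k="v v"' into a dict; quoted values keep their spaces."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = ts
    return fields


def classify(ev):
    """Return the playbook stage an event corresponds to, or None if benign."""
    kind = ev.get("event")
    if kind == "file_write":
        # Script file written under a web root: consistent with a web shell drop.
        p = ev.get("path", "").lower()
        if any(m.lower() in p for m in WEBROOT_MARKERS) and p.endswith(SCRIPT_EXT):
            return "initial_access"
    elif kind == "4720":
        # Windows "user account created"; common on its own, so weighted by co-occurrence.
        return "backdoor"
    elif kind == "service_stop":
        if ev.get("service", "").lower() in SECURITY_SERVICES:
            return "backdoor"
    elif kind == "net_out":
        # Large transfer to a non-RFC1918 destination: candidate exfiltration.
        dst = ipaddress.ip_address(ev["dst"])
        if int(ev.get("bytes", 0)) >= EXFIL_BYTES and not any(dst in n for n in RFC1918):
            return "lateral_exfil"
    elif kind == "4688":
        # Windows process creation: known payload name or shadow-copy (backup) deletion.
        image = ev.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        cmd = ev.get("cmdline", "").lower()
        if image in RANSOM_BINARIES or ("vssadmin" in cmd and "delete shadows" in cmd):
            return "ransomware"
    return None


def stages_by_host(log_text):
    """Return {host: sorted list of distinct stages observed on that host}."""
    found = defaultdict(set)
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        stage = classify(ev)
        if stage:
            found[ev["host"]].add(stage)
    return {h: sorted(s) for h, s in found.items()}


def flagged_hosts(log_text, min_stages=2):
    """Hosts on which at least `min_stages` distinct stages of the chain were seen."""
    return sorted(h for h, s in stages_by_host(log_text).items() if len(s) >= min_stages)


if __name__ == "__main__":
    for host, stages in stages_by_host(SAMPLE_LOGS).items():
        print(f"{host}: {', '.join(stages)}")
    print("flagged:", flagged_hosts(SAMPLE_LOGS))
```

Run against the constructed sample, `web01` shows three stages and `fs02` two, so both are flagged, while `hr05` shows only a routine account creation and is not. The point of the two-stage threshold is that every single indicator here has a benign explanation; it is the sequence described in the playbook that is distinctive.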
The FBI advisory provides detailed recommendations for mitigating these attacks, but in the meantime, here's a quick cybersecurity blueprint to help protect your organization:
Ghost Cybersecurity Blueprint
To avoid falling victim to the Ghost hackers' tactics, organizations should take the following steps:
- Regularly patch and update public-facing systems to prevent vulnerability exploitation.
- Use secure protocols for virtual private network appliances and web servers.
- Implement robust security software and monitoring tools to detect suspicious activity.
- Avoid opening suspicious emails, especially those from unknown senders.
Stay vigilant and stay informed. The Ghost hackers are a threat to organizations across the globe, and it's essential to take proactive steps to protect your business from their attacks.