THE AMERICA ONE NEWS
Jun 20, 2025
Ryan Lovelace


Spies, not crooks: Report says Chinese espionage hacks posing as ransomware attacks

Suspected Chinese government cyberattackers are seeking to disguise their hacking and digital spying efforts as ransomware activity, according to a new analysis from the security firms SentinelOne and Recorded Future.

The discovery of China-linked cyberspies masquerading as cybercriminals comes in the aftermath of U.S. officials warning they observed China’s Volt Typhoon attackers pre-positioning in American systems.

China’s National Computer Virus Emergency Response Center responded in April to U.S. officials’ alarm with the claim that Volt Typhoon was actually a “ransomware group or other cybercriminals.”

In English-language posts on social media and an accompanying report, the Chinese center downplayed U.S. expressions of alarm and said money was the motivation for U.S. cyber officials and companies to blame China.

SentinelOne’s Aleksandar Milenkoski and Recorded Future’s Julian-Ferdinand Vogele do not buy it.

“We find this claim unpersuasive and at odds with available evidence, seeing it as an active attempt by China to portray its cyberespionage operations as cybercriminal in nature,” the security analysts said in a report published last week. “This attribution has understandably led to speculation within the threat intelligence community whether it can be interpreted as China admitting to seeing value in using ransomware activity to conceal its cyberespionage operations.”

The security firms also observed China-linked hackers using ransomware while pursuing espionage aims on behalf of the government.

SentinelOne’s Sentinel Labs teamed with cybersecurity firm Recorded Future to hunt China-linked cyberattackers who had targeted governments and critical infrastructure systems around the world between 2021 and 2023.

The firms identified ChamelGang, a suspected Chinese threat group, and observed it targeting an East Asian government organization and an aviation organization in India in 2023.

The firms’ report said ChamelGang was also likely responsible for ransomware attacks on the presidency of Brazil and a major Indian health care institution in 2022.

“ChamelGang is a persistent player in the global cyberespionage scene, showing considerable interest in the regions we observed being targeted,” the report said. “Chinese activities in East Asia and the Indian subcontinent are likely driven by strategic interests in these neighboring regions for several reasons.”

Pretending to be a ransomware attack as a guise for cyberespionage gives foreign adversaries plausible deniability to blame their hacking operations on the work of others and distracts those responding to breaches of sensitive systems.

“Misattributing cyberespionage activities as cybercriminal operations can result in strategic repercussions, especially in the context of attacks on government or critical infrastructure organizations,” the report said. “Insufficient information sharing between the local law enforcement organizations that typically handle ransomware cases and intelligence agencies could result in missed intelligence opportunities, inadequate risk assessment and diminished situational awareness.”

China’s suspected ransomware-reliant misdirection campaign is reminiscent of malicious activity spreading from Russia in recent years.

As ransomware ripped through American computer networks in 2021, questions spread about Moscow’s potential involvement in the cyberattacks and about Russian officials moonlighting with cybercriminal gangs. President Biden ultimately urged Russian President Vladimir Putin to help stop the onslaught of ransomware.

Foreign adversaries posing as cybercriminals have taken on new importance in America, however, amid U.S. officials warning of China burrowing into critical systems and officials investigating other hacks.

Last month, the Cybersecurity and Infrastructure Security Agency said hackers breached a tool the government used to gather information from facilities with chemicals that terrorists could weaponize.

CISA did not name the culprits and said it saw no evidence of data theft but noted the hackers may have accessed personnel and facilities’ information.

CISA said the vector for the breach involved Ivanti appliances, including Ivanti Connect Secure. Cybersecurity firm Mandiant tied recent problems with Ivanti Connect Secure in January to a “China-nexus espionage threat actor.”

• Ryan Lovelace can be reached at rlovelace@washingtontimes.com.