Full Report
An RA World ransomware attack in November 2024 targeting an unnamed Asian software and services company involved the use of a malicious tool exclusively used by China-based cyber espionage groups, raising the possibility that the threat actor may be moonlighting as a ransomware player in an individual capacity. "During the attack in late 2024, the attacker deployed a distinct toolset that had
Analysis Summary
This report summarizes two distinct security incidents: the **RA World Ransomware Attack** and the **Salt Typhoon Exploits on Network Devices**.
# Incident Report: RA World Ransomware and Salt Typhoon Network Exploits
## Executive Summary
Two separate incidents were detailed. In November 2024, a ransomware attack on a software and services company in South Asia used a toolset previously associated with China-based espionage groups (Mustang Panda/Bronze Starlight overlap): PlugX malware was deployed for covert access before the intrusion culminated in RA World encryption. Separately, the state-sponsored group Salt Typhoon exploited known vulnerabilities in the Cisco IOS XE web UI (CVE-2023-20198, CVE-2023-20273) between December 2024 and January 2025 to breach multiple telecommunications providers and universities worldwide, establishing persistent access by configuring GRE tunnels on the compromised devices.
## Incident Details
| Field | RA World Ransomware Incident | Salt Typhoon Incident |
| :--- | :--- | :--- |
| **Discovery Date** | Not explicitly stated; the attack occurred in late 2024. | Activity observed between December 4, 2024, and January 23, 2025. |
| **Incident Date** | November 2024 (Ransomware deployment). | December 2024 – January 2025. |
| **Affected Organization** | Unnamed medium-sized software and services company. | US affiliate of a UK telecom provider, a South African telecom provider, an Italian ISP, a large Thai telecom provider, and universities globally. |
| **Sector** | Software and Services. | Telecommunications, Internet Service Provider, Education. |
| **Geography** | South Asia. | Global, with specific targets in the US, South Africa, Italy, Thailand, Argentina, Bangladesh, Indonesia, Malaysia, Mexico, the Netherlands and Vietnam. |
## Timeline of Events
### Initial Access (RA World Ransomware)
- **Date/Time:** Not specified, but preceded ransomware deployment in Nov 2024.
- **Vector:** The attacker *claimed* to have exploited a known security flaw in Palo Alto Networks PAN-OS software (CVE-2024-0012, an authentication bypass in the management web interface); the source does not independently confirm this claim.
- **Details:** Access led to the deployment of espionage tools before the final ransomware stage.
### Initial Access (Salt Typhoon)
- **Date/Time:** Between Dec 4, 2024, and Jan 23, 2025.
- **Vector:** Exploitation of two known vulnerabilities in the Cisco IOS XE web UI: CVE-2023-20198 (unauthenticated creation of a privilege-15 account) chained with CVE-2023-20273 (command injection giving root-level execution).
- **Details:** Attackers attempted to exploit over 1,000 devices globally.
### Execution and Defense Evasion (RA World Ransomware - Espionage Phase)
- **Details:** The legitimate Toshiba executable `toshdpdb.exe` was used to side-load a malicious DLL named `toshdpapi.dll`, which in turn decrypted and loaded the PlugX payload. This loader chain is historically associated with China-based espionage operations rather than with ransomware crews.
### Data Exfiltration/Impact (RA World Ransomware)
- **Details:** The attack culminated with the encryption of machines using RA World ransomware. Prior activity suggests data collection/espionage goals.
### Detection & Response (Salt Typhoon)
- **Details:** Recorded Future's Insikt Group identified the activity from communications between compromised Cisco devices and threat-actor-controlled infrastructure.
- **Response Actions:** Not detailed in the source; standard mitigation would apply (patching the affected devices, reviewing device configurations for unauthorized changes, and investigating the tunnel endpoints).
## Attack Methodology
| Phase | RA World Ransomware Attack (Linked to Bronze Starlight/Espionage Actor) | Salt Typhoon (Earth Estries, GhostEmperor, etc.) |
| :--- | :--- | :--- |
| **Initial Access** | Alleged PAN-OS vulnerability exploitation (CVE-2024-0012). | Exploitation of vulnerable Cisco device flaws (CVE-2023-20198, CVE-2023-20273). |
| **Persistence** | PlugX backdoor deployment, historically used to maintain long-term covert access. | Established post-compromise by modifying the device configuration to add a Generic Routing Encapsulation (GRE) tunnel to attacker infrastructure. |
| **Privilege Escalation** | Not specified in the source. | Elevated (privilege 15) access on the compromised Cisco devices, obtained through the exploited web UI flaws. |
| **Defense Evasion** | DLL side-loading of `toshdpapi.dll` via the legitimate `toshdpdb.exe` binary to load PlugX under a trusted process name. | Operating on boundary network devices, which typically lack EDR coverage. |
| **Credential Access** | Not specified. | Not specified; the focus was on control of the network devices themselves. |
| **Discovery** | Not detailed; the PlugX toolset supports host and network reconnaissance. | Not detailed (activity centred on device exploitation and tunnel setup). |
| **Lateral Movement** | Not detailed; PlugX provides the remote command-and-control channel from which lateral movement is typically staged. | Persistent GRE tunnels from the compromised appliances, used for C2 and exfiltration. |
| **Collection** | Not detailed; PlugX supports file and data collection. | Not detailed; traffic was routed over the established GRE tunnel. |
| **Exfiltration** | Not explicitly detailed prior to encryption. | Over the established GRE tunnel infrastructure. |
| **Impact** | Machine encryption by RA World ransomware. | Gaining persistent access to critical network infrastructure. |
## Impact Assessment
| Field | RA World Ransomware Incident | Salt Typhoon Incident |
| :--- | :--- | :--- |
| **Financial** | Extortion demand implied by ransomware deployment; no amount reported. | Not quantified. |
| **Data Breach** | Not specified what data was potentially exposed or stolen prior to encryption. | Focus was on network persistence and exfiltration, targeting telecom/research data. |
| **Operational** | Business disruption due to machine encryption. | Potential disruption to telecommunication services and research integrity. |
| **Reputational** | Implied due to ransomware event. | Damage to associated institutions due to state-sponsored compromise. |
## Indicators of Compromise
*Note: The source material names only the vulnerability IDs, the side-loading file pair and the GRE-tunnel behaviour; it lists no hashes, domains or IP addresses.*
- **Network Indicators:** Communications observed between infected Cisco devices and threat actor infrastructure (specific C2 infrastructure not listed).
- **File Indicators:** Malicious DLL named `toshdpapi.dll` sideloaded by `toshdpdb.exe`; Encrypted PlugX payload.
- **Behavioral Indicators:** DLL side-loading via legitimate Toshiba binaries; Establishing persistent GRE tunnels on Cisco devices.
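As an added detection example (not code from the original report or from Symantec), the following Python script runs a side-loading check over constructed Sysmon Event ID 7 (Image loaded) records. It covers the `toshdpdb.exe` / `toshdpapi.dll` pair named in the execution step, the Defense Evasion row and the indicators above, and generalizes to the underlying pattern: an unsigned DLL loaded from the process's own directory outside a vendor install root. The field names follow the Sysmon schema; the sample events, directory paths and the trusted-root list are assumptions for illustration.

```python
"""Hunt for DLL side-loading in Sysmon Event ID 7 (Image loaded) records.

Added example for this report, not code from the original source. The
KNOWN_PAIRS entry is the side-loading pair named in the report; the sample
events, paths and trusted roots below are constructed for illustration.
"""
import ntpath
from dataclasses import dataclass, field

# Legitimate host executable -> DLL name it imports (from the report).
KNOWN_PAIRS = {"toshdpdb.exe": "toshdpapi.dll"}

# Install roots where a vendor EXE and its DLL are expected to live (assumed).
# Anything else (user profiles, ProgramData, temp) is treated as untrusted.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


@dataclass
class Finding:
    record_id: int
    host_exe: str
    dll: str
    severity: str
    reasons: list = field(default_factory=list)


def _base(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"


def analyze_event(event):
    """Return a Finding for one Sysmon ImageLoad event, or None if benign."""
    exe, dll = event["Image"], event["ImageLoaded"]
    exe_name, dll_name = _base(exe), _base(dll)
    exe_dir, dll_dir = _dir(exe), _dir(dll)
    trusted = exe_dir.startswith(TRUSTED_ROOTS)
    # Sysmon's Signed/SignatureStatus fields describe the loaded image (the DLL).
    signed_ok = (event.get("Signed", "false").lower() == "true"
                 and event.get("SignatureStatus", "").lower() == "valid")
    reasons = []
    # Rule 1: a known side-loading pair running outside a vendor install root.
    if KNOWN_PAIRS.get(exe_name) == dll_name and not trusted:
        reasons.append("known side-load pair loaded outside a trusted install root")
    # Rule 2 (generic): unsigned/invalid DLL pulled from the process's own directory,
    # outside a trusted root. The loader searches the EXE directory first, so a
    # malicious DLL dropped next to a copied vendor binary wins the search.
    if exe_dir == dll_dir and not trusted and not signed_ok:
        reasons.append("unsigned or invalidly signed DLL loaded from the process's own directory")
    if not reasons:
        return None
    severity = "high" if exe_name in KNOWN_PAIRS else "medium"
    return Finding(event["RecordId"], exe, dll, severity, reasons)


def analyze_events(events):
    return [f for f in (analyze_event(e) for e in events) if f is not None]


# Constructed sample events (not real telemetry). Field names follow Sysmon.
SAMPLE_EVENTS = [
    {   # side-load pair staged in a world-writable directory -> high
        "RecordId": 1,
        "Image": "C:\\Users\\Public\\Libraries\\toshdpdb.exe",
        "ImageLoaded": "C:\\Users\\Public\\Libraries\\toshdpapi.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # same pair in an (assumed) vendor install path, DLL validly signed -> benign
        "RecordId": 2,
        "Image": "C:\\Program Files\\TOSHIBA\\Display\\toshdpdb.exe",
        "ImageLoaded": "C:\\Program Files\\TOSHIBA\\Display\\toshdpapi.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # ordinary OS image load -> benign
        "RecordId": 3,
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # unknown binary with an unsigned DLL beside it -> medium (generic rule)
        "RecordId": 4,
        "Image": "C:\\ProgramData\\Updater\\svc.exe",
        "ImageLoaded": "C:\\ProgramData\\Updater\\version.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
]

if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"[{f.severity}] record {f.record_id}: {f.host_exe} -> {f.dll}")
        for r in f.reasons:
            print("    -", r)
```

The generic rule is noisy on its own (legitimate software installed under user profiles trips it), which is why it is scored medium and the known pair high; in practice, feed it Sysmon events filtered to `Signed=false` and tune `TRUSTED_ROOTS` to the estate's approved install locations.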
## Response Actions
**RA World Incident (Inferred):**
- **Containment:** Unknown.
- **Eradication:** Unknown.
- **Recovery:** Restoring systems encrypted by RA World.
**Salt Typhoon Incident (General Recommendations Cited):**
- **Containment/Eradication:** Not listed as actions taken, but the mitigation suggested applying security patches to publicly-accessible network devices.
- **Recovery:** Not listed as actions taken.
## Lessons Learned
1. **Attribution Gray Area:** Espionage groups (like those using PlugX tools) may "moonlight" as financially motivated ransomware actors, complicating attribution and threat assessment.
2. **Tool Reuse:** Highly specific, previously espionage-focused toolsets were repurposed for criminal extortion, suggesting actor adaptability or collaboration.
3. **Boundary Defense is Crucial:** State-sponsored actors (Salt Typhoon) heavily rely on exploiting unpatched, EoL, or boundary network appliances (like Cisco devices) lacking EDR protection as reliable entry points.
## Recommendations
1. **Prioritize Patching:** Organizations must immediately prioritize applying security patches and updates to all publicly-accessible network devices, especially those facing known threats (like Cisco and Palo Alto devices mentioned).
2. **Restrict Exposure:** Avoid exposing administrative interfaces or non-essential services of network infrastructure (especially EoL devices) directly to the internet. For Cisco IOS XE this means disabling the HTTP and HTTPS web UI service on internet-facing devices, which was Cisco's published mitigation for CVE-2023-20198, or restricting it to trusted management networks.
3. **Monitor Toolset Crossovers:** Security teams should monitor for toolsets associated with known nation-state actors appearing in financially motivated incidents, as this suggests an evolving threat landscape.
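As an added example (not code from the original report, Recorded Future or Cisco), the following Python script audits a Cisco IOS XE running-config for the three things the Salt Typhoon persistence row and the recommendations above point at: an enabled web UI (`ip http server` / `ip http secure-server`, the component exploited by CVE-2023-20198, whose disablement was Cisco's published mitigation), privilege-15 local users not in an approved baseline, and GRE tunnel interfaces whose destination is not approved. The sample configuration, the approved baselines, the hostname and the addresses are constructed.

```python
"""Audit a Cisco IOS XE running-config for the post-exploitation artefacts
discussed in the report: exposed web UI, unexpected privilege-15 users and
unapproved GRE tunnels.

Added example, not code from the original report. SAMPLE_CONFIG and the
approved baselines are constructed for illustration.
"""
import re

USER_RE = re.compile(r"^username (\S+) .*?\bprivilege (\d+)\b")
WEBUI_LINES = {"ip http server", "ip http secure-server"}


def parse_tunnels(config):
    """Return {interface name: {source, destination, mode, description}} for Tunnel interfaces."""
    tunnels, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1].strip()
            current = tunnels.setdefault(name, {}) if name.lower().startswith("tunnel") else None
        elif current is not None and line.startswith(" "):
            parts = line.split()
            if parts[:2] == ["tunnel", "destination"]:
                current["destination"] = parts[2]
            elif parts[:2] == ["tunnel", "source"]:
                current["source"] = parts[2]
            elif parts[:2] == ["tunnel", "mode"]:
                current["mode"] = " ".join(parts[2:])
            elif parts[0] == "description":
                current["description"] = " ".join(parts[1:])
        else:
            current = None  # "!" or any other top-level line ends the interface block
    return tunnels


def audit_config(config, approved_tunnel_dst, approved_priv15):
    """Return a list of (finding_kind, detail) tuples."""
    findings = []
    for line in config.splitlines():
        stripped = line.strip()
        if stripped in WEBUI_LINES:
            findings.append(("web-ui-exposed", stripped))
        m = USER_RE.match(line)
        if m and m.group(2) == "15" and m.group(1) not in approved_priv15:
            findings.append(("unexpected-priv15-user", m.group(1)))
    for name, t in parse_tunnels(config).items():
        # IOS XE defaults to GRE/IP and omits the mode line from the running-config,
        # so a Tunnel interface with no "tunnel mode" line is still a GRE tunnel.
        mode = t.get("mode", "gre ip")
        if mode.startswith("gre") and t.get("destination") not in approved_tunnel_dst:
            findings.append(("unapproved-gre-tunnel", f"{name} -> {t.get('destination')}"))
    return findings


# Constructed sample running-config (RFC 5737 documentation addresses, hashes redacted).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username admin privilege 15 secret 9 REDACTED
username svc_backup privilege 15 secret 9 REDACTED
username noc-ro privilege 1 secret 9 REDACTED
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.77
!
interface Tunnel100
 description MPLS-backup
 ip address 10.254.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/1
 tunnel destination 198.51.100.10
 tunnel mode gre ip
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.10 255.255.255.0
!
ip http server
ip http secure-server
!
"""

# Constructed baselines: what change control says should exist on this device.
APPROVED_TUNNEL_DESTINATIONS = {"198.51.100.10"}
APPROVED_PRIV15_USERS = {"admin"}

if __name__ == "__main__":
    for kind, detail in audit_config(SAMPLE_CONFIG, APPROVED_TUNNEL_DESTINATIONS, APPROVED_PRIV15_USERS):
        print(f"{kind}: {detail}")
```

Run it against `show running-config` output exported from each device. The baselines must come from change-control records rather than from the device itself: an actor holding a privilege-15 account can edit the configuration that would otherwise serve as the reference, so a tunnel or user that "has always been there" is not evidence that it is legitimate.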