Researchers at Secureworks’ Counter Threat Unit (CTU) have uncovered a cyber espionage campaign carried out by an APT group tracked as Bronze President, The Bronze President group is targeting political and law enforcement organizations and NGOs in Asia.
The China-based group has been active at least since 2014, it leverages both custom remote access tools and publicly available remote access and post-compromise to compromise target networks.
“BRONZE PRESIDENT is a likely People’s Republic of China (PRC
Using publicly available open-source tools could be a deliberate ploy by the group to cover its tracks and reduce the risk of attribution.
Once gained access to a target network, the threat actors elevate their privileges and install malware on its systems, it uses custom batch scripts to collect specific file types (including files with
Attackers also collect credentials from high-privilege network accounts and
Researchers pointed out that threat actors attempt to remain in the compromised networks over a long period of time.
The BRONZE PRESIDENT targeted entities in countries adjacent to the PRC, including Mongolia and India, they used spear-phishing messages aimed at individuals and organizations with an interest in national security, humanitarian, and law enforcement organizations in East, South, and Southeast Asia.
Experts suspect that the group is linked to the Chinese government due to the following evidence;
Connections were found between a subset of the group’s operational infrastructure and PRC-based internet service providers. Furthermore, the group uses tools such as PlugX that have historically been leveraged by threat groups based in the PRC.
“It is likely that Bronze President is sponsored or at least tolerated by the PRC government. The threat group’s systemic long-term targeting of NGO and political networks does not align with patriotic or criminal threat groups,” continues Secureworks.
The TTPs of the group suggests that the group is a highly organized state-sponsored actor.
“Bronze President has demonstrated intent to steal data from organizations using tools such as Cobalt Strike, PlugX, ORat, and RCSession.” concludes the report. “The concurrent use of so many tools during a single intrusion suggests that the group could include threat actors with distinct tactics, roles, and tool preferences.”
(SecurityAffairs – Bronze President, hacking)