Pierluigi Paganini January 07, 2020

A cyber-espionage group tracked as Bronze President has been targeting countries in South and East Asia, Secureworks experts warn.

Researchers at Secureworks’ Counter Threat Unit (CTU) have uncovered a cyber espionage campaign carried out by an APT group tracked as Bronze President, The Bronze President group is targeting political and law enforcement organizations and NGOs in Asia.

The China-based group has been active at least since 2014, it leverages both custom remote access tools and publicly available remote access and post-compromise to compromise target networks.

“BRONZE PRESIDENT is a likely People’s Republic of China (PRC)-based targeted cyberespionage group that uses both proprietary and publicly available tools to target NGO networks.” reads the post published by Secureworks. “Secureworks® Counter Threat Unit™ (CTU) researchers have observed BRONZE PRESIDENT activity since mid-2018 but identified artifacts suggesting that the threat actors may have been conducting network intrusions as far back as 2014.”

Once compromed a network, the attackers will elevate their privileges and install malware on a large proportion of systems. The group runs custom batch scripts to collect specific file types and takes proactive steps to minimize detection of its activities.

Using publicly available open-source tools could be a deliberate ploy by the group to cover its tracks and reduce the risk of attribution.

Once gained access to a target network, the threat actors elevate their privileges and install malware on its systems, it uses custom batch scripts to collect specific file types (including files with .pptx, .xlsx, .pdf extensions) and attempt to hide its presence.

Attackers also collect credentials from high-privilege network accounts and reputationally sensitive accounts, such as social media and webmail accounts

Researchers pointed out that threat actors attempt to remain in the compromised networks over a long period of time.

The BRONZE PRESIDENT targeted entities in countries adjacent to the PRC, including Mongolia and India, they used spear-phishing messages aimed at individuals and organizations with an interest in national security, humanitarian, and law enforcement organizations in East, South, and Southeast Asia.

Experts suspect that the group is linked to the Chinese government due to the following evidence;

• BRONZE PRESIDENT’s infrastructure is linked to entities within the PRC.
• There are several connections between a subset of the group’s operational infrastructure and PRC-based Internet service providers.
• The tools used well-known tools such as PlugX that have been used in multiple campaigns associated with China-linked threat actors.

Connections were found between a subset of the group’s operational infrastructure and PRC-based internet service providers. Furthermore, the group uses tools such as PlugX that have historically been leveraged by threat groups based in the PRC.

“It is likely that Bronze President is sponsored or at least tolerated by the PRC government. The threat group’s systemic long-term targeting of NGO and political networks does not align with patriotic or criminal threat groups,” continues Secureworks. 

The TTPs of the group suggests that the group is a highly organized state-sponsored actor.

“Bronze President has demonstrated intent to steal data from organizations using tools such as Cobalt Strike, PlugX, ORat, and RCSession.” concludes the report. “The concurrent use of so many tools during a single intrusion suggests that the group could include threat actors with distinct tactics, roles, and tool preferences.”

Pierluigi Paganini

(SecurityAffairs – Bronze President, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]