An extensive cyber espionage campaign has been uncovered that is aimed at NGOs (non-governmental organizations) and law enforcement and government agencies located in South and East Asia. In the course of the campaign the threat actor leveraged custom code, as well as publicly available exploits and malware to compromise target networks, researchers at Secureworks’ Counter Threat Unit warn.
The bad actor, referred to as Bronze President, has been active since at least 2014 and is thought to be a China-based cyberespionage group that uses both proprietary and publicly available tools to target NGO networks, monitor their activities, discredit their work, or to steal their intellectual property. According to researchers, the group uses custom remote access tools alongside publicly available remote access and post-compromise toolsets.
Once a target network is compromised, the Bronze President group elevates its privileges, installs remote access tools on most systems in the network and runs custom batch scripts to collect specific file types (files with .pptx, .xlsx, .pdf extensions), or all files from a targeted NGO’s systems, as well as credentials from high-privilege network accounts and sensitive accounts, including social media and webmail.
The Secureworks’ team said that the latest attacks mainly targeted entities in major Asian countries such as Mongolia, India and China with the focus on the national security, humanitarian, and law enforcement organizations.
“It is likely that BRONZE PRESIDENT is sponsored or at least tolerated by the PRC government. The threat group's systemic long-term targeting of NGO and political networks does not align with patriotic or criminal threat groups,” the researchers said.
In addition to custom batch scripts, the group uses a variety of remote access tools, including ones that were not previously observed by researchers. Its hacking arsenal also includes widely available or modified open-source tools likely to thwart an attribution or to minimize the need for tool development resources. Bronze President was observed using tools such as the Cobalt Strike penetration testing tool, the PlugX remote access trojan (RAT), ORat loader, the RCSession basic RAT, Nbtscan command-line tool, Nmap network scanning tool, and Wmiexec.
Post-compromise tools observed on the compromised computers include a Powerview.ps1 (PowerShell-based module for network reconnaissance), PVE Find AD User (command-line tool to indificate login locations of Active Directory (AD) users), AdFind (command-line tool to conduct AD queries), NetSess (enumerates NetBIOS sessions), Netview (enumerates networks), and TeamViewer (remote control and desktop-sharing tool).
“BRONZE PRESIDENT has demonstrated intent to steal data from organizations using tools such as Cobalt Strike, PlugX, ORat, and RCSession. The concurrent use of so many tools during a single intrusion suggests that the group could include threat actors with distinct tactics, roles, and tool preferences. It is likely that BRONZE PRESIDENT has additional unobserved operational tools and capabilities,” the team concluded.
Additional information on the observed cyberespionage campaign, as well as IOCs, is available in a Secureworks’ Counter Threat Unit write-up here.