Chinese Cyber-Espionage Group Targeted NGOs for Years
A cyber-espionage group supposedly linked to the Chinese government is targeting non-governmental organizations (NGOs) in South and East Asia, Secureworks has revealed.
Referred to as BRONZE PRESIDENT, the group may have been active since at least 2014, also targeting political and law enforcement organizations and using both proprietary and publicly available tools to monitor the activity of targeted organizations, discredit their work, or steal their intellectual property.
The hackers use custom batch scripts to collect either specific file types or all files from a targeted NGO’s systems, as well as credentials from high-privilege network accounts and sensitive accounts, including social media and webmail.
Evidence suggests the group has been targeting political and law enforcement organizations in countries such as Mongolia and India. The hackers appear interested in national security, humanitarian, and law enforcement organizations in East, South, and Southeast Asia, Secureworks says.
BRONZE PRESIDENT targets NGOs that conduct research on issues relevant to China, the group’s infrastructure is linked to entities in China, a subset of the group’s operational infrastructure is linked to China-based Internet service providers, and the hackers leverage tools such as PlugX, which have historically been used by Chinese threat groups.
Although the group appears sponsored or at least tolerated by the Chinese government, its “systemic long-term targeting of NGO and political networks does not align with patriotic or criminal threat groups,” Secureworks researchers note.
On the compromised networks, the threat actor elevates privileges to admin level on all systems and installs remote access tools on most computers. The hackers are able to maintain access to the compromised networks for months or even years, the security researchers say.
BRONZE PRESIDENT is using a broad range of remote access tools, including some not previously seen by the researchers, but also widely available or modified open-source tools — either to hinder attribution or minimize the use of development resources.
In addition to custom batch scripts, BRONZE PRESIDENT was observed using tools such as the Cobalt Strike penetration testing tool, the PlugX remote access trojan (RAT), ORat loader, the RCSession basic RAT, Nbtscan command-line tool, Nmap network scanning tool, and Wmiexec.
Other malware artifacts were found on systems compromised by the group, but there was no evidence that the hackers used the malware in their intrusions. One of these artifacts was related to the China Chopper malware, which was apparently installed on the compromised system in the timeframe that BRONZE PRESIDENT had access to that system.
Post-compromise tools observed on the hacked systems include a Powerview.ps1 (PowerShell-based module for network reconnaissance), PVE Find AD User (command-line tool to find login locations of Active Directory (AD) users), AdFind (command-line tool to conduct AD queries), NetSess (enumerates NetBIOS sessions), Netview (enumerates networks), and TeamViewer (remote control and desktop-sharing tool).
Some of the group’s command and control (C&C) servers were hosted on infrastructure owned by Dutch VPS provider Host Sailor, Hong Kong-based New World Telecoms, and Malaysia-based Shinjiru Technology.
On the compromised systems, BRONZE PRESIDENT targets specific data types (including doc, xls, xlsx, ppt, pptx, pdf, and txt) and uses custom batch scripts to create a list of files that are archived for exfiltration. One batch script can collect all files stored on a specific user’s desktop.
“BRONZE PRESIDENT has demonstrated intent to steal data from organizations using tools such as Cobalt Strike, PlugX, ORat, and RCSession. The concurrent use of so many tools during a single intrusion suggests that the group could include threat actors with distinct tactics, roles, and tool preferences. It is likely that BRONZE PRESIDENT has additional unobserved operational tools and capabilities,” Secureworks concludes.