Secureworks: Likely China-based Bronze President cyber espionage group targets NGO networks, political and law enforcement organizations in South and East Asia
Bronze President, a cyber espionage group discovered by Secureworks cyber security experts, is targeting South and East Asia. The threat actor, likely based in the People’s Republic of China (PRC), uses both proprietary and publicly available tools to target multiple NGO networks, as well as political and law enforcement organizations in countries in South and East Asia. Some of the phishing lures suggest an interest in national security, humanitarian, and law enforcement organizations. The group appears to have developed its own remote access tools, which it uses alongside publicly available remote access and post-compromise toolsets. After compromising a network, the malicious hackers elevate their privileges and install malware on a large proportion of systems. The group runs custom batch scripts to collect specific file types and takes proactive steps to minimize detection of its activities.
The cyber security experts: The threat actor maintains long-term access to a targeted network and could have access to malware development capabilities
According to the cyber security experts, Bronze President has deployed a variety of remote access tools. The use of new tools suggests that the cyber espionage group could have access to malware development capabilities. The threat actor also uses widely available or modified open-source tools, which could be a strategic effort to reduce the risk of attribution or to minimize the need for tool development resources. Following a network compromise, the malicious hackers typically delete their tools and processes. However, the group is content to leave some malware on the network, likely to provide a contingency if other access channels are removed. When the group’s activities were detected in one incident, it had elevated privileges and had maintained access to the targeted environment for several months. This finding indicates the group’s effectiveness at maintaining long-term access to a targeted network.