Gorodenkoff - stock.adobe.com

Chinese cyber attack group Bronze Union targeting weapons tech

Weapons technology is among the latest targets of a highly adaptable cyber espionage group that uses a wide range of publicly available and custom attack tools, presenting a challenge to network defenders

Cyber attack group Bronze Union has attempted to steal data on cutting-edge weapons technologies as well as spy on dissidents and other civilian groups, according to researchers.

The group – also known as Emmissary Panda, LuckyMouse and APT 27 – is believed to be located mainly in China and focuses on collecting political and military intelligence, according to the researchers of the counter threat unit at Secureworks who have been tracking the group since 2013.

Analysis of Bronze Union’s network reveals broad targeting, a range of capabilities, flexible tactics and a persistent focus, according to a report on the group’s espionage tools.

Since 2016, Secureworks analysts have observed Bronze Union targeting a variety of data from political, technology, manufacturing and humanitarian organisations.

In 2017 and 2018, the threat actors used an extensive arsenal of tools and intrusion methods to achieve their aims, which the researchers said creates challenges for frontline network defenders and incident responders.

In 2018, the researchers found evidence that Bronze Union was using updated variants of attack tools that had been publicly available for years. For example, the group was using an updated version of the ZxShell remote access Trojan (RAT) that was developed in 2006, with the source code made public in 2007.

“Although various threat actors have created different variations of the RAT, the version used by Bronze Union in 2018 contained some previously unobserved properties that suggest the threat group’s capabilities continue to evolve,” the report said, namely that the updated malware embedded the well-known HTran packet redirection tool and the malware was signed with digital certificates.

In addition to publicly available tools, Bronze Union has also used proprietary remote access tools such as SysUpdate and HyperBro since 2016. Despite self-developed tools generally benefitting from lower detection rates than publicly available tools, the report said the threat actors appear to use their own tools more sparingly after securing consistent network access.

SysUpdate is a multi-stage malware used exclusively by Bronze Union, the report said. It has been delivered by multiple methods, including malicious Word documents using the dynamic data exchange (DDE) embedded command method.

The researchers said it is flexible malware because capabilities can be easily introduced and withdrawn by supplying a new payload file, and that by withdrawing payloads when not in use, operators can limit exposure of their full capabilities if the malicious activity is detected. 

The threat actors are adept at circumventing common security controls and escalating their privileges, the report said, typically using services, tools and credentials native to the compromised environment, which is known as living off the land.

After obtaining access to a network, the researchers said the threat actors are diligent about maintaining access to high-value systems over long periods of time, typically returning to compromised networks every three months to verify their access to existing web shells, refresh their access to credentials, and in some instances revisit data of interest.

The researchers note that the choice of a three-month maintenance schedule could be an attempt to align with the frequency with which many organisations change passwords.

Another common practice by the group is to use stolen credentials to access business email accounts and search for specific keywords and individuals in significant roles. Bronze Union has also used email access to download email attachments and data, and to log into victims’ instant messenger services.

The researchers said Bronze Union is one of the most prolific and active targeted threat groups that they have tracked, noting that the level of sophistication and adaptability of the threat group is extremely rare.

This is demonstrated, they said, by the group’s ability to target both defence data from technology and manufacturing firms, and in parallel, political data from humanitarian organisations.

The researchers said their analysis suggests that the threat actors use a loose set of operational processes and workflows, but are familiar with a wide range of tools and methods. This flexibility enables them to overcome barriers and challenges during the intrusion process, the researchers said.

Any organisation that is likely to be targeted by Bronze Union should implement security controls and risk management strategies that defend against the threat group’s tactics, techniques and procedures, the researchers said.

They also recommend that high-risk organisations implement network and endpoint security technologies that detect anomalous behaviour, rather than relying on detecting only known malware or attacker infrastructure in light of the flexibility of the threat group and the high rate of change in its attack methods.

Read more cyber attack groups

Read more on Hackers and cybercrime prevention