Bronze President has potentially shifted from Asia to focus on Russia as the invasion of Ukraine continues.
Also known as Mustang Panda, TA416, or RedDelta, the Chinese cyberespionage group has been active since at least 2018 and has traditionally focused on gathering intelligence from NGOs, research institutes, and internet service providers (ISPs).
Past countries and regions on the hit list include Europe, Mongolia, Russia, Vietnam, and South Africa.
According to Secureworks Counter Threat Unit (CTU), the group is either "sponsored or at the very least tolerated by the Chinese government" and "appears to be changing its targeting in response to the political situation in Europe and the war in Ukraine."
Recent campaigns have primarily focused on Southeast Asia, with targets infiltrated for "political and economic" data theft and ongoing, long-term surveillance. However, CTU says that Bronze President has now pivoted to Russian speakers alongside European organizations.
"This suggests that the threat actors have received updated tasking that reflects the changing intelligence collection requirements of the People's Republic of China (PRC)," the researchers say.
Government-sponsored -- or, perhaps, tolerated -- cyberattackers are tasked with activities that will benefit their government somehow. This often includes intelligence-gathering, spying, and activities that improve situational awareness, especially in times of conflict.
These activities don't only include 'enemies' or 'hostile' states -- it also extends to who a country considers an ally or friend.
CTU suggests that the recent Bronze President shift could indicate "an attempt by China to deploy advanced malware to computer systems of Russian officials."
Bronze President is suspected of targeting the Russian military. The team analyzed a malicious executable called "Blagoveshchensk - Blagoveshchensk Border Detachment.exe," which was disguised with a .PDF icon and heavily obfuscated to hide a downloader for PlugX malware. (The city of Blagoveshchensk is close to the Chinese border and is home to part of the Russian military.)
If executed, the file will display a decoy document (written in English, oddly), which describes the refugee situation and EU sanctions. In the background, a downloader grabs PlugX from a command-and-control (C2) server previously tied to campaigns in Europe.
PlugX is a Remote Access Trojan (RAT) capable of file exfiltration, executing remote command shells, establishing a backdoor, and deploying additional malicious payloads.
Bronze President has a wide range of tools, including Cobalt Strike, the China Chopper backdoor, RCSession, and ORat, at its disposal.
In March, ESET said the group was taking advantage of the war to spread a new Korplug/PlugX RAT variant, dubbed Hodur, via Ukraine & Russia-themed phishing campaigns.
In other cybersecurity news related to Russia and Ukraine, Aqua Security has been tracking the use of cloud repositories by those on both sides of the conflict.
The researchers found that 40% of public repositories with descriptions or names linked to the invasion, including tools and guides, promoted denial-of-service (DoS) activities "aimed at disrupting the network traffic of online services."
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0