Research

Details on BRONZE VINEWOOD, Implicated in Targeting of the U.S. Election Campaign

The likely China-based targeted threat group has been active since at least 2017, using a combination of custom and native tools to steal data from its targets

Details on BRONZE VINEWOOD, implicated in targeting of the U.S. election campaign

On June 4, 2020, Google’s Threat Analysis Group reported active targeting of U.S. election campaigns by the Chinese BRONZE VINEWOOD (also known as APT31 and ZIRCONIUM) and Iranian COBALT ILLUSION (also known as APT35) threat groups. A Microsoft security researcher subsequently confirmed a high level of BRONZE VINEWOOD activity since early April 2020.

Despite evidence that BRONZE VINEWOOD has been active since at least 2017, very little information about the group has been publicly released. Secureworks® Counter Threat Unit™ (CTU) researchers have previously observed BRONZE VINEWOOD targeting legal, consulting, and software development organizations in the U.S. and Europe, particularly organizations that provide services to government and defense companies.

The threat actors’ primary focus is to steal information that could be valuable to the People’s Republic of China. They have leveraged intrusions to pivot to networks of the victims’ customers, highlighting the growing tactic of attacking a supply chain to reach an ultimate target.

To provide insight into some of BRONZE VINEWOOD’s previously observed tactics, techniques, and procedures (TTPs), CTU researchers are publicly releasing threat intelligence that was previously published to Secureworks clients:


Some of those observed techniques are not particularly novel but are highly effective:

  • Exploiting vulnerable third-party software and other techniques to gain initial access
  • Using online code and document repositories for command and control (C2) communications
  • Employing custom remote access trojans (RATs), publicly available tools, and native operating system utilities to hinder attribution
  • Implementing DLL search-order hijacking of a variety of applications to load malware
  • Stealing privileged domain credentials on a regular schedule, likely to align with the rolling window of an organization's password reset policy
  • ‘Parking’ C2 domains on 127.0.0.1 when not in use to reduce identification of malicious network traffic
  • Using WinRAR to archive data of interest prior to exfiltration from the environment

Although BRONZE VINEWOOD may have modified its TTPs since these documents were written, the insights could provide organizations with knowledge to detect and respond to this threat within their environment.

Learn more threat insights and hear directly from CTU researchers at the Secureworks Global Threat Intelligence Summit, June 30, 2020.


ABOUT THE AUTHOR
COUNTER THREAT UNIT RESEARCH TEAM

The Secureworks Counter Threat Unit™ (CTU) is a dedicated threat research team that analyzes threat data across our global customer base and actively monitors the threat landscape.
Back to all Blogs

GET THE LATEST SECURITY UPDATES

Thank you for your submission.

Try Taegis Today

Request a demo to see how Taegis can reduce your risk, optimize your existing security investments, and fill your talent gaps.