BRONZE ATLAS
SUMMARY
BRONZE ATLAS has been operating since at least 2007. CTU researchers assess with high confidence that the group’s intent is the theft of intellectual property from organizations in developed economies, and with moderate confidence that this activity is conducted on behalf of China to support decision making in a range of Chinese economic sectors. The group primarily uses scan-and-exploit and phishing for initial access and enables its intrusions through theft of code signing certificates from technology and gaming organizations. CTU researchers have linked BRONZE ATLAS to targeted attacks on organizations in the pharmaceuticals, media, human rights, fossil fuels and agriculture sectors. The group has also been publicly linked to the high-collateral supply chain compromises in 2017 that leveraged software updates for CCleaner and NetSarang to compromise users. BRONZE ATLAS is also known as APT41, Axiom or Winnti in public reporting.
Threat Analysis
ShadowPad Malware Analysis