BRONZE FIRESTONE
SUMMARY
BRONZE FIRESTONE is a threat group that CTU researchers assess with moderate confidence operates on behalf of China. It has targeted data from organizations within the technology, financial services, manufacturing, defense and government verticals. Also known as APT19, BRONZE FIRESTONE likely comprises a portion of the Deep Panda superset. The group has been active since at least 2010, when its tools were delivered through a strategic web compromise of the Nobel Peace Prize website that leveraged a 0-day in the Firefox browser.
BRONZE FIRESTONE appears to have access to the Derusbi source code, on the basis that it was observed deploying slightly modified versions of the tool immediately after previous versions had been removed from compromised hosts. The group has also used PlugX, 9002 (aka NAID), Alice's Rabbit Hole (MadHatter), Briba and Zuguo (aka Chinoxy), and is known to use cloud infrastructure from Google, Amazon Web Services and Dropbox for command and control. In the past, BRONZE FIRESTONE infrastructure has overlapped with that of BRONZE KEYSTONE and BRONZE UNION. From January 2017, BRONZE FIRESTONE was also observed delivering cryptomining tools to compromised hosts. As of late 2017, the group was targeting legal firms for data exfiltration and technology providers for building command and control infrastructure.