BRONZE RIVERSIDE
SUMMARY
In April 2017, the UK National Cyber Security Centre disclosed a global campaign by the BRONZE RIVERSIDE threat group targeting providers of managed IT infrastructure services. Also in early 2017, third-party researchers linked infrastructure, malware functionality, and passwords previously associated with BRONZE RIVERSIDE to targeted phishing attempts against individuals in Japanese academic, pharmaceutical, and manufacturing organizations.
BRONZE RIVERSIDE, also known as APT10, Stone Panda, the MenuPass group, and other names, has been active since at least 2009 and has historically targeted government, aerospace, and defense organizations. In subsequent years, the scope of BRONZE RIVERSIDE targeting expanded. It is a significant threat to organizations producing intellectual property in industry verticals that the Chinese state has identified as strategically important, and to any organization that provides managed IT infrastructure services to them. The scale and persistence of this activity indicate a well-resourced and capable actor, although it also raises questions about the organizational structure of Chinese threat groups and the degree to which access and infrastructure may be shared across threat groups.
Public disclosures in early 2017 forced BRONZE RIVERSIDE to modify its tools and infrastructure. Third-party reporting also suggests that the group has adopted tools including the ANEL backdoor and Cobalt Strike.
CTU researchers have not observed any targeting of Secureworks clients since August 2018 but consider the group to be very much active, even if its tools and techniques have changed. Organizations should ensure that they know what their critical information assets are and have applied layered defenses to protect them, with a focus on prevention, detection, and response. The exploitation of managed IT service providers as an intrusion vector highlights the importance of privileged account management, use of two-factor authentication, and security auditing of service providers.