Chinese Cyber-Espionage Group Targeted NGOs for Years
Referred to as BRONZE PRESIDENT, the group may have been active since at least 2014, also targeting political and law enforcement organizations and using both proprietary and publicly available tools to monitor the activity of targeted organizations, discredit their work, or steal their intellectual property.
BRONZE PRESIDENT targets NGOs that conduct research on issues relevant to China; the group's infrastructure is linked to entities in China; a subset of the group's operational infrastructure is linked to China-based Internet service providers; and the hackers leverage tools such as PlugX, which have historically been used by Chinese threat groups.
Although the group appears to be sponsored or at least tolerated by the Chinese government, its "systemic long-term targeting of NGO and political networks does not align with patriotic or criminal threat groups," Secureworks researchers note.
In addition to custom batch scripts, BRONZE PRESIDENT was observed using tools such as the Cobalt Strike penetration testing tool, the PlugX remote access trojan, the ORat loader, the RCSession basic RAT, the Nbtscan command-line tool, the Nmap network scanning tool, and Wmiexec.
"BRONZE PRESIDENT has demonstrated intent to steal data from organizations using tools such as Cobalt Strike, PlugX, ORat, and RCSession. The concurrent use of so many tools during a single intrusion suggests that the group could include threat actors with distinct tactics, roles, and tool preferences. It is likely that BRONZE PRESIDENT has additional unobserved operational tools and capabilities," Secureworks concludes.