The advanced persistent threat (APT) group known since 2013 as BRONZE UNION, as well as Emissary Panda, APT 27 and LuckyMouse, is believed to be based in China, according to Secureworks.
Published today, the State of the [BRONZE] UNION Snapshot and A Peek into BRONZE UNION’S Toolbox are based on nearly two years of continuous, in-depth visibility into the group’s threat campaigns.
Researchers have tracked the group’s activities, including its persistent and long-term approach to espionage, and their analysis of network compromises suggests that since 2016 BRONZE UNION has been using a range of capabilities and tactics to target data mostly from political, technology, manufacturing and humanitarian organizations.
Focused on espionage activities, the threat group’s tactics ranged from stealing data about cutting-edge weapons technologies to spying on dissidents and other civilian groups, according to researchers.
Using stolen credentials, the threat actors have been able to compromise business email accounts and then use that access to perform tasks ranging from keyword searches to downloading email attachments and data.
The arsenal of intrusion methods and tools used by the group has been problematic for defenders, as the attackers' sophisticated skills allow them to evade common security tools and escalate their privileges, according to the report.
The group often uses services, tools and credentials native to the compromised environment, a technique commonly known as living off the land. “After obtaining access to a network, the threat actors are diligent about maintaining access to high-value systems over long periods of time,” researchers wrote.
A distinguishing pattern of BRONZE UNION activity is that the group seems to have a routine maintenance schedule, returning to compromised networks every three months. Researchers suspect that this schedule aligns with the time frame many organizations use to force password changes.
“The threat actors have access to a wide range of tools, so they can operate flexibly and select tools appropriate for intrusion challenges. During complex intrusion scenarios, the threat actors leverage their proprietary tools, which offer custom functionality and lower detection rates.”