A cyber-espionage group dubbed Bronze President has been targeting countries in South and East Asia.
Researchers at Secureworks' Counter Threat Unit (CTU) have observed the group spying on the activities of political and law enforcement organizations and NGOs.
The threat group seems to have developed its own remote access tools, which it uses alongside publicly available remote access and post-compromise toolsets to gain entry to a network.
Using publicly available open-source tools could be a deliberate ploy by the group to cover its tracks and reduce the risk of attribution.
Once inside, the threat actors elevate their privileges and install malware on a large proportion of systems. Bronze President then runs custom batch scripts to collect specific file types and takes proactive steps to minimize detection of its activities.
The threat actors appear to be monitoring their targets as they steal data from compromised systems over a long period of time. Countries that have been targeted include India and Mongolia.
Activity from the threat actors has been observed by Secureworks' researchers since mid-2018, but it's is thought that the group may have started causing trouble as early as 2014.
Among the group's phishing lures, researchers found emails suggesting an interest in national security, humanitarian, and law enforcement organizations in East, South, and Southeast Asia.
Researchers believe the Bronze President group is operating from a base within the People's Republic of China (PRC).
Connections were found between a subset of the group's operational infrastructure and PRC-based internet service providers. Furthermore, the group uses tools such as PlugX that have historically been leveraged by threat groups based in the PRC.
"It is likely that Bronze President is sponsored or at least tolerated by the PRC government. The threat group's systemic long-term targeting of NGO and political networks does not align with patriotic or criminal threat groups," wrote Secureworks' researchers.
The operational tactics of the group indicate that the crew behind it are highly organized.
Researchers noted: "Bronze President has demonstrated intent to steal data from organizations using tools such as Cobalt Strike, PlugX, ORat, and RCSession. The concurrent use of so many tools during a single intrusion suggests that the group could include threat actors with distinct tactics, roles, and tool preferences."