A group of hackers believed to be based in China has launched a sophisticated campaign targeting a range of organisations in politics, technology, manufacturing and humanitarian relief.
The collective, known as Bronze Union and APT 27, has been spotted spying on dissidents and stealing data about cutting-edge weapons technologies, researchers at Secureworks have revealed.
The security vendor’s counter threat unit has been tracking the group since 2013, but despite a number of public disclosures, it has remained active and continues to refine its methods of attack.
“Bronze Union is one of the most prolific and active targeted threat groups tracked by CTU researchers as of this publication,” Secureworks’ researchers wrote in a blogpost.
“CTU analysis suggests that the threat actors use a loose set of operational processes and workflows but are familiar with a wide range of tools and methods. This flexibility enables them to overcome barriers and challenges during the intrusion process.”
The group is skilled in bypassing standard security measures and then using the compromised target’s services, tools and credentials to extract sensitive data while evading detection.
“After obtaining access to a network, the threat actors are diligent about maintaining access to high-value systems over long periods of time,” the researchers wrote. “They typically return to compromised networks every three months (see Figure 1) to verify their access to existing web shells, refresh their access to credentials, and in some instances revisit data of interest.” That schedule is believed to be timed to coincide with routine password changes, presumably so the group can re-harvest credentials after they are rotated.
To mitigate the threat, Secureworks advised organisations that could be targeted by the group to rely on security tooling that focuses on anomalous behaviour rather than on fixed indicators, given “the flexibility and change rate of Bronze Union’s methods”.
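One behaviour the report does describe concretely is the quarterly return to an existing web shell. That pattern (a script path that sits dormant for months, is then hit by a handful of requests from one or two addresses, then goes quiet again) is something a defender can look for in ordinary web server access logs without knowing the shell's name or hash. The script below is an added illustration written for this page, not Secureworks code or anything from their report; the log lines are constructed for the example, and the thresholds (script extensions, one-day visit break, 30-day minimum dormancy, at most three source addresses) are assumptions a team would tune to its own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache "combined" access-log lines for illustration; not real traffic.
# /images/cache/thumb.aspx receives brief, widely spaced POSTs from two addresses
# (the pattern of interest). /login.aspx is a real form used by several clients.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jan/2017:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.4 - - [02/Jan/2017:10:16:30 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.55 - - [07/Jan/2017:03:21:09 +0000] "POST /images/cache/thumb.aspx HTTP/1.1" 200 412 "-" "python-requests/2.9.1"
192.0.2.55 - - [07/Jan/2017:03:22:15 +0000] "POST /images/cache/thumb.aspx HTTP/1.1" 200 1950 "-" "python-requests/2.9.1"
198.51.100.4 - - [15/Feb/2017:09:00:00 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Feb/2017:09:01:10 +0000] "POST /login.aspx HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [15/Feb/2017:09:05:00 +0000] "POST /login.aspx HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.56 - - [08/Apr/2017:03:21:09 +0000] "POST /images/cache/thumb.aspx HTTP/1.1" 200 433 "-" "python-requests/2.9.1"
203.0.113.20 - - [20/May/2017:12:12:12 +0000] "POST /login.aspx HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [21/May/2017:08:00:00 +0000] "POST /login.aspx HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.56 - - [09/Jul/2017:03:21:09 +0000] "POST /images/cache/thumb.aspx HTTP/1.1" 200 420 "-" "python-requests/2.9.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Tunable assumptions for this example (not figures from the report).
SCRIPT_EXTS = (".aspx", ".asp", ".ashx", ".php", ".jsp", ".jspx")
VISIT_BREAK = timedelta(days=1)   # requests further apart than this belong to separate visits
MIN_VISITS = 2                    # the operator came back at least once
MIN_GAP_DAYS = 30                 # long dormancy between visits
MAX_REQUESTS_PER_VISIT = 10       # each visit is a short check-in, not normal page traffic
MAX_DISTINCT_IPS = 3              # a genuinely used page is hit from many addresses


def parse_log(text):
    """Yield (path, timestamp, client ip, method) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip truncated or foreign-format lines rather than crash
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0].lower()  # drop query string, normalise case
        yield path, ts, m["ip"], m["method"]


def split_into_visits(timestamps):
    """Group timestamps into bursts; a gap longer than VISIT_BREAK starts a new visit."""
    visits = []
    for ts in sorted(timestamps):
        if visits and ts - visits[-1][-1] <= VISIT_BREAK:
            visits[-1].append(ts)
        else:
            visits.append([ts])
    return visits


def find_dormant_script_revisits(text):
    """Return {path: report} for script paths whose access pattern looks like
    periodic web-shell check-ins: few requests, few sources, long gaps between visits."""
    by_path = defaultdict(list)
    for path, ts, ip, method in parse_log(text):
        if path.endswith(SCRIPT_EXTS):
            by_path[path].append((ts, ip, method))

    findings = {}
    for path, events in by_path.items():
        visits = split_into_visits([ts for ts, _, _ in events])
        if len(visits) < MIN_VISITS:
            continue
        if any(len(v) > MAX_REQUESTS_PER_VISIT for v in visits):
            continue
        # Gap measured from the start of one visit to the start of the next, in whole days.
        gaps = [round((b[0] - a[0]).total_seconds() / 86400) for a, b in zip(visits, visits[1:])]
        if min(gaps) < MIN_GAP_DAYS:
            continue
        ips = {ip for _, ip, _ in events}
        if len(ips) > MAX_DISTINCT_IPS:
            continue
        findings[path] = {
            "visits": len(visits),
            "gap_days": gaps,
            "source_ips": sorted(ips),
            "post_ratio": sum(m == "POST" for _, _, m in events) / len(events),
        }
    return findings


if __name__ == "__main__":
    for path, report in find_dormant_script_revisits(SAMPLE_LOG).items():
        print(path, report)
```

On the constructed sample only `/images/cache/thumb.aspx` is reported: three visits roughly 91 and 92 days apart, all POSTs, from two addresses. `/login.aspx` also shows sparse, widely spaced POSTs but is used from four different clients, so the distinct-source threshold drops it; a little-used but legitimate admin script could still trip the heuristic, which is why the output is a lead for a web-shell hunt (check the file's creation time and owner, and whether it is part of the deployed application) rather than a verdict on its own.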