On May 24, 2023, the U.S. National Security Agency (NSA) issued a joint cybersecurity advisory highlighting a cluster of activity it attributes to a People's Republic of China (PRC) state-sponsored threat group. Secureworks® Counter Threat Unit™ (CTU) researchers attribute this activity to BRONZE SILHOUETTE (referred to in the advisory as Volt Typhoon) and have observed the threat group conducting network intrusion operations against U.S government and defense organizations since 2021. The tactics, techniques, and procedures (TTPs) and victimology observed during Secureworks incident response (IR) engagements suggest BRONZE SILHOUETTE targets organizations for intelligence-gathering purposes that are in alignment with the requirements of the PRC. The threat group has demonstrated careful consideration for operational security such as the use of preinstalled binaries to “live off the land,” incorporation of defense evasion techniques, and reliance on compromised infrastructure to prevent detection and attribution of its intrusion activity, and to blend in with legitimate network activity.
June 2021 IR engagement
During a June 2021 engagement, Secureworks incident responders discovered that BRONZE SILHOUETTE had gained initial access to the compromised organization's single-factor Citrix environment via a domain administrator account. It is unclear how the threat actors obtained these credentials. BRONZE SILHOUETTE moved laterally to another web server and dropped a simple Java-based web shell (AuditReport.jspx). Secureworks incident responders observed the threat actors execute a series of reconnaissance commands via the web shell (see Figure 1).
Figure 1. Reconnaissance commands issued through Java-based web shell. (Source: Secureworks)
BRONZE SILHOUETTE then wrote Base64-encoded text to C:\Windows\Temp\ntuser.ini and decoded it to C:\Windows\Temp\iisstart.aspx via the certutil command (see Figure 2).
Figure 2. Web shell written to disk, decoded, and copied to remote web server. (Source: Secureworks)
The iisstart.aspx file is a C# web shell that is likely a derivative of the Awen web shell and is used for remote command execution (see Figure 3). The threat actors copied the web shell to a second web server in the environment and used it to gather system information via the ‘whoami' and ‘tasklist' commands.
Figure 3. Snippet from the C# web shell deployed by BRONZE SILHOUETTE. (Source: Secureworks)
Secureworks incident responders observed BRONZE SILHOUETTE using the AuditReport.jspx web shell to perform the following tasks on the first web server:
Used Windows Management Instrumentation (WMI) to execute the Ntdsutil Active Directory (AD) management tool on the domain controller (see Figure 4). This command creates a copy of the ntds.dit AD database for credential attacks such as pass the hash or offline password hash cracking.
Figure 4. Credential dumping using Ntdsutil. (Source: Secureworks)
- Copied the ntds.dit database to the web server via xcopy, compressed the database as a multi-volume password-protected archive via 7-Zip, and saved the volumes to a public-facing directory on the same server with legitimate-sounding filenames and a .gif extension.
- Used the rd command with the /S switch to delete the threat actors' working directories and files.
The threat actors then exfiltrated the dumped AD database to an external IP address. This IP address belonged to a compromised server at an organization in the same vertical as the compromised organization.
September 2021 IR engagement
BRONZE SILHOUETTE reappeared in a September 2021 Secureworks IR engagement against an organization in the U.S. The threat actors gained initial access by exploiting a vulnerability in an internet-facing ManageEngine ADSelfService Plus server (likely CVE-2021-40539). BRONZE SILHOUETTE deployed a web shell (ReportGenerate.jsp) and interacted with it to run reconnaissance commands using built-in Windows tools such as net user, nltest, netstat, and systeminfo (see Figure 5).
Figure 5. BRONZE SILHOUETTE reconnaissance commands. (Source: Secureworks)
Secureworks incident responders observed the threat actors executing ADSSPlus.exe, which is a renamed csvde.exe file. The csvde.exe command-line utility provides import and export functionality for Lightweight Directory Access Protocol (LDAP) repositories. The threat actors used the '-f' switch, which exports a list of AD objects to the ADSSPlus.dat file (see Figure 6).
Figure 6. Threat actor command to export AD objects to ADSSPlus.dat. (Source: Secureworks)
BRONZE SILHOUETTE used the Windows makecab command to compress the ADSSPlus.dat file into a cabinet (.cab) file, but Secureworks incident responders did not observe the threat actor exfiltrating the file.
June 2022 IR engagement
During a June 2022 engagement, Secureworks incident responders discovered that BRONZE SILHOUETTE had deployed a single web shell to multiple servers across the environment after likely exploiting an internet-facing PRTG Network Monitor server. The web shell was also a derivative of the Awen web shell but included key modifications such as the addition of AES encryption and decryption for command and control (C2) communications. Based on web shell file creation timestamps, the network was likely compromised in May 2021.
The threat actors used WMI to execute the native vssadmin command on a domain controller to create a volume shadow copy. They then extracted the ntds.dit AD database and the SYSTEM registry hive from the volume shadow copy (see Figure 7).
Figure 7. Threat actor WMI commands to extract the ntds.dit database. (Source: Secureworks)
Secureworks incident responders observed the threat actors using 7-Zip to create an archive file containing the SYSTEM registry hive and ntds.dit, likely for exfiltration. A few days later, the threat actors moved laterally to a ManageEngine ADSelfService Plus server and ran reconnaissance commands. One command revealed BRONZE SILHOUETTE searching for one of its C2 IP addresses (see Figure 8).
Figure 8. Threat actor commands run under the ManageEngine Java process. (Source: Secureworks)
A CTU investigation into the attacker-controlled C2 infrastructure revealed at least three PRTG servers belonging to other organizations. This discovery suggests that BRONZE SILHOUETTE targets vulnerable PRTG servers for initial access into a target environment and to establish its C2 infrastructure.
BRONZE SILHOUETTE: A member of the new wave of Chinese threat groups?
CTU analysis of the direct observations from BRONZE SILHOUETTE intrusions reveals a threat group that favors web shells for persistence and relies on short bursts of activity primarily involving living-off-the-land binaries to achieve its objectives. For example, the June 2021 IR engagement determined that the threat actors were inside the compromised network for only 90 minutes before obtaining the ntds.dit AD database. The threat actors also take steps to identify and remove evidence of their presence on a network, such as inspecting server logs for their C2 IP address and deleting files used during their intrusions.
BRONZE SILHOUETTE's use of other organizations' compromised servers in its C2 proxy network may help obfuscate the source of the intrusion activity and make attribution more challenging. In some intrusions, the C2 communications could blend in with legitimate business network traffic to reduce the likelihood of detection.
BRONZE SILHOUETTE has consistently focused on operational security, including a minimal intrusion footprint, incorporation of defense evasion techniques, and use of compromised infrastructure in multiple intrusions. This focus suggests a high level of operational maturity and adherence to a blueprint designed to reduce the likelihood of the detection and attribution of its intrusion activity. This attention to operational security, particularly when targeting Western organizations, is consistent with network compromises that CTU researchers have attributed to Chinese threat groups in recent years. These tradecraft developments have likely been driven by a series of high-profile U.S. Department of Justice indictments of Chinese nationals allegedly involved in cyberespionage activity, public exposures of this type of activity by security vendors, and the consequential likely increased pressure from PRC leadership to avoid public scrutiny of its cyberespionage activity.
BRONZE SILHOUETTE likely operates on behalf the PRC. The targeting of U.S. government and defense organizations for intelligence gain aligns with PRC requirements, and the tradecraft observed in these engagements overlap with other state-sponsored Chinese threat groups.
To mitigate exposure to this threat, CTU researchers recommend that organizations use available controls to review and restrict access using the indicators listed in Table 1. Note that IP addresses can be reallocated. The IP addresses may contain malicious content, so consider the risks before opening them in a browser.
|006c4a5950f75c2c9049cda1a62c09a0||MD5 hash||Web shell (iisstart.aspx) used by BRONZE SILHOUETTE|
|4d3572cfc8460fe0299377f6bc05d865a987529f||SHA1 hash||Web shell (iisstart.aspx) used by BRONZE SILHOUETTE|
|SHA256 hash||Web shell (iisstart.aspx) used by BRONZE SILHOUETTE|
|af3a81605aa8e29c8be9e91d2ce19fc1||MD5 hash||Base64-encoded web shell (ntuser.ini) used by BRONZE SILHOUETTE|
|a9e32e2bd499c1070f4e0b5a6d85119f1aa0a778||SHA1 hash||Base64-encoded web shell (ntuser.ini) used by BRONZE SILHOUETTE|
|SHA256 hash||Base64-encoded web shell (ntuser.ini) used by BRONZE SILHOUETTE|
|670545a24a2ce2ac7a0e863790bfe2e1||MD5 hash||Java web shell (AuditReport.jspx) used by BRONZE SILHOUETTE|
|4ba6b043313c8d163f2ab7c4505c8b9b8cd68061||SHA1 hash||Java web shell (AuditReport.jspx) used by BRONZE SILHOUETTE|
|SHA256 hash||Java web shell (AuditReport.jspx) used by BRONZE SILHOUETTE|
|22.214.171.124||IP address||BRONZE SILHOUETTE C2 server|
|126.96.36.199||IP address||BRONZE SILHOUETTE C2 server|
|188.8.131.52||IP address||BRONZE SILHOUETTE C2 server|
Table 1. Indicators for this threat.