Details on BRONZE VINEWOOD, Implicated in Targeting of the U.S. Election CampaignThe likely China-based targeted threat group has been active since at least 2017, using a combination of custom and native tools to steal data from its targets By: Counter Threat Unit Research Team
On June 4, 2020, Google’s Threat Analysis Group reported active targeting of U.S. election campaigns by the Chinese BRONZE VINEWOOD (also known as APT31 and ZIRCONIUM) and Iranian COBALT ILLUSION (also known as APT35) threat groups. A Microsoft security researcher subsequently confirmed a high level of BRONZE VINEWOOD activity since early April 2020.
Despite evidence that BRONZE VINEWOOD has been active since at least 2017, very little information about the group has been publicly released. Secureworks® Counter Threat Unit™ (CTU) researchers have previously observed BRONZE VINEWOOD targeting legal, consulting, and software development organizations in the U.S. and Europe, particularly organizations that provide services to government and defense companies.
The threat actors’ primary focus is to steal information that could be valuable to the People’s Republic of China. They have leveraged intrusions to pivot to networks of the victims’ customers, highlighting the growing tactic of attacking a supply chain to reach an ultimate target.
To provide insight into some of BRONZE VINEWOOD’s previously observed tactics, techniques, and procedures (TTPs), CTU researchers are publicly releasing threat intelligence that was previously published to Secureworks clients:
- BRONZE VINEWOOD Targets Supply Chains
- DropboxAES Remote Access Trojan
- BRONZE VINEWOOD Uses HanaLoader to Target Government Supply Chain
Some of those observed techniques are not particularly novel but are highly effective:
- Exploiting vulnerable third-party software and other techniques to gain initial access
- Using online code and document repositories for command and control (C2) communications
- Employing custom remote access trojans (RATs), publicly available tools, and native operating system utilities to hinder attribution
- Implementing DLL search-order hijacking of a variety of applications to load malware
- Stealing privileged domain credentials on a regular schedule, likely to align with the rolling window of an organization's password reset policy
- ‘Parking’ C2 domains on 127.0.0.1 when not in use to reduce identification of malicious network traffic
- Using WinRAR to archive data of interest prior to exfiltration from the environment
Although BRONZE VINEWOOD may have modified its TTPs since these documents were written, the insights could provide organizations with knowledge to detect and respond to this threat within their environment.
Learn more threat insights and hear directly from CTU researchers at the Secureworks Global Threat Intelligence Summit, June 30, 2020.