Tonto Team

🔴 High
Also known as: Bisonal (malware), BRONZE HUNTLEY, CactusPete, COPPER, Copper Typhoon, Earth Akhlut, G0131, Karma Panda, KARMA PANDA, Lone Ranger, PLA Unit 65017, Red Beifang, Sharp-R, TAG-74, Tonto Team

Tonto Team is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. Tonto Team has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017). (Sources: Kaspersky CactusPete Aug 2020; ESET Exchange Mar 2021; FireEye Chinese Espionage October 2019; ARS Technica China Hack SK April 2017; Trend Micro HeartBeat Campaign January 2013; Talos Bisonal 10 Years March 2020)

🌍 Country China
⚡ Risk Level High
🧭 ATT&CK G0131
Sectors: Military, Government, Private sector

Activities and Tactics

Targeted Sectors: Military, Government, Private sector

Country of Origin: 🇨🇳 China

Risk Level: High

Suspected Victims: Eastern Europe, Japan, South Korea, Taiwan, United States

Notable Campaigns

  • Seven Pointed Dagger

Tactics, Techniques, and Procedures (TTPs)

ATT&CK technique IDs (denormalized)

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • RoyalRoad RTF Weaponizer

MITRE ATT&CK Software

Attribution and Evidence

Country of Origin: China

Additional attribution information pending cataloguing.

References

[1] mitre-attack. MITRE ATT&CK Group G0131: Tonto Team.
[7] TrendMicro Tonto Team October 2020. Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021.
[8] CrowdStrike Manufacturing Threat July 2020. Falcon OverWatch Team. (2020, July 14). Manufacturing Industry in the Adversaries' Crosshairs. Retrieved October 17, 2021.
[9] ESET Exchange Mar 2021. Faou, M., Tartare, M., Dupuy, T. (2021, March 10). Exchange servers under siege from at least 10 APT groups. Retrieved May 21, 2021.
[10] Talos Bisonal Mar 2020. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
[11] FireEye Chinese Espionage October 2019. Nalani Fraser, Kelli Vanderlee. (2019, October 10). Achievement Unlocked - Chinese Cyber Espionage Evolves to Support Higher Level Missions. Retrieved November 17, 2024.
[12] Trend Micro HeartBeat Campaign January 2013. Roland Dela Paz. (2003, January 3). The HeartBeat APT Campaign. Retrieved October 17, 2021.
[13] ARS Technica China Hack SK April 2017. Sean Gallagher. (2017, April 21). Researchers claim China trying to hack South Korea missile defense efforts. Retrieved October 17, 2021.
[14] Secureworks BRONZE HUNTLEY. Secureworks. (2021, January 1). BRONZE HUNTLEY Threat Profile. Retrieved May 5, 2021.
[15] Kaspersky CactusPete Aug 2020. Zykov, K. (2020, August 13). CactusPete APT group's updated Bisonal backdoor. Retrieved May 5, 2021.