Introduction
BRONZE SPRING is a threat group that CTU researchers assess with high confidence operates on behalf of China in the theft of intellectual property from defense, engineering, pharmaceutical and technology companies. The threat group typically uses scan-and-exploit for initial access, deploys the China Chopper webshell for remote execution and persistence, and creates RAR archives with a β.jpgβ file extension for data exfiltration. In July 2020 the U.S. Department of Justice indicted two Chinese hackers CTU researchers assess are members of the BRONZE SPRING threat group. The Department of Justice allege these hackers were responsible for compromising networks of hundreds of organisations and individuals in the U.S. and abroad since 2009, and that exfiltrated data would be passed to the Chinese Ministry of State Security or sold for financial gain.
Activities and Tactics
Targeted Sectors: Information technology, Medical, Civil engineering, Business, Education, Gaming, Energy, Pharmaceuticals, Defense industrial base
Country of Origin: π¨π³ China
Suspected Victims: United States, Australia, Belgium, Germany, Japan, Lithuania, Netherlands, Spain, South Korea, Swedenβ¦
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
Information pending cataloguing.
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- China Chopper
- RemoteCMD
- RTM
- Remote Utilities
- RemotePC
- Xploit
- Archelaus Beta
Attribution and Evidence
Country of Origin: China Additional attribution information pending cataloguing.
References
References pending cataloguing.