Chinese cyberespionage group targets U.S. Govt and Defense
The U.S. National Security Agency has issued a joint cybersecurity advisory highlighting a cluster of activity it attributes to a People's Republic of China state-sponsored threat group.
Secureworks' Counter Threat Unit (CTU) researchers attribute this activity to Bronze Silhouette, referred to in the advisory as Volt Typhoon, and have observed the threat group conducting network intrusion operations against U.S. government and defense organisations since 2021.
The tactics, techniques, and procedures (TTPs) and victimology observed during Secureworks' incident response (IR) engagements suggest Bronze Silhouette targets organisations for intelligence-gathering purposes that are in alignment with the requirements of the PRC.
The threat group has demonstrated careful consideration for operational security such as the use of preinstalled binaries to live off the land, incorporation of defense evasion techniques, and reliance on compromised infrastructure to prevent detection and attribution of its intrusion activity, and to blend in with legitimate network activity.
June 2021 IR engagement
During a June 2021 engagement, Secureworks' incident responders discovered that Bronze Silhouette had gained initial access to the compromised organisation's single-factor Citrix environment via a domain administrator account. It is unclear how the threat actors obtained these credentials. Bronze Silhouette moved laterally to another web server and dropped a simple Java-based web shell. Secureworks' incident responders observed the threat actors execute a series of reconnaissance commands via the web shell.
September 2021 IR engagement
Bronze Silhouette reappeared in a September 2021 Secureworks IR engagement against an organisation in the U.S. The threat actors gained initial access by exploiting a vulnerability in an internet-facing ManageEngine ADSelfService Plus server (likely CVE-2021-40539). Bronze Silhouette deployed a web shell and interacted with it to run reconnaissance commands using built-in Windows tools such as net user, nltest, netstat, and systeminfo.
June 2022 IR engagement
During a June 2022 engagement, Secureworks incident responders discovered that Bronze Silhouette had deployed a single web shell to multiple servers across the environment after likely exploiting an internet-facing PRTG Network Monitor server. This web shell was a derivative of the Awen web shell but included key modifications such as the addition of AES encryption and decryption for command and control (C2) communications. Based on web shell file creation timestamps, the network was likely compromised in May 2021.
The threat actors used WMI to execute the native vssadmin command on a domain controller to create a volume shadow copy. They then extracted the ntds.dit AD database and the SYSTEM registry hive from the volume shadow copy.
Secureworks incident responders observed the threat actors using 7-Zip to create an archive file containing the SYSTEM registry hive and ntds.dit, likely for exfiltration. A few days later, the threat actors moved laterally to a ManageEngine ADSelfService Plus server and ran reconnaissance commands. One command revealed Bronze Silhouette searching for one of its C2 IP addresses.
A CTU investigation into the attacker-controlled C2 infrastructure revealed at least three PRTG servers belonging to other organisations. This discovery suggests that Bronze Silhouette targets vulnerable PRTG servers for initial access into a target environment and to establish its C2 infrastructure.
Bronze Silhouette: A member of the new wave of Chinese threat groups?
CTU analysis of the direct observations from Bronze Silhouette intrusions reveals a threat group that favours web shells for persistence and relies on short bursts of activity primarily involving living-off-the-land binaries to achieve its objectives. For example, the June 2021 IR engagement determined that the threat actors were inside the compromised network for only 90 minutes before obtaining the ntds.dit AD database. The threat actors also take steps to identify and remove evidence of their presence on a network, such as inspecting server logs for their C2 IP address and deleting files used during their intrusions.
Bronze Silhouette's use of other organisations' compromised servers in its C2 proxy network may help obfuscate the source of the intrusion activity and make attribution more challenging. In some intrusions, the C2 communications could blend in with legitimate business network traffic to reduce the likelihood of detection.
Bronze Silhouette has consistently focused on operational security, including a minimal intrusion footprint, incorporation of defense evasion techniques, and use of compromised infrastructure in multiple intrusions. This focus suggests a high level of operational maturity and adherence to a blueprint designed to reduce the likelihood of the detection and attribution of its intrusion activity. This attention to operational security, particularly when targeting Western organisations, is consistent with network compromises that CTU researchers have attributed to Chinese threat groups in recent years. These tradecraft developments have likely been driven by a series of high-profile U.S. Department of Justice indictments of Chinese nationals allegedly involved in cyberespionage activity, public exposures of this type of activity by security vendors, and the consequential likely increased pressure from PRC leadership to avoid public scrutiny of its cyberespionage activity.
Bronze Silhouette likely operates on behalf of the PRC. The targeting of U.S. government and defense organisations for intelligence gain aligns with PRC requirements, and the tradecraft observed in these engagements overlaps with that of other state-sponsored Chinese threat groups.