
Details on BRONZE VINEWOOD, Implicated in Targeting of the U.S. Election Campaign

The likely China-based targeted threat group has been active since at least 2017, using a combination of custom and native tools to steal data from its targets


On June 4, 2020, Google’s Threat Analysis Group reported active targeting of U.S. election campaigns by the Chinese BRONZE VINEWOOD (also known as APT31 and ZIRCONIUM) and Iranian COBALT ILLUSION (also known as APT35) threat groups. A Microsoft security researcher subsequently confirmed a high level of BRONZE VINEWOOD activity since early April 2020.

Despite evidence that BRONZE VINEWOOD has been active since at least 2017, very little information about the group has been publicly released. Secureworks® Counter Threat Unit™ (CTU) researchers have previously observed BRONZE VINEWOOD targeting legal, consulting, and software development organizations in the U.S. and Europe, particularly organizations that provide services to government and defense companies.

The threat actors’ primary focus is to steal information that could be valuable to the People’s Republic of China. They have leveraged intrusions to pivot to networks of the victims’ customers, highlighting the growing tactic of attacking a supply chain to reach an ultimate target.

To provide insight into some of BRONZE VINEWOOD’s previously observed tactics, techniques, and procedures (TTPs), CTU researchers are publicly releasing threat intelligence that was previously published to Secureworks clients:


Some of those observed techniques are not particularly novel but are highly effective:

  • Exploiting vulnerable third-party software and other techniques to gain initial access
  • Using online code and document repositories for command and control (C2) communications
  • Employing custom remote access trojans (RATs), publicly available tools, and native operating system utilities to hinder attribution
  • Implementing DLL search-order hijacking of a variety of applications to load malware
  • Stealing privileged domain credentials on a regular schedule, likely to align with the rolling window of an organization’s password reset policy
  • ‘Parking’ C2 domains on 127.0.0.1 when not in use to reduce identification of malicious network traffic
  • Using WinRAR to archive data of interest prior to exfiltration from the environment
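As an added example (not part of the Secureworks post), the following Python sketch shows one defensive check for the ‘parking’ technique listed above: it reviews DNS resolver logs for domains whose answers alternate between 127.0.0.1 and a non-loopback address over time. The log format, client addresses, and domain names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample resolver log lines: timestamp, client, query name, record type, answer.
# These are illustrative values, not observations from the report above.
SAMPLE_DNS_LOG = """\
2020-04-01T08:00:00Z 10.0.0.15 update-cdn.example A 127.0.0.1
2020-04-01T09:30:00Z 10.0.0.15 update-cdn.example A 127.0.0.1
2020-04-02T02:15:00Z 10.0.0.15 update-cdn.example A 203.0.113.45
2020-04-02T06:40:00Z 10.0.0.15 update-cdn.example A 127.0.0.1
2020-04-01T08:05:00Z 10.0.0.22 www.example.net A 198.51.100.7
2020-04-01T08:06:00Z 10.0.0.22 localhost A 127.0.0.1
"""


def parse_dns_log(text):
    """Yield (timestamp, client, qname, answer) from whitespace-separated A-record lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "A":
            continue  # skip malformed lines and non-A records
        ts, client, qname, _rtype, answer = parts
        yield ts, client, qname, answer


def find_parked_c2_candidates(text, ignore=("localhost",)):
    """Return {qname: {"flips": n, "answers": [...]}} for names that resolved to a
    loopback address at some point and to a non-loopback address at another point.
    'flips' counts transitions between the parked (loopback) and active states."""
    history = defaultdict(list)
    for ts, _client, qname, answer in parse_dns_log(text):
        if qname.lower() in ignore:
            continue  # names expected to resolve to loopback are not interesting
        history[qname].append((ts, ipaddress.ip_address(answer)))

    candidates = {}
    for qname, records in history.items():
        records.sort()  # ISO-8601 timestamps sort chronologically as strings
        states = [ip.is_loopback for _, ip in records]
        if any(states) and not all(states):
            flips = sum(1 for a, b in zip(states, states[1:]) if a != b)
            answers = sorted({str(ip) for _, ip in records})
            candidates[qname] = {"flips": flips, "answers": answers}
    return candidates
```

A name that flips between loopback and a routable address more than once is a stronger signal than a single change, which can also be a legitimate decommissioning or migration; combine with the endpoint that issued the queries before acting.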

Although BRONZE VINEWOOD may have modified its TTPs since these documents were written, the insights could provide organizations with knowledge to detect and respond to this threat within their environment.

Learn more threat insights and hear directly from CTU researchers at the Secureworks Global Threat Intelligence Summit, June 30, 2020.


ABOUT THE AUTHOR
COUNTER THREAT UNIT RESEARCH TEAM

Secureworks Counter Threat Unit™ (CTU) researchers frequently serve as expert resources for the media, publish technical analyses for the security community, and speak about emerging threats at security conferences. Leveraging Secureworks’ advanced security technologies and a network of industry contacts, the CTU™ research team tracks threat actors and analyzes anomalous activity, uncovering new attack techniques and threats. This process enables CTU researchers to identify threats as they emerge and develop countermeasures that protect customers before damage can occur.