Active since 2009, the Chinese threat actor Bronze Mohawk (also known as APT40) has targeted companies, universities, and government organizations across a wide range of industries. The maritime research, robotics, and biomedical industries have all been victims of Bronze Mohawk, and the threat actor has focused its attacks on the U.S., Canada, Europe, the Middle East, and the South China Sea region.
In July 2019, an indictment against Bronze Mohawk was unsealed by the U.S. Department of Justice. The indictment involved the state-sponsored threat actors using Hainan Xiandun Technology Development Company (Hainan Xiandun) as a front for their malicious cyber activities. As a result of Bronze Mohawk’s activities, trade secrets, intellectual property, and other sensitive information have been stolen from organizations within the U.S., as well as from foreign governments.
Today, Bronze Mohawk is keeping a low profile, but a new discovery may link the threat actors to recent malware attacks. Let’s take a look at Bronze Mohawk and why we need to keep a watchful eye on cyber espionage.
Bronze Mohawk is known by several names, including: FeverDream, APT40, G0065, Gadolinium, GreenCrash, Hellsing, Kryptonite Panda, Leviathan, MUDCARP, Periscope, Temp.Periscope, and Temp.Jumper. In July 2019, four members of the group were charged with attacking governments, universities, and various companies across the globe on behalf of the Chinese government.
The four suspects were part of a much larger operation which set up a company (Hainan Xiandun) as a front for their attack campaigns. According to the Intrusion Truth blog, Hainan Xiandun was under the direction of the Chinese Ministry of State Security (MSS), and an employee, Wu Shurong, worked as a hired hacker for the company. Wu Shurong created malware and used it to compromise computer systems belonging to universities, governments, and companies.
The other three suspects were MSS officers who worked for the Hainan provincial department; their names are Ding Xiaoyang, Cheng Qingmin, and Zhu Yunmin. The U.S. alleged that the MSS has directed Bronze Mohawk’s attack campaigns since 2011, directing them to steal confidential business information for dissemination in China.
To access and operate their malware and hacking infrastructure, Bronze Mohawk (APT40) used the Tor network and often used email, GitHub, domains, servers, and Dropbox accounts to deploy their malware. GitHub was used to store malware, as well as stolen data, with the stolen data being concealed via steganography. Steganography is the practice of hiding a secret message inside something that is not itself secret. In Bronze Mohawk’s case, they hid stolen information in images, most of which portrayed U.S. President Donald Trump.
Between 2011 and 2018, Bronze Mohawk (APT40) was actively breaching targets in Cambodia, Germany, Indonesia, Malaysia, Norway, the U.S., South Africa, the United Kingdom, Austria, Saudi Arabia, and Switzerland. The confidential information the threat actor stole includes specialty chemical formulas, sensitive technologies used for submersible and autonomous vehicles, and trade secrets related to proprietary genetic sequencing. Bronze Mohawk (APT40) also stole data from research institutes and universities, including research related to MERS, Marburg, Ebola, and tularemia.
According to the Department of Justice, the data was given to China to aid in securing contracts for state-owned enterprises within the targeted countries, resulting in better contract bids for Chinese companies and giving them an edge over competitors. Hainan Xiandun worked in collaboration with Bronze Mohawk (APT40) and university staff to recruit hackers and linguists from the universities’ ranks to assist in potential intrusions.
Bronze Mohawk (APT40) used several tactics and techniques, as well as a large library of custom and open-source malware, to gain initial access via user and administrator credentials. Their tactics and techniques also allowed them to move laterally once inside a network and locate valuable assets from which to exfiltrate data. Bronze Mohawk used tool frameworks and malware to accomplish their goals, which include:
In September 2017, Proofpoint observed spearphishing emails from a group targeting a U.S. shipbuilding company, as well as a U.S. university research center with ties to the military. The emails had the subject line “Apply for Internship Position” and an attachment titled “resume.rtf”. A second attachment was titled “ARLUAS_FieldLog_2017-08-21.doc” and used “Torpedo recovery experiment” as bait.
The spearphishing campaigns primarily targeted the South China Sea region. Bronze Mohawk (APT40) was discovered to be behind the attacks, using Microsoft Excel and Word documents with macros to target an international law firm, as well as the Philippines Department of Justice. The backdoors Bronze Mohawk used include:
Image 1: Email Sent with Malicious Intent to a Well-known Shipbuilder
According to Talos Intelligence, one tool that Bronze Mohawk (APT40) used heavily is China Chopper, a web shell that lets them remotely control a target system; the target must already be running a web server application before it can be controlled with the tool. Various state-sponsored threat actors have used the tool, and Talos Intelligence observed Internet Information Services (IIS) and Apache web servers compromised with China Chopper web shells. However, there is no data that reveals how the web shell was installed.
China Chopper is a public hacking tool. Threat actors are provided with a GUI that allows them to configure the servers to connect to, as well as to generate the server-side code that must be added to the targeted website’s code for the two sides to communicate. The server-side component is a single line of code, and the backdoor supports .NET Active Server Pages (ASP.NET) or PHP.
Image 2: China Chopper GUI
Researchers aren’t sure whether the simplicity of the server code was an intentional decision by the China Chopper developers to make detection more difficult. Additionally, researchers found a remote shell (Virtual Terminal) function in China Chopper that has an initial suggested command of ‘netstat -an | find "ESTABLISHED"’.
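Because the server-side component is a single eval() of a request parameter, it can be hunted for with a content signature rather than a file hash. The scanner below is an added example for defenders (not code from the article or from Talos): the regexes and the size threshold are my own heuristics for the two documented variants (ASP.NET/JScript and PHP), and the web root it scans is constructed in a temporary directory.

```python
"""Hunt a web root for China Chopper-style one-line eval() web shells."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Heuristic signatures (mine, not Talos'): the public server side is one line that
# eval()s a request parameter, either ASP.NET/JScript or PHP.
SIGNATURES = {
    "aspx_jscript_eval": re.compile(r'\beval\s*\(\s*Request\.Item\s*\[', re.I),
    "php_request_eval": re.compile(r'@?\beval\s*\(\s*\$_(?:POST|GET|REQUEST)\s*\[', re.I),
}
WEB_EXTENSIONS = {".php", ".asp", ".aspx", ".ashx", ".asmx"}
MAX_BYTES = 4096  # the real server side is under 100 bytes; skip large, legitimate files


def classify_text(text: str) -> list[str]:
    """Return the names of matching signatures, plus a flag if the file is one or two lines."""
    hits = [name for name, rx in SIGNATURES.items() if rx.search(text)]
    if hits and len(text.strip().splitlines()) <= 2:
        hits.append("single_line_shell")
    return hits


def scan_webroot(root: str | Path) -> dict[str, list[str]]:
    """Walk root and return {relative_posix_path: hits} for files tripping a signature."""
    root = Path(root)
    findings: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTENSIONS:
            continue
        if path.stat().st_size > MAX_BYTES:
            continue
        hits = classify_text(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def demo_webroot() -> dict[str, list[str]]:
    """Build a constructed web root (one benign page, two planted shells) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Benign page: reads a POST field but never eval()s it, so it must not be flagged.
        (root / "index.php").write_text("<?php\necho 'hello';\n$name = $_POST['name'];\n")
        (root / "upload").mkdir()
        (root / "upload" / "img.php").write_text("<?php @eval($_POST['pw']);?>")
        (root / "debug.aspx").write_text('<%@ Page Language="Jscript"%><%eval(Request.Item["pw"],"unsafe");%>')
        return scan_webroot(root)


if __name__ == "__main__":
    for rel_path, hits in sorted(demo_webroot().items()):
        print(f"{rel_path}: {', '.join(hits)}")
```

Pair the content hit with the file's modification time and the web server's access log for that path: a tiny, recently created script receiving only POST requests is the pattern that matters. The signatures cover only the two variants the article names; classic ASP or obfuscated variants need further rules.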
Talos observed China Chopper in a few cyber espionage campaigns. The tool was used in a campaign targeting an Asian government organization. In the observed campaign, China Chopper was installed on web servers used to store confidential documents. The attackers’ goal was to obtain documents and database copies, which were automatically compressed using WinRAR.
Image 3: Command for WinRAR
China Chopper was also observed in a campaign targeting an organization in Lebanon. The campaign involved an auxiliary public website compromised by several attackers for different reasons. Talos Intelligence also observed China Chopper being used to compromise Asian web-hosting providers, with the most significant compromise involving several Windows servers over a 10-month period.
China Chopper has proven to be an effective entry point for attackers like Bronze Mohawk (APT40). It’s an old tool, but it has allowed threat actors to install additional tools such as further web shells. China Chopper is still being used by threat actors with varied goals because it’s easy to use and very hard to attribute to a specific group. Here is a list of other tools used by Bronze Mohawk (APT40):
The tool ShadowPad is a great example of the advanced nature of Chinese threat actors. In February 2022, researchers linked ShadowPad malware attacks to China’s civilian and military intelligence agencies. ShadowPad is a modular backdoor that’s recently been adopted by Chinese threat groups. According to a report by Secureworks, ShadowPad is decrypted in memory using a custom decryption algorithm.
“ShadowPad extracts information about the host, executes commands, interacts with the file system and registry, and deploys new modules to extend functionality." - Secureworks
ShadowPad is a remote access trojan that has been used by the government-sponsored threat group, Bronze Atlas (also known as APT41). The trojan maintains persistent access to compromised computers and executes arbitrary commands and next-stage payloads. So far, ShadowPad has been used in supply-chain attacks, distributed via NetSarang, ASUS, and CCleaner.
Bronze Atlas (APT41) was initially the only threat actor attributed to ShadowPad Malware attacks, but ShadowPad has been used by multiple Chinese threat actors since 2019. Secureworks attributed distinct activity clusters to Chinese nation-state groups that cooperate with the People’s Liberation Army Strategic Support Force (Chinese military).
Although Secureworks has not attributed the ShadowPad malware attacks to Bronze Mohawk (APT40), Bronze Mohawk has been linked to the Chinese military in the past. In 2016, an incident occurred that paralleled China’s cyber activities. According to Mandiant, a U.S. Navy unmanned underwater vehicle (UUV) was seized by China’s People’s Liberation Army Navy (PLAN). Within a year, Bronze Mohawk began targeting universities that conducted naval research while masquerading as a UUV manufacturer. Given the use of ShadowPad by other MSS-affiliated threat groups, there is a reasonable probability that Bronze Mohawk could have access to ShadowPad or a similar type of tool.
Advanced persistent threat (APT) actors like Bronze Mohawk (APT40) and Bronze Atlas (APT41) continue to use spear-phishing and social engineering techniques to gain access to systems and networks for the purpose of stealing sensitive information. Their motives are varied and can include anything from trying to gain a competitive advantage to gathering information they can later use to carry out attacks for financial gain.
Although APT attacks can be difficult to attribute, data theft can still be detected. Unfortunately, data theft is sometimes the only clear indicator an organization has to lean on when it is under cyber attack. There are two ways that your organization can recognize APTs in its networks and systems:
Your organization can detect advanced persistent threats by remembering the following:
Bronze Mohawk’s espionage activities targeting the U.S. and Western Europe are concerning. Although the threat actor has not made any large waves recently, the fact that they have access to remote access Trojans, such as ShadowPad, is enough to stay guarded. If you implement cyber security best practices and remain alert, then you can help keep your organization safe from APTs like Bronze Mohawk.
Once an APT like Bronze Mohawk (APT40) is inside a network, it can gain broad access to conduct further reconnaissance. Chinese APTs are some of the world’s oldest and most skilled when it comes to cyber espionage. Avertium is here to keep your organization safe and to mitigate any attacks caused by Chinese APTs like Bronze Mohawk:
Avertium endorses the following recommendations issued by CISA:
[T1583.001] Acquire Infrastructure: Domains
[T1585.002] Establish Accounts: Email Accounts
[T1585.001] Establish Accounts: Social Media Accounts
[T1133] External Remote Services
[T1566.001] Phishing: Spearphishing Attachment
[T1566.002] Phishing: Spearphishing Link
[T1190] Exploit Public-Facing Application
Bronze Mohawk (APT40)
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.
COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.