Active since 2009, the Chinese threat actor Bronze Mohawk (also known as APT40) has targeted companies, universities, and government organizations across a wide range of industries. The maritime research, robotics, and biomedical industries have all been victims of Bronze Mohawk, and the threat actor has focused its attacks on the U.S., Canada, Europe, the Middle East, and the South China Sea region.
In July 2019, an indictment against Bronze Mohawk was unsealed by the U.S. Department of Justice. The indictment involved the state-sponsored threat actors using Hainan Xiandun Technology Development Company (Hainan Xiandun) as a front for their malicious cyber activities. Due to Bronze Mohawk’s activities, trade secrets, intellectual property, and other sensitive information have been stolen from organizations within the U.S., as well as from foreign governments.
Today, Bronze Mohawk is keeping a low profile, but a recent discovery may link the threat actors to recent malware attacks. Let’s take a look at Bronze Mohawk and why we need to keep a watchful eye on cyber espionage.
Bronze Mohawk (APT40)
Bronze Mohawk goes by several names, including FeverDream, APT40, G0065, Gadolinium, GreenCrash, Hellsing, Kryptonite Panda, Leviathan, MUDCARP, Periscope, Temp.Periscope, and Temp.Jumper. In July 2019, four members of the group were charged with attacking governments, universities, and various companies across the globe on behalf of the Chinese government.
The four suspects were part of a much larger operation that set up a company (Hainan Xiandun) as a front for its attack campaigns. According to the Intrusion Truth blog, Hainan Xiandun was under the direction of the Chinese Ministry of State Security (MSS), and an employee, Wu Shurong, worked as a hired hacker for the company. Wu Shurong created malware and used it to compromise computer systems belonging to universities, governments, and companies.
The other three suspects, Ding Xiaoyang, Cheng Qingmin, and Zhu Yunmin, were MSS officers who worked for the Hainan provincial department. The U.S. alleged that the MSS has directed Bronze Mohawk’s attack campaigns since 2011, directing the group to steal confidential business information for dissemination in China.
Tactics & Techniques
To access and operate their malware and hacking infrastructure, Bronze Mohawk (APT40) used the Tor network, and they often used email, GitHub, domains, servers, and Dropbox accounts to deploy their malware. GitHub was used to store malware as well as stolen data, with the stolen data concealed via steganography. Steganography is the practice of hiding a secret message inside something that isn’t secret. In Bronze Mohawk’s case, they hid stolen information in images, most of which portrayed U.S. President Donald Trump.
Between 2011 and 2018, Bronze Mohawk (APT40) was actively breaching targets in Cambodia, Germany, Indonesia, Malaysia, Norway, the U.S., South Africa, the United Kingdom, Austria, Saudi Arabia, and Switzerland. The confidential information the threat actor stole includes specialty chemical formulas, sensitive technologies used for submersible and autonomous vehicles, and trade secrets related to proprietary genetic sequencing. Bronze Mohawk (APT40) also stole data from research institutes and universities, including research related to MERS, Marburg, Ebola, and tularemia.
According to the Department of Justice, the data was given to China to aid in securing contracts for state-owned enterprises within targeted countries, resulting in better contract bids for Chinese companies and gaining an edge on competitors. Hainan Xiandun was used in collaboration with Bronze Mohawk (APT40) and university staff to recruit hackers and linguists from the universities’ ranks to assist in potential intrusions.
Bronze Mohawk (APT40) used several tactics and techniques, as well as a large library of custom and open-source malware, to gain initial access via user and administrator credentials. Those tactics and techniques also enabled lateral movement once inside a network and let the group locate valuable assets for data exfiltration. The tool frameworks and malware Bronze Mohawk used to accomplish their goals include:
- Using steganography to hide stolen data inside other files stored on GitHub
- Use of domain typosquatting for C2 infrastructure
- Protocol impersonation by using API keys for Dropbox accounts in commands to upload stolen data to make it appear that the activity was legitimate use of the Dropbox service
- Protocol tunneling and multi-hop proxies including the use of Tor
- Archive, encrypt, and stage collected data locally and remotely for exfiltration
- Exfiltration over C2 channel (source: CISA)
In September 2017, Proofpoint observed spearphishing emails from a group targeting a U.S. shipbuilding company, as well as a U.S. university research center with ties to the military. The emails contained “Apply for Internship Position” in the subject and an attachment titled “resume.rtf”. A second attachment was titled “ARLUAS_FieldLog_2017-08-21.doc” and contained “Torpedo recovery experiment” as bait.
The spearphishing campaigns primarily targeted organizations around the South China Sea. Bronze Mohawk (APT40) was discovered to be behind the attacks, using Microsoft Excel and Word documents with macros to target an international law firm, as well as the Philippines Department of Justice. The backdoor Bronze Mohawk used supports the following capabilities:
- Information gathering (IE version, OS version, OS 64-bit/32-bit, etc.)
- Overwriting registry settings to reduce malware visibility on system
- Download file
- Upload file
- Execute a command with cscript
- Execute shell command
- Execute a dll (via an embedded ‘MockDll')
- Get proxy info
- Get process list
- Terminate process
- Get drive info
- GET request to a URL
- POST request to a URL
Image 1: Email Sent with Malicious Intent to a Well-known Shipbuilder
According to Talos Intelligence, one tool that Bronze Mohawk (APT40) used heavily is China Chopper, a web shell that lets the attackers remotely control a target system; the target must be running a web server application before the tool can be used against it. Various state-sponsored threat actors have used the tool, and Talos Intelligence observed Internet Information Services (IIS) and Apache web servers compromised with China Chopper web shells. However, there is no data that reveals how the web shell was installed.
How Does China Chopper Work?
China Chopper is a publicly available hacking tool. Threat actors are provided with a GUI that allows them to configure servers to connect to, as well as generate the server-side code that must be added to the targeted website’s code for the two sides to communicate. The server-side component is a single line of code, and the backdoor supports .NET Active Server Pages (ASPX) or PHP.
Image 2: China Chopper GUI
Researchers aren’t sure whether the simplicity of the server code was an intentional decision by the China Chopper developers to make detection more difficult. Additionally, researchers found a remote shell (Virtual Terminal) function in China Chopper whose initial suggested command is ‘netstat -an|find "ESTABLISHED"’.
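Because the server side is a single eval-of-request-parameter line, a defender can look for that shape directly on an IIS or Apache host. The scanner below is an added example (not Avertium’s, Talos’s, or the tool’s own code) that walks a web root and reports files matching the PHP and ASPX idioms; the sample files it creates are constructed for the demo, and the signature labels are this example’s own names.

```python
"""Scan a web root for the one-line, eval-of-request-parameter server side that
China Chopper relies on. Added example; not Avertium's or Talos's code."""
import re
import tempfile
from pathlib import Path

# Label and pattern. Legitimate application code almost never evaluates a raw
# request parameter, so the shape itself is the signal, whatever the parameter name.
SIGNATURES = [
    ("php_eval_request",
     re.compile(rb"\beval\s*\(\s*\$_(POST|REQUEST|GET)\s*\[", re.I)),
    ("aspx_eval_request",
     re.compile(rb'\beval\s*\(\s*Request\.Item\s*\[[^\]]*\]\s*,\s*"unsafe"', re.I)),
]
WEB_EXTENSIONS = {".php", ".phtml", ".asp", ".aspx", ".ashx"}


def scan_bytes(content: bytes) -> list:
    """Labels of every signature that matches this file's content."""
    return [label for label, pat in SIGNATURES if pat.search(content)]


def scan_webroot(root) -> list:
    """Walk root and return [(relative_path, labels)] for matching files only."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in WEB_EXTENSIONS:
            labels = scan_bytes(path.read_bytes())
            if labels:
                hits.append((path.relative_to(root).as_posix(), labels))
    return hits


def demo() -> list:
    """Build a constructed web root in a temp directory and scan it."""
    root = Path(tempfile.mkdtemp())
    (root / "uploads").mkdir()
    # Benign: reads a POST field but never evaluates it as code.
    (root / "index.php").write_bytes(
        b"<?php $u = $_POST['user']; echo htmlspecialchars($u); ?>")
    # Constructed positives in the shape the tool's server side uses.
    (root / "uploads" / "img.php").write_bytes(b"<?php @eval($_POST['k']); ?>")
    (root / "Default.aspx").write_bytes(
        b'<%@ Page Language="Jscript"%><%eval(Request.Item["k"],"unsafe");%>')
    return scan_webroot(root)


if __name__ == "__main__":
    for rel, labels in demo():
        print(f"{rel}: {', '.join(labels)}")
```

A match is a lead, not a verdict: confirm with the file’s creation time, the web server’s access log for requests to that path, and the account that wrote it.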
Talos observed China Chopper in a few cyber espionage campaigns. The tool was used in a campaign targeting an Asian government organization. In the observed campaign, China Chopper was installed on web servers used to store confidential documents. The attackers’ goal was to obtain documents and database copies, which were automatically compressed using WinRAR.
Image 3: Command for WinRAR
China Chopper was also observed in a campaign targeting an organization in Lebanon. The campaign involved an auxiliary public website compromised by several attackers for different reasons. Also, Talos Intelligence observed China Chopper being used to compromise Asian web-hosting providers – with the most significant compromise involving several Windows servers over a 10-month period.
China Chopper has proven to be an effective entry point for attackers like Bronze Mohawk (APT40). It’s an old tool, but it has allowed threat actors to install additional tools such as other web shells. China Chopper is still used by threat actors with various goals because it’s easy to use and very hard to tie to a specific group. Other tools used by Bronze Mohawk (APT40) include:
- Cobalt Strike
- Derusbi Trojan
ShadowPad Malware Attacks
The ShadowPad tool is a good example of the advanced nature of Chinese threat actors. In February 2022, researchers linked ShadowPad malware attacks to China’s civilian and military intelligence agencies. ShadowPad is a modular backdoor that has recently been adopted by several Chinese threat groups. According to a report by Secureworks, ShadowPad is decrypted in memory using a custom decryption algorithm.
“ShadowPad extracts information about the host, executes commands, interacts with the file system and registry, and deploys new modules to extend functionality.” - Secureworks
ShadowPad is a remote access trojan that has been used by the government-sponsored threat group Bronze Atlas (also known as APT41). The trojan maintains persistent access to compromised computers and executes arbitrary commands and next-stage payloads. So far, ShadowPad has been used in supply-chain attacks distributed via NetSarang, ASUS, and CCleaner.
Bronze Atlas (APT41) was initially the only threat actor attributed to ShadowPad Malware attacks, but ShadowPad has been used by multiple Chinese threat actors since 2019. Secureworks attributed distinct activity clusters to Chinese nation-state groups that cooperate with the People’s Liberation Army Strategic Support Force (Chinese military).
Although Secureworks has not attributed the ShadowPad malware attacks to Bronze Mohawk (APT40), Bronze Mohawk has been linked to the Chinese military in the past. In 2016, an incident occurred that paralleled China’s cyber activities. According to Mandiant, a U.S. Navy unmanned underwater vehicle (UUV) was seized by China’s People’s Liberation Army Navy (PLAN). Within one year, Bronze Mohawk began targeting universities that conducted naval research, while masquerading as a UUV manufacturer. Given the use of ShadowPad by other MSS-affiliated threat groups, there is a reasonable probability that Bronze Mohawk could have access to ShadowPad or a similar type of tool.
Advanced persistent threat (APT) actors like Bronze Mohawk (APT40) and Bronze Atlas (APT41) continue to use spear-phishing and social engineering techniques to gain access to systems and networks for the purpose of stealing sensitive information. Their motives are varied and can include anything from trying to gain a competitive advantage to gathering information they can use to later carry out attacks for financial gain.
Although APT attacks can be difficult to attribute, data theft can still be detected. Unfortunately, data theft may sometimes be the only clear indicator an organization has to lean on when it is under cyber attack. Two characteristics can help your organization recognize APTs in its networks and systems:
- APT attacks are often carried out in multiple phases, following the same sequence of gaining access and then maintaining access. The attackers will also attempt to remain undetected in the victim’s network until their goals are accomplished.
- APTs establish multiple points of compromise. They will attempt to establish several entry points into their targeted networks, enabling them to retain access even after malicious activity is noticed and incident response is triggered.
Your organization can detect advanced persistent threats by remembering the following:
- Unusual account activity needs to be investigated immediately.
- APTs use Trojan horse malware as a backdoor.
- Odd database activity, for example a spike in database operations involving increased data reads, should be investigated immediately.
- Unusual data files can indicate data that has been bundled into files to assist with exfiltration.
Bronze Mohawk’s espionage activities targeting the U.S. and Western Europe are concerning. Although the threat actor has not made any large waves recently, the fact that they have access to remote access Trojans, such as ShadowPad, is enough to stay guarded. If you implement cyber security best practices and remain alert, then you can help keep your organization safe from APTs like Bronze Mohawk.
How Avertium is Protecting Our Customers
Once an APT like Bronze Mohawk (APT40) is inside a network, it can gain unrestricted access for further reconnaissance. Chinese APTs are some of the world’s oldest and most skilled when it comes to cyber espionage. Avertium is here to keep your organization safe and to mitigate any attacks caused by Chinese APTs like Bronze Mohawk:
- To identify the source of your breach and the scope it reached, you’ll want to include Avertium’s DFIR (Digital Forensics and Incident Response) services in your protection plan. We offer DFIR to mitigate damage from a successful breach. This service is provided as an on-demand crisis response service, as well as a retainer-based program.
- Implement XDR as a prevention method. Our XDR is a combination of monitoring software like LogRhythm, Microsoft Azure Sentinel, or AlienVault, combined with endpoint protection such as SentinelOne. XDR platforms enable cybersecurity through a technology focus by collecting, correlating, and analyzing event data from any source on the network. This includes endpoints, applications, network devices, and user interactions.
- MDR provides an in-depth investigation into potential threats on an organization’s network. Avertium’s risk-based approach to managed security delivers the right combination of technology, field-validated threat intelligence, and resource empowerment to reduce complexity, streamline operations, and enhance cybersecurity resilience. If you need a more advanced security solution, MDR is the next step. MDR is an outsourced security control solution that includes the elements of EDR, enhanced with a range of fundamental security processes.
- Avertium offers VMaaS to provide a deeper understanding and control over organizational information security risks. If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap.
Avertium endorses the following recommendations issued by CISA:
- Maintain up-to-date antivirus signatures and engines.
- Keep operating system patches up to date.
- Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators’ group unless required.
- Enforce a strong password policy and implement regular password changes.
- Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
- Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
- Disable unnecessary services on agency workstations and servers.
- Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
- Monitor users' web browsing habits; restrict access to sites with unfavorable content.
- Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
- Scan all software downloaded from the Internet prior to executing.
- Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).
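The "true file type" check above, and the earlier point about stolen data hidden inside images on GitHub, both come down to reading a file’s bytes instead of trusting its name. This added example (not Avertium’s or CISA’s code) identifies a file by its header, flags an extension that contradicts it, and measures any data appended after a PNG or JPEG end marker; the appended-data check is one common hiding technique and is an assumption here, since the report does not say which steganography method Bronze Mohawk used. The sample files are constructed.

```python
"""Check a file's true type from its header bytes and look for data appended
after an image's end marker. Added example; not Avertium's or CISA's code."""

# Header ("magic") bytes of common formats; the values are the published ones.
MAGIC = [
    (b"Rar!\x1a\x07\x00", "rar"),        # RAR 1.5 - 4.x
    (b"Rar!\x1a\x07\x01\x00", "rar"),    # RAR 5.x
    (b"PK\x03\x04", "zip"),              # ZIP, also the docx/xlsx container
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "doc"),  # OLE compound file (legacy .doc/.xls)
    (b"{\\rtf", "rtf"),
    (b"%PDF", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"MZ", "exe"),                      # Windows PE executable
]
ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip"}


def true_file_type(data: bytes) -> str:
    """Type implied by the header, or 'unknown' if no magic matches."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_mismatch(filename: str, data: bytes):
    """Return the real type when it contradicts the extension, else None."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = ALIASES.get(ext, ext)
    actual = true_file_type(data)
    return None if actual in ("unknown", ext) else actual


def trailing_bytes(data: bytes) -> int:
    """Bytes appended after a PNG IEND chunk or JPEG EOI marker.
    Image decoders stop at the end marker, so anything after it is invisible
    in a viewer; appending data there is one simple hiding place (assumed
    technique; the report does not say which method Bronze Mohawk used)."""
    kind = true_file_type(data)
    if kind == "png":
        end = data.find(b"IEND")
        return 0 if end < 0 else len(data) - (end + 4 + 4)  # chunk type + CRC
    if kind == "jpg":
        end = data.rfind(b"\xff\xd9")  # heuristic: a payload may itself contain FF D9
        return 0 if end < 0 else len(data) - (end + 2)
    return 0


# Constructed samples: a minimal PNG (signature + empty IEND chunk) and the
# same file with six bytes appended.
PNG_CLEAN = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x00IEND\xaeB`\x82"
PNG_APPENDED = PNG_CLEAN + b"secret"

if __name__ == "__main__":
    print(extension_mismatch("resume.rtf", b"MZ\x90\x00"))  # exe hiding as rtf
    print(trailing_bytes(PNG_APPENDED))                       # 6
```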
- [T1583.001] Acquire Infrastructure: Domains
- [T1585.002] Establish Accounts: Email Accounts
- [T1585.001] Establish Accounts: Social Media Accounts
- [T1133] External Remote Services
- [T1566.001] Phishing: Spearphishing Attachment
- [T1566.002] Phishing: Spearphishing Link
- [T1190] Exploit Public-Facing Application
Indicators of Compromise (IoCs)
Bronze Mohawk (APT40)
- Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department | CISA
- MAR-10331466-1.v1: China Chopper Webshell | CISA
- China Chopper still active 9 years later | Cisco Talos Intelligence Group
- What is advanced persistent threat (APT)? Definition from SearchSecurity | TechTarget
- APT40: Examining a China-Nexus Espionage Actor | Mandiant
- US indicts four members of Chinese hacking group APT40 | The Record by Recorded Future
- ShadowPad Malware Analysis | Secureworks
- HainanXiandun | Intrusion Truth (wordpress.com)
- Leviathan: Espionage actor spearphishes maritime and defense targets | Proofpoint US
- Researchers Link ShadowPad Malware Attacks to Chinese Ministry and PLA | The Hacker News
APPENDIX II: Disclaimer
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.
COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.