A hacking group with suspected ties to the Chinese government is targeting government officials in several countries with malware that can log keystrokes and capture screen images, according to a cybersecurity vendor.
The hacking group, called Bronze President or Mustang Panda, is using a version of PlugX, a 14-year-old piece of malware, to target government officials in Europe, the Middle East, and South America, said researchers with Secureworks.
The malware can be distributed by email and is buried deep in a Windows subfolder when installed, the company said. In addition, Bronze President appears to also be staging the malware on Google Drive and sending targeted victims links to the file, said Don Smith, vice president of threat intelligence for the Secureworks Counter Threat Unit.
“In both scenarios, the attacker relies on duping the recipient into running the malware,” Smith told the Washington Examiner.
The hacking group, allegedly sponsored by the Chinese government, appears to be looking for political documents and is focused on intelligence collection, Secureworks researchers wrote in a blog post. “The threat group consistently targets China’s neighbors such as Myanmar and Vietnam,” they added. “However, its collection requirements can change quickly and are often driven by geopolitical events such as the war in Ukraine.”
Secureworks recommended that organizations, particularly government agencies, in “geographic regions of interest to China” should closely monitor Bronze President’s activities.
It’s unclear how closely Bronze President is tied to the Chinese government, but there appears to be a strong link, said Sanjay Raja, vice president of product marketing and solutions at cybersecurity vendor Gurucul.
It’s a hacking group with either “direct ties or at least authorization to operate by the Chinese government,” Raja told the Washington Examiner. “As with many state-sponsored threat actor groups, there are gray lines between whether they are a direct arm, staffed partially, staffed by previous employees, contracted out by, or tolerated by government officials.”
In some cases, the attackers may be looking for human intelligence that can be used to recruit would-be spies for the Chinese government, said Lionel Sigal, head of cyber threat intelligence at cybersecurity firm CYE. In other cases, the hackers may be gathering information that can later be used for extortion, humiliation, or creating fear in the victim, he added. For example, Iranian hackers recently published the medical records of the head of Israel’s Mossad intelligence agency.
PlugX, meanwhile, is often distributed through phishing campaigns, Raja said. Once activated on a victim’s computer, it can be used to hijack programs there.
In the past, Bronze President has focused on gathering intelligence about China’s neighbors, including Mongolia and Myanmar, noted Anurag Gurtu, chief product officer of StrikeReady, a cybersecurity vendor. The group has used a variety of malware tools over the years.
The group’s targets tend to be any organization that Chinese intelligence believes is an important target, Raja said. Bronze President “simply has to get a well-crafted phishing email executed by an unsuspecting user, and they are off to the races,” Raja said. “This puts the burden on security teams with having to detect, investigate, and validate the attack as soon as possible before data is identified and exfiltrated and … stop the siphoning of information as quickly as possible.”
To protect themselves, organizations should deploy sophisticated cybersecurity tools, Gurtu told the Washington Examiner.
“In order to quickly assess their security gaps and apply mitigations, organizations should subscribe to services or technologies that offer attack campaign detection and breach simulation and assessment capabilities,” he said. “Employees should also be trained to refrain from opening suspicious emails and keep their systems updated.”