Chinese Tonto APT team steps up spy operations against Russia

Representing a significant increase in activity, a China-linked campaign began targeting Russia-linked organizations in June with malware designed to gather intelligence on government activities, according to analyses by security firms and the Ukrainian Computer Emergency Response Team (CERT).

The attacks use purported government notices sent as Rich Text Format (RTF) files to convince victims to open the documents, which then trigger a Remote Code Execution (RCE) exploit in Microsoft Office. That’s according to endpoint security firm SentinelOne, which said in an analysis released Thursday that the documents appear to be security warnings written in Russian. They claim to warn agencies and infrastructure providers of potential attacks and inform them of compliance requirements under Russian law.
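For defenders triaging inbound documents like the ones described above, the following Python script is an added example (not code from SentinelOne or the article) that scans an RTF file for the traits a weaponized lure typically carries: a non-canonical `{\rt` header that Word still accepts, embedded OLE objects (`\objclass` / `\objdata`), an OLE compound-file signature inside the hex-encoded object data, and unusually large object blobs. The sample RTF, the object class name and the size threshold are constructed for the demonstration and are not indicators from the campaign.

```python
import re
from dataclasses import dataclass, field

# Magic bytes of an OLE compound file (what Office object data usually wraps).
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")

# Constructed sample: a short "notice" body followed by an embedded OLE object.
# The hex payload is filler around the OLE header, not a real object stream.
SAMPLE_RTF = (
    rb"{\rtf1\ansi\deff0 {\fonttbl{\f0 Times New Roman;}}"
    rb"\f0\fs24 Security notice: please review the attached requirements.\par "
    rb"{\object\objemb{\*\objclass Word.Document.8}"
    rb"{\*\objdata 0105000002000000d0cf11e0a1b11ae1"
    + b"00" * 6000
    + rb"}}}"
)


@dataclass
class RtfFinding:
    rule: str
    detail: str


@dataclass
class RtfReport:
    is_rtf: bool
    object_classes: list = field(default_factory=list)
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


# \*\objclass <ProgID>}  and  \*\objdata <hex...>}
_OBJCLASS_RE = re.compile(rb"\\\*\\objclass\s+([^}]+)}")
_OBJDATA_RE = re.compile(rb"\\\*\\objdata\s*([0-9A-Fa-f\s]+)}")


def _hex_to_bytes(blob: bytes) -> bytes:
    """Decode the whitespace-tolerant hex dump used by \\objdata."""
    clean = re.sub(rb"\s+", b"", blob)
    if len(clean) % 2:          # tolerate a truncated trailing nibble
        clean = clean[:-1]
    try:
        return bytes.fromhex(clean.decode("ascii"))
    except ValueError:
        return b""


def triage_rtf(data: bytes, large_object_bytes: int = 4096) -> RtfReport:
    """Return an RtfReport describing embedded-object indicators in an RTF file."""
    head = data.lstrip()[:6].lower()
    # Word accepts any header beginning with "{\rt", so treat that as RTF too.
    report = RtfReport(is_rtf=head.startswith(b"{\\rt"))
    if not report.is_rtf:
        return report

    if not head.startswith(b"{\\rtf1"):
        report.findings.append(RtfFinding(
            "malformed-header",
            "header is not the canonical {\\rtf1; parsers may disagree with Word"))

    for m in _OBJCLASS_RE.finditer(data):
        report.object_classes.append(m.group(1).strip().decode("latin-1"))

    for i, m in enumerate(_OBJDATA_RE.finditer(data)):
        payload = _hex_to_bytes(m.group(1))
        report.findings.append(RtfFinding(
            "embedded-object", f"object #{i}: {len(payload)} bytes of \\objdata"))
        if OLE_MAGIC in payload:
            report.findings.append(RtfFinding(
                "ole-compound-file", f"object #{i} contains an OLE compound-file header"))
        if len(payload) >= large_object_bytes:
            report.findings.append(RtfFinding(
                "large-object", f"object #{i} exceeds {large_object_bytes} bytes"))
    return report


if __name__ == "__main__":
    rep = triage_rtf(SAMPLE_RTF)
    print("RTF:", rep.is_rtf, "| suspicious:", rep.suspicious)
    print("object classes:", rep.object_classes)
    for f in rep.findings:
        print(f"  [{f.rule}] {f.detail}")
```

A plain text-only RTF produces no findings, so the report is usable as a mail-gateway or sandbox pre-filter: anything with embedded objects gets routed to deeper analysis rather than delivered. The rules are deliberately structural (they do not depend on a specific exploit) so they keep working when the builder toolkit changes its payload.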

Escalation of cyberattacks against Russia

While China has targeted Russia in the past, and vice versa, the pace of attacks — especially by the alleged threat actor Tonto Team — increased after Russia’s invasion of Ukraine, says Tom Hegel, lead threat researcher at SentinelOne.

“Tonto Team, like other Chinese players, has been targeting Russia for a long time,” he says. “What we’re seeing here is a potential increase in the Chinese government’s demands for intelligence gathering from inside Russia. Perhaps an increased prioritization or expansion of resources assigned to such tasks.”

The reported increase in Chinese cyber operations comes as Russia has strengthened diplomatic ties with China in the face of sanctions from Western countries. Although the two great nations are not formal allies, they have expanded trade and defense ties over the past decade to thwart expanding Western alliances.

Figure: Delivery timeline of malicious documents in the latest Tonto Team attacks. Source: SentinelOne

Furthermore, the two countries take different approaches to pursuing their foreign policy goals. Russia has tacitly allowed cybercriminal gangs to operate on its territory and has also widely used cyber operations to steal intelligence and attack infrastructure, as well as to complement military operations. For example, Russia has used disinformation campaigns, infrastructure attacks and espionage operations in its conflict with Ukraine.

China, which has benefited greatly from economic relations with Western nations, has mainly pursued non-military approaches to international relations and used cyber operations to acquire intellectual property and conduct espionage operations. Treating Russia like any other adversary shows consistency, says SentinelOne’s Hegel.

It’s “just China coping in these uncertain times,” he says. “Like any nation with sufficient resources, they seek to support their own agenda through cyber, and the situation in Russia may be adjusting exactly what they prioritize.”

Technical breadcrumb points to China

Recent campaigns have used two malware tools associated with Chinese Advanced Persistent Threat (APT) groups: Royal Road, a toolkit used to create malicious documents, and Bisonal, a custom Remote Access Trojan (RAT) used by Chinese actors. Tonto Team – also known as Karma Panda and Bronze Huntley – has traditionally focused on other Asian countries, such as South Korea and Japan, as well as the United States and Taiwan. Recently, the group has expanded its operations to Russia, Pakistan and other countries.

While false flag operations, where an adversary attempts to disguise their operations as another attacker, have occurred, various evidence links the attacks to China.

At least seven threat groups – all linked to China – are using Royal Road to create malicious documents as the initial stage of an attack to gain access to targeted systems. In April, for example, cyber-threat intelligence firm DomainTools analyzed a document created with the Royal Road toolkit that had the characteristics of a Chinese espionage campaign and targeted a Russian research organization working on submarine and weapons development.

“Combined with the sensitive targeting and ultimate payload hardening attempts, it appears the adversary has gone to great lengths to evade analysis of its activity as well,” the analysis reads. “While this campaign appears to be specifically targeted at an entity in the Russian Federation, the underlying behaviors of this campaign – from the use of malicious documents to binary execution safeguards and checks – provide useful insights into adversary trades from which all defenders can learn valuable lessons.”

Additionally, Bisonal is used exclusively by Chinese groups, according to the analyses.

Businesses should take note that nation-state attacks can often affect private businesses. The SentinelOne advisory contains indicators of compromise (IoCs) for the latest campaigns, and DomainTools highlights various countermeasures to detect and mitigate cyber espionage attacks.

Organizations should use intelligence to verify their own defenses against similar attacks, says SentinelOne’s Hegel.

“Targets of espionage or disruption in today’s world are not insulated from government networks, but may spill over or directly affect private companies simply because of their stance on a political issue or their location of operation,” he said. “As we observed when Ukraine was invaded, things can change overnight – so CISOs need to remain aware of this activity as we continue to live with such geopolitical tension.”