In June 2022, the advanced persistent threat (APT) group known as Tonto Team attempted to breach the cybersecurity firm Group-IB, although the attack was thwarted. Based in Singapore, Group-IB reported that it successfully detected and blocked a wave of phishing emails aimed at its employees, marking the second attempt on the company following an earlier incident in March 2021.

Tonto Team, which is also known by various aliases including Bronze Huntley and Karma Panda, is believed to be a Chinese hacking collective linked to a broad spectrum of cyber incidents across Asia and Eastern Europe. Since at least 2009, this group has allegedly maintained associations with elements of the Chinese military, specifically the Third Department of the People’s Liberation Army.

The attack utilized spear-phishing techniques, featuring malicious email attachments crafted with the Royal Road Rich Text Format (RTF) exploitation toolkit to deploy backdoors such as Bisonal and Dexbia. This method underscores the group’s strategic focus on leveraging legitimate corporate email addresses—often obtained through prior phishing—to enhance the success rate of their assaults, a trend noted by Trend Micro in their 2020 analysis.

In their previous exploits, Tonto Team has shown a capacity to capitalize on vulnerabilities like the ProxyLogon flaws within Microsoft Exchange Server, targeting cybersecurity firms and procurement companies primarily situated in Eastern Europe. The group’s activities intensified around the time of the Russian military invasion of Ukraine, where they directed their efforts at Russian scientific and governmental institutions, employing the Bisonal malware to facilitate intrusions.

The recent attempt against Group-IB mirrored these strategies, employing both the Royal Road weaponizer and malicious Office documents to deploy malware. Researchers highlighted that Bisonal grants the attacker remote access to compromised machines, allowing them to execute a range of commands undetected. Additionally, a previously unreported downloader named QuickMute was identified as instrumental in fetching further malware from an external server.
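The lure described above, a Royal Road RTF attachment arriving by spear-phishing, is the kind of thing a mail gateway can triage before it reaches an inbox. The following is an added defender-side example, not code from the article, from Group-IB or from any tool it names: it walks a MIME message, flags attachments whose bytes are RTF although they carry a Word extension, and notes RTF object-embedding control words. The sample message is constructed and the control-word list is a general heuristic for embedded objects, not an indicator taken from this incident.

```python
"""Attachment triage for RTF-based spear-phishing (added example)."""
import email
from email import policy

# Constructed sample: a ".doc" attachment whose content is RTF with an
# embedded OLE object. Values are made up for the example.
SAMPLE_EML = (
    "From: partner@example.invalid\r\n"
    "To: staff@example.invalid\r\n"
    "Subject: Contract draft\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
    "--b1\r\nContent-Type: text/plain\r\n\r\nPlease review.\r\n"
    "--b1\r\nContent-Type: application/msword; name=\"draft.doc\"\r\n"
    "Content-Disposition: attachment; filename=\"draft.doc\"\r\n\r\n"
    "{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objdata 0105000002000000}}}\r\n"
    "--b1--\r\n"
)

RTF_MAGIC = b"{\\rtf"
# Control words that introduce or update embedded objects in RTF
# (assumed heuristic list; tune it for your own environment).
OBJECT_TOKENS = (b"\\objupdate", b"\\objdata", b"\\objemb", b"\\objocx")


def triage_attachment(filename, data):
    """Return a list of findings for one attachment; empty means nothing noted."""
    findings = []
    if not data.lstrip().startswith(RTF_MAGIC):
        return findings  # only RTF content is examined here
    findings.append("rtf-content")
    if not filename.lower().endswith(".rtf"):
        findings.append("extension-mismatch")  # RTF bytes behind .doc/.docx etc.
    hits = [t.decode() for t in OBJECT_TOKENS if t in data]
    if hits:
        findings.append("embedded-object:" + ",".join(hits))
    return findings


def triage_message(raw):
    """Map each attachment filename in a raw RFC 5322 message to its findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    results = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        results[name] = triage_attachment(name, payload)
    return results


if __name__ == "__main__":
    print(triage_message(SAMPLE_EML))
```

A gateway would quarantine or sandbox anything that returns both `rtf-content` and an `embedded-object` finding rather than relying on the declared extension or MIME type.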

According to cybersecurity experts, the primary motives driving actions by Chinese APTs like Tonto Team revolve around espionage and intellectual property theft. The group is expected to continue probing the defenses of IT and cybersecurity companies, employing refined spear-phishing tactics and tailored documents to exploit known vulnerabilities efficiently.

As these attack vectors evolve, business owners must stay vigilant and proactive in their cybersecurity strategies, utilizing the MITRE ATT&CK framework to understand potential adversary tactics and defenses effectively. Through this lens, techniques such as initial access, persistence, and privilege escalation provide critical insights into how threats like Tonto Team might operate, underscoring the need for comprehensive security measures within organizations.
