Now on Demand Ransomware Resilience & Recovery Summit - All Sessions Available
Connect with us

Hi, what are you looking for?



Chinese Cyber-Espionage Group Targeted NGOs for Years

A cyber-espionage group supposedly linked to the Chinese government is targeting non-governmental organizations (NGOs) in South and East Asia, Secureworks has revealed.

A cyber-espionage group supposedly linked to the Chinese government is targeting non-governmental organizations (NGOs) in South and East Asia, Secureworks has revealed.

Referred to as BRONZE PRESIDENT, the group may have been active since at least 2014, also targeting political and law enforcement organizations and using both proprietary and publicly available tools to monitor the activity of targeted organizations, discredit their work, or steal their intellectual property.

The hackers use custom batch scripts to collect either specific file types or all files from a targeted NGO’s systems, as well as credentials from high-privilege network accounts and sensitive accounts, including social media and webmail.

Evidence suggests the group has been targeting political and law enforcement organizations in countries such as Mongolia and India. The hackers appear interested in national security, humanitarian, and law enforcement organizations in East, South, and Southeast Asia, Secureworks says.

BRONZE PRESIDENT targets NGOs that conduct research on issues relevant to China, the group’s infrastructure is linked to entities in China, a subset of the group’s operational infrastructure is linked to China-based Internet service providers, and the hackers leverage tools such as PlugX, which have historically been used by Chinese threat groups.

Although the group appears sponsored or at least tolerated by the Chinese government, its “systemic long-term targeting of NGO and political networks does not align with patriotic or criminal threat groups,” Secureworks researchers note.

On the compromised networks, the threat actor elevates privileges to admin level on all systems and installs remote access tools on most computers. The hackers are able to maintain access to the compromised networks for months or even years, the security researchers say.

BRONZE PRESIDENT is using a broad range of remote access tools, including some not previously seen by the researchers, but also widely available or modified open-source tools — either to hinder attribution or minimize the use of development resources.

Advertisement. Scroll to continue reading.

In addition to custom batch scripts, BRONZE PRESIDENT was observed using tools such as the Cobalt Strike penetration testing tool, the PlugX remote access trojan (RAT), ORat loader, the RCSession basic RAT, Nbtscan command-line tool, Nmap network scanning tool, and Wmiexec.

Other malware artifacts were found on systems compromised by the group, but there was no evidence that the hackers used the malware in their intrusions. One of these artifacts was related to the China Chopper malware, which was apparently installed on the compromised system in the timeframe that BRONZE PRESIDENT had access to that system.

Post-compromise tools observed on the hacked systems include a Powerview.ps1 (PowerShell-based module for network reconnaissance), PVE Find AD User (command-line tool to find login locations of Active Directory (AD) users), AdFind (command-line tool to conduct AD queries), NetSess (enumerates NetBIOS sessions), Netview (enumerates networks), and TeamViewer (remote control and desktop-sharing tool).

Some of the group’s command and control (C&C) servers were hosted on infrastructure owned by Dutch VPS provider Host Sailor, Hong Kong-based New World Telecoms, and Malaysia-based Shinjiru Technology.

On the compromised systems, BRONZE PRESIDENT targets specific data types (including doc, xls, xlsx, ppt, pptx, pdf, and txt) and uses custom batch scripts to create a list of files that are archived for exfiltration. One batch script can collect all files stored on a specific user’s desktop.

“BRONZE PRESIDENT has demonstrated intent to steal data from organizations using tools such as Cobalt Strike, PlugX, ORat, and RCSession. The concurrent use of so many tools during a single intrusion suggests that the group could include threat actors with distinct tactics, roles, and tool preferences. It is likely that BRONZE PRESIDENT has additional unobserved operational tools and capabilities,” Secureworks concludes.

Related: Chinese Hackers Targeted International Aerospace Firms for Years

Related: Chinese Cyberspies Use New Malware to Intercept SMS Traffic at Mobile Operators

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Bill Dunnion has joined telecommunications giant Mitel as Chief Information Security Officer.

MSSP Dataprise has appointed Nima Khamooshi as Vice President of Cybersecurity.

Backup and recovery firm Keepit has hired Kim Larsen as CISO.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.