CONFERENCE Watch Now: Threat Detection & Incident Response (TDIR) Summit - Watch Event On-Demand
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Cybersecurity Firm Group-IB Repeatedly Targeted by Chinese APT

Cybersecurity company Group-IB claims it was repeatedly targeted by a Chinese APT called Tonto Team, CactusPete, and Karma Panda.

Cybersecurity company Group-IB claims it was repeatedly targeted in the past years by a threat actor believed to be linked to the Chinese government.

In a blog post published on Monday, Group-IB said it was targeted by the advanced persistent threat (APT) group known as Tonto Team, Karma Panda, CactusPete, Bronze Huntley, Earth Akhlut and HeartBeat. 

The most recent attack was detected in June 2022, but an analysis revealed that Tonto Team also targeted the cybersecurity firm in 2021. The attack aimed at Group-IB involved emails carrying malicious attachments being sent to the company’s employees.

Tonto Team is believed to have been around since at least 2009, targeting military, diplomatic, and infrastructure entities in Asia and Eastern Europe. The cyberspies have often targeted Russian organizations, including government agencies.

Group-IB is based in Singapore, but it’s a Russian company at its heart. Last year, a few months after Russia launched its invasion of Ukraine, Group-IB announced that it would separate its Russian and international business into distinct companies. 

The June 2022 attack attributed to Tonto Team was detected by Group-IB’s solutions before the malicious emails were delivered to employees. The phishing emails, written in Russian, contained malicious Office documents created with a tool named Royal Road Weaponizer, which has widely been used by Chinese state-sponsored threat actors to deliver exploits.

An analysis of the incident revealed that the hackers attempted to use the Bisonal.DoubleT backdoor, which appears to be exclusively used by Tonto Team. 

The cybersecurity firm checked its logs and found evidence of another email attack likely carried out by the same Chinese group exactly one year earlier. 

Advertisement. Scroll to continue reading.

Group-IB also pointed out that Tonto Team was previously observed by ESET attacking an Eastern European consulting company specializing in software development and cybersecurity. 

“The main goal of Chinese APTs are espionage and intellectual property theft. Undoubtedly, Tonto Team will keep probing IT and cybersecurity companies by leveraging spear phishing to deliver malicious documents using vulnerabilities with decoys specially prepared for this purpose,” Group-IB said.

“Successful supply chain attacks against IT and cybersecurity companies give attackers access to a large number of victims’ customers and partners,” it added.

Related: Chinese APT ‘Bronze Starlight’ Uses Ransomware to Disguise Cyberespionage

Related: Belgium Says Chinese APTs Targeted Interior, Defense Ministries

Related: Play Ransomware Group Claims Attack on A10 Networks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Jeremy Koppen has left Mandiant after 13 years to become the CISO of Equifax.

Engineering and technology solutions provider Amentum has appointed Max Shier as its CISO.

PAM provider Keeper Security has appointed Shane Barney as its Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.