Cybersecurity Firm Group-IB Repeatedly Targeted by Chinese APT

Cybersecurity company Group-IB claims it was repeatedly targeted in the past years by a threat actor believed to be linked to the Chinese government.

In a blog post published on Monday, Group-IB said it was targeted by the advanced persistent threat (APT) group known as Tonto Team, Karma Panda, CactusPete, Bronze Huntley, Earth Akhlut and HeartBeat. 

The most recent attack was detected in June 2022, but an analysis revealed that Tonto Team also targeted the cybersecurity firm in 2021. The attack aimed at Group-IB involved emails carrying malicious attachments being sent to the company’s employees.

Tonto Team is believed to have been around since at least 2009, targeting military, diplomatic, and infrastructure entities in Asia and Eastern Europe. The cyberspies have often targeted Russian organizations, including government agencies.

Group-IB is based in Singapore, but it’s a Russian company at its heart. Last year, a few months after Russia launched its invasion of Ukraine, Group-IB announced that it would separate its Russian and international business into distinct companies. 

The June 2022 attack attributed to Tonto Team was detected by Group-IB’s solutions before the malicious emails were delivered to employees. The phishing emails, written in Russian, contained malicious Office documents created with a tool named Royal Road Weaponizer, which has widely been used by Chinese state-sponsored threat actors to deliver exploits.

An analysis of the incident revealed that the hackers attempted to use the Bisonal.DoubleT backdoor, which appears to be exclusively used by Tonto Team. 

The cybersecurity firm checked its logs and found evidence of another email attack likely carried out by the same Chinese group exactly one year earlier. 

Group-IB also pointed out that Tonto Team was previously observed by ESET attacking an Eastern European consulting company specializing in software development and cybersecurity. 

“The main goal of Chinese APTs are espionage and intellectual property theft. Undoubtedly, Tonto Team will keep probing IT and cybersecurity companies by leveraging spear phishing to deliver malicious documents using vulnerabilities with decoys specially prepared for this purpose,” Group-IB said.

“Successful supply chain attacks against IT and cybersecurity companies give attackers access to a large number of victims’ customers and partners,” it added.

Related: Chinese APT ‘Bronze Starlight’ Uses Ransomware to Disguise Cyberespionage

Related: Belgium Says Chinese APTs Targeted Interior, Defense Ministries

Related: Play Ransomware Group Claims Attack on A10 Networks