Inside a Chinese APT’s very flexible playbook

New research from Dell Secureworks is a reminder that adversaries will sooner dust off and refashion old tools than build new ones.

A maxim of cybersecurity holds that hackers will exert just enough resources to compromise a network or avoid detection. Why deploy new, top-shelf tools when you can just refashion old ones?

The strategy is on full display in research on a Chinese government-linked hacking group that Dell Technologies’ Secureworks published Wednesday. The hackers — categorized as an advanced persistent threat by researchers and usually labeled APT27 or Bronze Union — dusted off and upgraded a couple of long-available digital weapons to carry out intrusions in 2018, the report said.

“The threat actors have access to a wide range of tools, so they can operate flexibly and select tools appropriate for intrusion challenges,” the research says.

One remote access trojan (RAT) was developed over a decade ago, but Bronze Union added a packet redirection tool and digital certificates signed by two Chinese technology companies before deploying it last year, according to the research. The group also modified the well-known Gh0st RAT and used it on multiple systems to achieve its objective within a breached environment, Secureworks said.

“The fact that Secureworks observes the use of these tools nearly 13 years later by Bronze Union speaks to the effectiveness of this threat group,” Matthew Webster, senior security researcher at Secureworks Counter Threat Unit, told CyberScoop.

Bronze Union, the researchers said, was “one of the most prolific and active” hacking outfits they tracked in 2017 and 2018. In 2017, the group broke into a Mongolian national data center, allowing the hackers to plant malware on Mongolian government websites, CyberScoop has reported. And in the last three years, the group has targeted the networks of political, humanitarian, technology and manufacturing organizations, according to Secureworks.

The determination and ability to maintain prolonged access to a victim network is typical of hackers on a well-funded mission.

“After accessing a network, the threat actors are adept at circumventing common security controls, escalating privileges, and maintaining their access to high-value systems over long periods of time,” the Secureworks research says.

The report comes as the Trump administration has pressured China to curtail its alleged hacking for economic gain through a series of indictments and public condemnations. U.S. officials earlier this month warned companies about how another Chinese hacking group, known as APT10, has evolved in its alleged efforts to steal corporate data.

Written by Sean Lyngaas
