Skip to content

G0131 Tonto Team

Tonto Team is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. Tonto Team has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).123456

Item Value
ID G0131
Associated Names Earth Akhlut, BRONZE HUNTLEY, CactusPete, Karma Panda
Version 1.1
Created 05 May 2021
Last Modified 27 January 2022
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
Earth Akhlut 8
BRONZE HUNTLEY 9
CactusPete 1
Karma Panda 110

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Tonto Team has used PowerShell to download additional payloads.2
enterprise T1059.006 Python Tonto Team has used Python-based tools for execution.8
enterprise T1203 Exploitation for Client Execution Tonto Team has exploited Microsoft vulnerabilities, including CVE-2018-0798, CVE-2018-8174, CVE-2018-0802, CVE-2017-11882, CVE-2019-9489 CVE-2020-8468, and CVE-2018-0798 to enable execution of their delivered malicious payloads.1876
enterprise T1068 Exploitation for Privilege Escalation Tonto Team has exploited CVE-2019-0803 and MS16-032 to escalate privileges.8
enterprise T1210 Exploitation of Remote Services Tonto Team has used EternalBlue exploits for lateral movement.8
enterprise T1574 Hijack Execution Flow -
enterprise T1574.001 DLL Search Order Hijacking Tonto Team abuses a legitimate and signed Microsoft executable to launch a malicious DLL.2
enterprise T1105 Ingress Tool Transfer Tonto Team has downloaded malicious DLLs which served as a ShadowPad loader.2
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging Tonto Team has used keylogging tools in their operations.8
enterprise T1135 Network Share Discovery Tonto Team has used tools such as NBTscan to enumerate network shares.8
enterprise T1003 OS Credential Dumping Tonto Team has used a variety of credential dumping tools.8
enterprise T1069 Permission Groups Discovery -
enterprise T1069.001 Local Groups Tonto Team has used the ShowLocalGroupDetails command to identify administrator, user, and guest accounts on a compromised host.8
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Tonto Team has delivered payloads via spearphishing attachments.8
enterprise T1090 Proxy -
enterprise T1090.002 External Proxy Tonto Team has routed their traffic through an external server in order to obfuscate their location.8
enterprise T1505 Server Software Component -
enterprise T1505.003 Web Shell Tonto Team has used a first stage web shell after compromising a vulnerable Exchange server.2
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File Tonto Team has relied on user interaction to open their malicious RTF documents.87

Software

ID Name References Techniques
S0268 Bisonal 197 Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Visual Basic:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Standard Encoding:Data Encoding Data from Local System Deobfuscate/Decode Files or Information Dynamic Resolution Symmetric Cryptography:Encrypted Channel Exfiltration Over C2 Channel File and Directory Discovery File Deletion:Indicator Removal Ingress Tool Transfer Match Legitimate Name or Location:Masquerading Masquerading Modify Registry Native API Non-Application Layer Protocol Software Packing:Obfuscated Files or Information Obfuscated Files or Information Binary Padding:Obfuscated Files or Information Add-ins:Office Application Startup Spearphishing Attachment:Phishing Process Discovery Proxy Query Registry Rundll32:System Binary Proxy Execution System Information Discovery System Network Configuration Discovery System Time Discovery Malicious File:User Execution Time Based Evasion:Virtualization/Sandbox Evasion Virtualization/Sandbox Evasion
S0008 gsecdump 8 LSA Secrets:OS Credential Dumping Security Account Manager:OS Credential Dumping
S0349 LaZagne 8 Keychain:Credentials from Password Stores Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores /etc/passwd and /etc/shadow:OS Credential Dumping LSA Secrets:OS Credential Dumping LSASS Memory:OS Credential Dumping Proc Filesystem:OS Credential Dumping Cached Domain Credentials:OS Credential Dumping Credentials In Files:Unsecured Credentials
S0002 Mimikatz 1 SID-History Injection:Access Token Manipulation Account Manipulation Security Support Provider:Boot or Logon Autostart Execution Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores LSASS Memory:OS Credential Dumping DCSync:OS Credential Dumping Security Account Manager:OS Credential Dumping LSA Secrets:OS Credential Dumping Rogue Domain Controller Steal or Forge Authentication Certificates Silver Ticket:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets Private Keys:Unsecured Credentials Pass the Ticket:Use Alternate Authentication Material Pass the Hash:Use Alternate Authentication Material
S0590 NBTscan 8 Network Service Discovery Network Sniffing Remote System Discovery System Network Configuration Discovery System Owner/User Discovery
S0596 ShadowPad 1 File Transfer Protocols:Application Layer Protocol DNS:Application Layer Protocol Web Protocols:Application Layer Protocol Non-Standard Encoding:Data Encoding Deobfuscate/Decode Files or Information Domain Generation Algorithms:Dynamic Resolution Indicator Removal Ingress Tool Transfer Modify Registry Non-Application Layer Protocol Fileless Storage:Obfuscated Files or Information Obfuscated Files or Information Process Discovery Process Injection Dynamic-link Library Injection:Process Injection Scheduled Transfer System Information Discovery System Network Configuration Discovery System Owner/User Discovery System Time Discovery

References

  1. Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021. 

  2. Faou, M., Tartare, M., Dupuy, T. (2021, March 10). Exchange servers under siege from at least 10 APT groups. Retrieved May 21, 2021. 

  3. Nalani Fraser, Kelli Vanderlee. (2019, October 10). Achievement Unlocked - Chinese Cyber Espionage Evolves to Support Higher Level Missions. Retrieved October 17, 2021. 

  4. Sean Gallagher. (2017, April 21). Researchers claim China trying to hack South Korea missile defense efforts. Retrieved October 17, 2021. 

  5. Roland Dela Paz. (2003, January 3). The HeartBeat APT Campaign. Retrieved October 17, 2021. 

  6. Warren Mercer, Paul Rascagneres, Vitor Ventura. (2020, March 6). Bisonal 10 Years of Play. Retrieved October 17, 2021. 

  7. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022. 

  8. Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021. 

  9. Secureworks. (2021, January 1). BRONZE HUNTLEY Threat Profile. Retrieved May 5, 2021. 

  10. Falcon OverWatch Team. (2020, July 14). Manufacturing Industry in the Adversaries’ Crosshairs. Retrieved October 17, 2021.