Chinese Threat Group Leaks Hacking Secrets in Failed AttackThe Tonto Team Used Spear-Phishing Emails to Target Group-IB Employees
An intercepted spear-phishing email reveals hacking techniques of the Chinese state-sponsored espionage threat actor known as Tonto Team, says analysis from threat intelligence firm Group-IB.
The security firm says a July 2022 Russian-language spear-phishing attempt on its own employees came from the Chinese threat actor, which historically targeted South Korea, Japan, Taiwan and the United States but expanded operations to include additional Asian and Eastern European countries.
Unclassified analysis by the U.S.-China Economic and Security Review Commission finds that Tonto Team may be a unit of the People's Liberation Army that on 2017 reportedly hacked several South Korean entities involved in deploying an American-made anti-ballistic missile defense system. Cybersecurity firm Eset in 2021 spotted it participating in the flood of Chinese state-sponsored hackers taking advantage of serious vulnerabilities in Microsoft Exchange. Malwarebytes over the summer found the group ramping up spying operations against Russian government agencies.
No single factor led Group-1B to conclude its phishing attempt came from the Tonto Group, but clues began to pile up. The decoy document attached to the phishing email contained metadata revealing the default language as "Chinese People's Republic of China." The attachment was a rich text format file created with the Royal Road RTF Weaponizer - a malware tool "mainly used by Chinese APT groups."
The malicious payload was a remote access backdoor that Group-IB found had startling similarities to a backdoor analyzed in 2020 by Kaspersky and attributed to the same Chinese-speaking cyberespionage group. Kaspersky tracks Tonto Team as CactusPete.
The network infrastructure behind the malware used an IP address previously seen in Tonto Team attacks. Kaspersky stated in an earlier report that the threat group also uses Mimikatz variants and keyloggers to harvest credentials and privilege escalation malware to gain unauthorized access to protected data (see: Hacking Group Targets European Banks, Military).