Story image

Chinese 'Bronze Butler' group suspected of stealing IP from Japan

17 Oct 17

A cyber espionage group dubbed ‘BRONZE BUTLER’ or ‘Tick’ may be operating out of the People’s Republic of China (PRC) in order to steal data and intellectual property from organisations and enterprises in Japan.

SecureWorks Counter Threat Unit researchers and incident responders have been following the group’s activities between 2012-2017.

They discovered that Bronze Butler’s operations suggest a long-standing intent to steal information from Japanese organisations, with a heavy focus on the critical infrastructure, heavy industry, manufacturing and international relations networks.

The group has used a combination of spearphishing, strategic web compromises and the exploitation of a zero-day vulnerability to compromise the systems it targets. Because their command and control servers are encrypted, network defenders have faced challenges in stopping the threats.

The spearphishing emails and strategic web compromises (SWCs) are used to compromise target networks and are often conducted using Flash animation attachments and other Flash exploits for SWC attacks.

It has also used the CVE-2016-7836 vulnerability to take advantage of flaws in SKYSEA Client View, a popular IT asset management product in Japan. Bronze Butler may have been taking advantage of the vulnerability since at least June 2016.

When the group is successful in system infiltration, it deletes traces of its activities but still keeps access open for future possible investigation.

SecureWorks researchers say Bronze Butler has exfiltrated a number of different data categories: Intellectual property about technology and development; product specifications; business and sales information; network and system configuration files; email messages and meeting minutes.

They also believe the group is located in the People’s Republic of China because of three main pieces of evidence: The use of T-SMB Scan tools published on a Chinese Developer’s website; Chinese characters in the installation name of an early xxmm backdoor; a drop in the group’s activity during PRC national holidays; and links between the group’s hacking tool and PRC-based NCPH hacking group.

“PRC-based cyberespionage groups have historically sought intellectual property and economic intelligence from competing economies to deliver information which can provide a competitive advantage domestically. The demand for this type of intelligence gathering could be influenced by China’s ambitious economic growth goals,” researchers state.

CTU researchers recommend that organisations, particularly those whose assets and intellectual property could be valuable to BRONZE BUTLER, implement the following security practices:

  • Review proxy log settings to ensure they capture information such as HTTP parameters and User-Agents for future analysis. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity.
  • Use an advanced endpoint threat detection (AETD) solution to monitor activity on network endpoints. Install a background monitor tool (e.g., Sysmon) to log detailed Windows event information to assist with incident response.
  • Implement timely vulnerability patching and system updates. Update SKYSEA Client View implementations to the latest version as soon as possible.
  • Review network access control. In particular, review network access for use of mobile USB modems on corporate systems. Also implement strict security controls for privileged accounts such as Active Directory administrator to prevent access by an unauthorised user.
Hillstone CTO's 2019 security predictions
Hillstone Networks CTO Tim Liu shares what key developments could be expected in the areas of security compliance, cloud, security, AI and IoT.
Can it be trusted? Huawei’s founder speaks out
Ren Zhengfei spoke candidly in a recent media roundtable about security, 5G, his daughter’s detainment, the USA, and the West’s perception of Huawei.
Oracle Java Card update boosts security for IoT devices
"Java Card 3.1 is very significant to the Internet of Things, bringing interoperability, security and flexibility to a fast-growing market currently lacking high-security and flexible edge security solutions."
Sophos hires ex-McAfee SVP Gavin Struther
After 16 years as the APAC senior vice president and president for McAfee, Struthers is now heading the APJ arm of Sophos.
Half of companies unable to detect IoT device breaches
A Gemalto study also shows that the of blockchain technology to help secure IoT data, services and devices has doubled in a year.
Huawei founder publically denies spying allegations
“After all the evidence is made public, we will rely on the justice system.”
Malware downloader on the rise in Check Point’s latest Threat Index
Organisations continue to be targeted by cryptominers, despite an overall drop in value across all cryptocurrencies in 2018.
IoT breaches: Nearly half of businesses still can’t detect them
The Internet of Thing’s (IoT’s) rapid rise to prominence may have compromised its security, if a new report from Gemalto is anything to go by.