Bronze President APT Shifts Focus to Russian Targets

Bronze President is the name of an advanced persistent threat actor associated with China. According to security researchers, the hacking group which traditionally specializes in cyber espionage has now shifted its focus of attention from the West to Russia, as the war in Ukraine goes on and threatens to spread into the territory of neighboring Moldova.

Who is Bronze President?

Bronze President is a Chinese-speaking advanced persistent threat actor. The consensus among security experts and analysts is that the entity, also known under the aliases TA416 and Mustang Panda, is either directly funded by the Chinese government or at the very least known to the authorities and "tolerated". Active over the last 4 years, Bronze President has a reputation for attacking non-governmental organizations and other entities in Western countries, as well as certain Asian states.

Over the recent weeks, researchers with Secureworks' Counter Threat Unit have noticed that the Bronze President group is now redirecting its efforts to target Russian-speaking territories and entities. This is not the first time the hacker outfit has pulled off attacks on Russian targets, but it is a meaningful switch from the group's recent campaigns that were mostly focused on targets located in Southeast Asia.

In addition to Russian targets, researchers believe the Chinese hacker collective is now probing entities located in other European countries too. This switch led the researcher and analyst teams to conclude that it was an orchestrated and purposeful move matching the intelligence collection needs of the Chinese government.

Payload used in recent campaign

According to the Secureworks team, this shift in general direction and focus might indicate an attempt on the part of China to "deploy advanced malware" on systems that belong to Russian official figures. Russian military systems are another suspected target. The research team found and analyzed a malicious executable named "Blagoveshchensk - Blagoveshchensk Border Detachment.exe". The executable posed as a PDF file by using a changed file icon. Upon execution, the file runs a downloader for the PlugX remote access trojan.

To mask the underlying malicious activity, the fake PDF does open a real PDF document containing English-language information about the sanctions imposed by the European Union on Russia as a result of the war in Ukraine.
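As an added defensive example (not from the Secureworks research or the original article): a Python check that classifies files by their leading bytes rather than trusting the icon or the name, flagging PE content stored under a document extension or carrying a document-like name. The executable extension list and the document name hints are assumptions to tune per environment; a lure like the one described above, with a plain .exe extension and only a swapped icon, passes the name heuristic, so the content check is the one that matters at a mail gateway or download boundary.

```python
import os
import struct
from typing import Optional

# Extensions that legitimately carry Windows executables (assumption: adjust per environment)
EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".sys"}
# Name fragments that suggest a document, as in the PDF lure described above (assumption)
DOC_HINTS = ("pdf", "doc", "xls", "ppt")

def sniff_type(data: bytes) -> str:
    """Classify content by leading bytes; icons and file names are attacker-controlled."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"MZ") and len(data) >= 0x40:
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew points at "PE\0\0"
        return "pe" if data[pe_off:pe_off + 4] == b"PE\x00\x00" else "mz"
    return "unknown"

def disguise_reason(name: str, data: bytes) -> Optional[str]:
    """Explain why a file looks like an executable posing as a document, else None."""
    if sniff_type(data) not in ("pe", "mz"):
        return None
    ext = os.path.splitext(name)[1].lower()
    stem = name.lower()[: len(name) - len(ext)]
    if ext not in EXEC_EXTS:
        return f"PE content under non-executable extension {ext or '(none)'}"
    if any(hint in stem for hint in DOC_HINTS):
        return "PE content with document-like name (possible double extension)"
    return None

def scan_files(files) -> dict:
    """Map suspicious names to reasons; `files` yields (name, leading_bytes) pairs."""
    return {n: r for n, r in ((n, disguise_reason(n, d)) for n, d in files) if r}

def scan_dir(path: str) -> dict:
    """Scan a directory, reading only the first 4 KiB of each file (magic bytes and PE signature)."""
    def heads():
        for entry in os.scandir(path):
            if entry.is_file():
                with open(entry.path, "rb") as fh:
                    yield entry.name, fh.read(4096)
    return scan_files(heads())

def constructed_pe_header() -> bytes:
    """Constructed minimal MZ/PE header (not a runnable program), used only as sample input."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew = 0x40, right after the DOS header
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20
```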

The Bronze President threat actor uses a wide range of other tools, ranging from the ever-popular Cobalt Strike to other backdoor malware.

This switch on the part of the Chinese threat actor comes together with the news that Chinese drone manufacturer DJI has discontinued sales of its products in both Ukraine and Russia.

By Zane
April 28, 2022
