Tonto Team

Threat Actors · Tonto Team

· ATT&CK GroupG0131

Earth AkhlutBRONZE HUNTLEYCactusPeteKarma Panda

Techniques

Software

Tactics

Aliases

Description

Tonto Team is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. Tonto Team has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).(Citation: Kaspersky CactusPete Aug 2020)(Citation: ESET Exchange Mar 2021)(Citation: FireEye Chinese Espionage October 2019)(Citation: ARS Technica China Hack SK April 2017)(Citation: Trend Micro HeartBeat Campaign January 2013)(Citation: Talos Bisonal 10 Years March 2020)

Tactic Coverage

execution (5)credential access (2)discovery (2)command and control (2)collection (1)privilege escalation (1)lateral movement (1)persistence (1)initial access (1)stealth (1)

Techniques Used (15)

T1003OS Credential Dumping

credential access

T1056.001Keylogging

collectioncredential access

T1059.001PowerShell

execution

T1059.006Python

execution

T1068Exploitation for Privilege Escalation

privilege escalation

Registration Required

Create a free account to access full Threat Actor Techniques

Showing 5 of 15 results

✓ Personal dashboard✓ Track 1 vendor/product✓ 1 keyword alert✓ Weekly digest✓ 1 CSV export/month

Already have an account? Sign in →

Software Used (6)

S0268Bisonalmalware S0349LaZagnetool S0002Mimikatztool S0590NBTscantool S0596ShadowPadmalware S0008gsecdumptool

References (16)

https://attack.mitre.org/groups/G0131 https://vb2020.vblocalhost.com/uploads/VB2020-06.pdf https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html https://web.archive.org/web/20210308054208/https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the-heartbeat-apt-campaign.pdf?https://arstechnica.com/information-technology/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/https://www.secureworks.com/research/threat-profiles/bronze-huntley https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/