BRONZE VAPOR
SUMMARY
BRONZE VAPOR is a targeted threat group that CTU researchers assess with moderate confidence is based in China. Artifacts from tools associated with this group and open-source reporting on related incidents indicate that BRONZE VAPOR has operated since at least 2017. The group conducts espionage against multiple industries, including semiconductors, aviation, and telecommunications. BRONZE VAPOR's intent appears to be information theft, focusing on intellectual property and personally identifiable information.
Prior to 2019, BRONZE VAPOR primarily focused on targets in East Asia, particularly semiconductor organizations in Taiwan. In 2021, open-source reporting described attacks on at least one European semiconductor company believed to date back to 2017. In 2019, BRONZE VAPOR attacked at least one European aviation organization. The group gains initial access via VPN services, may use spearphishing with 'Letter of Appointment' lures, and deploys Cobalt Strike along with custom data exfiltration tools. Post-intrusion activity involves 'living off the land': using legitimate tools and commands already available within the compromised environment. The group also uses AceHash for credential harvesting, WATERCYCLE for data exfiltration, and STOCKPIPE for proxying information through Microsoft Exchange servers over email.
BRONZE VAPOR uses a set of tactics that are not individually unique but create a relatively distinct playbook when aggregated. Intrusions begin with credential-based attacks against an existing remote access solution (e.g., Citrix, VPN) or third-party network access. The threat actors deploy Cobalt Strike in the environment and use this access to move laterally. They then deploy SharpHound to map the victim's Active Directory infrastructure and collect critical information about the domain, including account names. Command and control infrastructure is hosted on subdomains of Azure and Appspot services to blend in with legitimate traffic. The threat actors also register their own domains for command and control, often using a "sync" or "update" theme. WinRAR is commonly used for compressing data prior to exfiltration. Filenames for these archives often involve a string of numbers and variations of the word "update". Data is exfiltrated using WATERCYCLE to cloud-based platforms such as OneDrive and Google Drive.
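As an added defender-side illustration (not part of the CTU profile), the following Python sketch turns two of the playbook observations above, the digit-plus-"update" archive names and the "sync"/"update" domain theme with cloud-hosted subdomains, into simple triage heuristics over constructed log events. The `file=`/`dns=` event format, the digit-run threshold, the severity tiers and all sample values are assumptions made for this example, not indicators from the page.

```python
import re
from typing import List, Optional, Tuple

# Heuristics from the playbook above. Thresholds and the event format
# ("file=<path>" / "dns=<domain>") are assumptions made for this example.
ARCHIVE_EXTS = (".rar", ".zip", ".7z")
DIGIT_RUN = re.compile(r"\d{3,}")             # "string of numbers" in archive names
UPDATE_WORD = re.compile(r"updat", re.I)      # update / updates / updated ...
C2_THEME = re.compile(r"sync|updat", re.I)    # actor-registered domain theme
# Cloud services the group uses to blend in C2 and WATERCYCLE exfiltration.
CLOUD_SUFFIXES = ("azurewebsites.net", "appspot.com",
                  "onedrive.live.com", "drive.google.com")

def archive_reason(path: str) -> Optional[str]:
    """Flag staging archives named like '20210312update.rar'."""
    name = re.split(r"[\\/]", path)[-1]
    if (name.lower().endswith(ARCHIVE_EXTS) and DIGIT_RUN.search(name)
            and UPDATE_WORD.search(name)):
        return f"archive name combines digit run and 'update' variant: {name}"
    return None

def domain_reason(domain: str) -> Optional[Tuple[str, str]]:
    """Themed actor-registered domains rate medium; cloud subdomains low (noisy)."""
    d = domain.lower().rstrip(".")
    if d.endswith(CLOUD_SUFFIXES):
        return ("low", f"cloud subdomain that may carry C2/exfil traffic: {d}")
    if C2_THEME.search(d):
        return ("medium", f"sync/update-themed domain: {d}")
    return None

def scan(events: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, severity, reason) for each event that trips a heuristic."""
    findings = []
    for n, ev in enumerate(events, 1):
        kind, _, value = ev.strip().partition("=")
        if kind == "file" and (r := archive_reason(value)):
            findings.append((n, "high", r))
        elif kind == "dns" and (r := domain_reason(value)):
            findings.append((n, r[0], r[1]))
    return findings

# Constructed sample events for demonstration; not real indicators.
SAMPLE_EVENTS = [
    r"file=C:\Users\Public\20210312update.rar",
    r"file=C:\Users\alice\Documents\quarterly_report.zip",
    "dns=mail.sync-update.example",
    "dns=login.microsoftonline.com",
    "dns=static-content.appspot.com",
]
```

Cloud subdomain hits are deliberately rated low because legitimate Azure and Appspot traffic is common; they are useful for corroboration alongside a SharpHound or Cobalt Strike detection, not as a standalone alert.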