Bronze Light Threat Group in Action

A China-linked state-sponsored hacking group was observed deploying various ransomware families to hide the true intent of its attacks.

The threat group dubbed Bronze light started using the HUI Loader to drop ransomware such as AtomSilo, LockFile, Night Sky, Pandora, and Rook.

The TTPs used and the tools used by the group forced the researchers believe that Bronze Starlight is likely interested in cyberespionage and intellectual property (IP) theft rather than financial gain.

Advertisements

Earlier since 2015, HUI Loader has been used for the delivery of remote access trojans (RATs) and other types of malware, including Cobalt Strike, QuasarRAT, PlugX, and SodaMaster.

Starting in 2021, the loader has been used in campaigns focused on intellectual property theft, with two distinct clusters of activity identified: Bronze Riverside (APT10), which has been focusing on compromising Japanese organizations, and Bronze Starlight, which employs ransomware to distract incident responders and likely to destroy evidence of intrusion.

Researchers analyzed the five ransomware families which were linked to HUI Loader samples that used to deploy Cobalt Strike Beacon and discovered that they were built from two distinct codebases: an early one for AtomSilo and LockFile, and a more recent Babuk ransomware source code leak – for Night Sky, Pandora, and Rook.

The same network had been compromised by both Bronze Starlight and Bronze University, which deployed the ShadowPad malware. The intrusions started in November 2021 and overlapped for several weeks.

The simultaneous and continued operations by another Chinese threat group on the same network suggests that the two groups may have deconflicted their post-intrusion activity. This scenario assumes collaboration and knowledge sharing between the groups.