China's Tonto Team APT Ramps Up Spy Operations Against Russia

In a significant spike of activity, the state-sponsored group is going after intelligence on Russian government agencies.

4 Min Read
Chinese flag
Source: Pixels Hunter via Alamy Stock Photo

Representing a significant increase in activity, a campaign linked to China started targeting Russia-linked organizations in June with malware designed to collect intelligence on government activities, according to analyses by security firms and Ukraine's Computer Emergency Response Team (CERT). 

The attacks use purported government advisories sent as Rich Text Files (RTFs) in an attempt to convince victims to open the documents, thus allowing a remote code execution (RCE) exploit in Microsoft Office to be run. That's according to endpoint security firm SentinelOne, which stated in an analysis published on Thursday that the contents of the documents appear as security warnings written in Russian. They claim to warn agencies and infrastructure providers of potential attacks and advise them of compliance requirements under Russian law.

Escalating Cyberattacks Against Russia

While China has targeted Russia in the past, and vice versa, the pace of attacks — especially by the purported threat actor, Tonto Team — has grown following the Russian invasion of Ukraine, says Tom Hegel, a senior threat researcher at SentinelOne.

"Tonto Team, like other Chinese actors, has a long history of targeting Russia," he says. "What we're seeing here is a potential Chinese government increase in intelligence collection requirements from inside Russia. Perhaps an increased prioritization or expansion of resources assigned to such tasking."

The reported increase in Chinese cyber operations comes as Russia has strengthened diplomatic relations with China in the face of sanctions from Western nations. While the two major nations are not formal allies, they have expanded trade and defense ties over the past decade as a way to foil the expansion of Western alliances.

Delivery timing of the malicious documents in latest Tonto Team attacks.

In addition, they have different approaches to pursuing their foreign policy goals. Russia has tacitly allowed cybercriminal gangs to operate in its territory and has also widely used cyber operations to steal intelligence and attack infrastructure, as well as an adjunct to military operations. For example, Russia has used disinformation campaigns, infrastructure attacks, and espionage operations in its conflict with Ukraine.

China, which has profited significantly from economic relations with Western nations, has mainly pursued non-military approaches to international relations and used cyber operations for acquiring intellectual property and conducting espionage. Treating Russia as any other adversary just shows consistency, says SentinelOne's Hegel.

This is "simply China looking out for itself in uncertain times," he says. "Like any well-resourced nation, they seek to support their own agenda through cyber, and the state of affairs in Russia may be adjusting just what they prioritize."

The recent campaigns have used two pieces of malware linked to Chinese advanced persistent threats (APTs): a toolkit used to build malicious documents known as Royal Road and a custom remote access Trojan (RAT) known as Bisonal used by Chinese actors. The Tonto Team — also known as Karma Panda and Bronze Huntley — traditionally has focused on other Asian nations, such as South Korea and Japan, as well as the United States and Taiwan. Recently, the group has increased its operations to Russia, Pakistan, and other nations.

While false flag operations, where one adversary attempts to disguise their operations as another attacker, have happened, a variety of evidence links the attacks to China.

At least seven threat groups — all linked to China — use Royal Road to create malicious documents as part of the initial attack aimed at gaining access to targeted systems. In April, for example, cyberthreat intelligence firm DomainTools analyzed an document created with the Royal Road malware building toolkit that had the hallmarks of a Chinese espionage campaign and targeted a Russian underwater research and weapons development organization.

"Combined with the sensitive targeting and the attempts at hardening the ultimate payload, it appears the adversary went to some effort to evade analysis of their activity as well," the analysis stated. "Although this campaign appears specifically targeted to an entity in the Russian Federation, the underlying behaviors of this campaign — from malicious document usage through binary execution guardrails and controls — provide helpful insight into adversary tradecraft from which all defenders can learn valuable lessons."

In addition, Bisonal is used exclusively by Chinese groups, according to the advisories.

Companies should take note that nation-state attacks can often affect private businesses. The SentinelOne advisory has indicators of compromise (IoCs) for the latest campaigns, and DomainTools highlights various countermeasures for detecting and blunting cyber-espionage attacks.

Organizations should use the intelligence to check their own defenses against similar attacks, says SentinelOne's Hegel.

"Targets of espionage or disruption in today's world are not isolated to government networks but can overflow or directly hit private business simply because of their stance on a political issue or where they operate," he says. "As we observed when Ukraine was invaded, things can shift overnight — so CISOs should remain aware of this activity as we continue to live with such geopolitical tension."

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights