Tonto Team
Also known as: Earth Akhlut · BRONZE HUNTLEY · CactusPete · Karma Panda
Overview
Tonto Team is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. Tonto Team has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).
Targets
Government · Military · Private sector
Regions
Eastern Europe · Japan · South Korea · Taiwan · United States
Capabilities
- Exploitation for Client Execution (ATT&CK T1203): exploits delivered in files that victims open in client applications, not exploitation of public-facing servers (which ATT&CK tracks separately as T1190)
TTPs (ATT&CK techniques grouped by tactic)
Initial Access
- T1566.001 Spearphishing Attachment
Execution
- T1059.001 PowerShell
- T1059.006 Python
- T1203 Exploitation for Client Execution
- T1204.002 Malicious File
Persistence
- T1505.003 Web Shell
Privilege Escalation
Defense Evasion
- T1574.001 DLL Search Order Hijacking
Credential Access
- T1003 OS Credential Dumping
Discovery
- T1069.001 Local Groups
- T1135 Network Share Discovery
Lateral Movement
Collection
- T1056.001 Keylogging
Command and Control
- T1090.002 External Proxy
- T1105 Ingress Tool Transfer
Tools & malware (6)
Mimikatz · Bisonal · ShadowPad · LaZagne · NBTscan · gsecdump
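As an added example (not code from the threatfilter.dev page nor from any of the reports listed under Reporting), here is a small process-creation hunt for three of the techniques listed above, run over constructed Sysmon-style Event ID 1 records: T1505.003 (a web server worker spawning a shell), T1003 (the credential-dumping tools named in the tools list) and T1135 (NBTscan and net view). The record field names, the file names in the sample command lines and the match patterns are assumptions for illustration, not signatures taken from any report.

```python
"""Added example (not from the threatfilter.dev page, Secureworks, ESET or Trend Micro):
a process-creation hunt for three techniques in the TTP list above, run over
constructed Sysmon-style Event ID 1 records. Field names, tool file names and the
patterns are assumptions for illustration, not signatures from any report."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Subset of a Sysmon Event ID 1 (process create) record."""
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


# Constructed sample telemetry, not captured data.
SAMPLE_EVENTS = [
    # T1505.003: the IIS worker process spawning a shell on an Exchange server.
    ProcEvent("exch01", r"IIS APPPOOL\MSExchangeOWAAppPool",
              r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\cmd.exe", 'cmd.exe /c "whoami & ipconfig /all"'),
    # Benign: a user opening a shell from Explorer.
    ProcEvent("ws17", r"CORP\jlee", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    # T1003: Mimikatz renamed to m64.exe; module names still appear on the command line.
    ProcEvent("ws17", r"CORP\jlee", r"C:\Windows\System32\cmd.exe",
              r"C:\Users\jlee\AppData\Local\Temp\m64.exe",
              'm64.exe "privilege::debug" "sekurlsa::logonpasswords" exit'),
    # T1003: gsecdump run under a service account.
    ProcEvent("ws22", r"CORP\svc_backup", r"C:\Windows\System32\cmd.exe",
              r"C:\Temp\gsecdump.exe", "gsecdump.exe -a"),
    # T1135: NBTscan sweep followed by net view from the same host.
    ProcEvent("ws22", r"CORP\svc_backup", r"C:\Windows\System32\cmd.exe",
              r"C:\Temp\nbtscan.exe", "nbtscan.exe -r 10.10.0.0/16"),
    ProcEvent("ws22", r"CORP\svc_backup", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\net.exe", "net view /all"),
    # Benign: service host start.
    ProcEvent("dc01", r"NT AUTHORITY\SYSTEM", r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]

WEB_WORKERS = {"w3wp.exe", "httpd.exe"}            # assumed web server worker images
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Match tool behaviour rather than file names: Mimikatz module syntax survives a rename.
CRED_DUMP = re.compile(r"sekurlsa::|lsadump::|gsecdump|lazagne", re.I)
SHARE_DISCOVERY = re.compile(r"(^|\\)nbtscan\.exe|\bnet1?(\.exe)?\s+view\b", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the ATT&CK technique IDs this single event matches."""
    hits = []
    if basename(ev.parent_image) in WEB_WORKERS and basename(ev.image) in SHELLS:
        hits.append("T1505.003")
    if CRED_DUMP.search(ev.command_line):
        hits.append("T1003")
    if SHARE_DISCOVERY.search(ev.command_line):
        hits.append("T1135")
    return hits


def hunt(events: list[ProcEvent]) -> list[tuple[str, str, list[str]]]:
    """Per-event hits as (host, image, techniques)."""
    return [(ev.host, ev.image, hits) for ev in events if (hits := classify(ev))]


def suspicious_hosts(events: list[ProcEvent], min_techniques: int = 2) -> dict[str, set[str]]:
    """Hosts on which at least min_techniques distinct techniques fired. A single hit
    is noise-prone; a credential-dump tool plus share enumeration on one host is the
    post-exploitation chain the TTP list above describes."""
    per_host: dict[str, set[str]] = {}
    for host, _, hits in hunt(events):
        per_host.setdefault(host, set()).update(hits)
    return {h: t for h, t in per_host.items() if len(t) >= min_techniques}


if __name__ == "__main__":
    for host, image, hits in hunt(SAMPLE_EVENTS):
        print(f"{host:<7} {basename(image):<14} {', '.join(hits)}")
    print("hosts with chained techniques:", suspicious_hosts(SAMPLE_EVENTS))
```

Two design points carry over to real telemetry: the credential-dumping rule keys on Mimikatz's module syntax (`sekurlsa::`, `lsadump::`) rather than on the file name, so the renamed `m64.exe` is still caught; and `suspicious_hosts` only reports a host once two distinct techniques fire there, which is what turns individually noisy rules (a `net view` alone is routine) into a signal for the dump-then-enumerate sequence.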
Reporting (3)
- Exchange servers under siege from at least 10 APT groups (Faou, M., Tartare, M., Dupuy, T.; ESET)
- BRONZE HUNTLEY Threat Profile (Secureworks)
- Tonto Team: Exploring the TTPs of an advanced threat actor operating a large infrastructure (Daniel Lunghi, Jaromir Horejsi; Trend Micro)