Description
[Tonto Team](https://attack.mitre.org/groups/G0131) is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. [Tonto Team](https://attack.mitre.org/groups/G0131) has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).(Citation: Kaspersky CactusPete Aug 2020)(Citation: ESET Exchange Mar 2021)(Citation: FireEye Chinese Espionage October 2019)(Citation: ARS Technica China Hack SK April 2017)(Citation: Trend Micro HeartBeat Campaign January 2013)(Citation: Talos Bisonal 10 Years March 2020)
Techniques Used (TTPs)
- T1135 — Network Share Discovery (discovery)
- T1574.001 — DLL (persistence, privilege-escalation, defense-evasion)
- T1090.002 — External Proxy (command-and-control)
- T1059.006 — Python (execution)
- T1069.001 — Local Groups (discovery)
- T1056.001 — Keylogging (collection, credential-access)
- T1003 — OS Credential Dumping (credential-access)
- T1505.003 — Web Shell (persistence)
- T1203 — Exploitation for Client Execution (execution)
- T1204.002 — Malicious File (execution)
- T1566.001 — Spearphishing Attachment (initial-access)
- T1210 — Exploitation of Remote Services (lateral-movement)
- T1059.001 — PowerShell (execution)
- T1068 — Exploitation for Privilege Escalation (privilege-escalation)
- T1105 — Ingress Tool Transfer (command-and-control)
Total TTPs: 15
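The discovery entries above (T1135 Network Share Discovery and T1069.001 Local Groups) are the ones most often visible in plain process-creation telemetry. As an added example, not part of the MITRE page and not tooling attributed to Tonto Team, the following Python helper maps `net.exe`/`net1.exe` subcommands from a process-creation log to those two ATT&CK IDs and tallies hits per technique. The event records, host names and field names are constructed for illustration; the schema is an assumption, not any particular EDR product's format.

```python
"""Map net.exe discovery command lines to the ATT&CK IDs listed for G0131.

Added example: not MITRE content and not Tonto Team tooling. The events below
are constructed (hypothetical) and the field names are an assumed generic
process-creation schema.
"""
import ntpath
import re

# Constructed process-creation events (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "jdoe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": r"net view \\fs01"},
    # net.exe hands most subcommands to net1.exe, so watch both images.
    {"host": "ws01", "user": "jdoe",
     "image": r"C:\Windows\System32\net1.exe", "cmdline": "net1 share"},
    {"host": "ws02", "user": "svc_backup",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net localgroup administrators"},
    {"host": "ws03", "user": "jdoe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    # Mapping a drive is not share discovery; must not be flagged.
    {"host": "ws03", "user": "jdoe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": r"net use Z: \\fs01\share"},
]

# (technique ID, technique name, pattern over the first net subcommand token)
RULES = [
    ("T1135", "Network Share Discovery", re.compile(r"^(view|share)$", re.I)),
    ("T1069.001", "Local Groups", re.compile(r"^localgroup$", re.I)),
]

NET_IMAGES = {"net.exe", "net1.exe"}


def classify(event):
    """Return (technique_id, name) for a net/net1 discovery command, else None."""
    image = ntpath.basename(event["image"]).lower()
    if image not in NET_IMAGES:
        return None
    tokens = event["cmdline"].split()
    if len(tokens) < 2:
        return None  # bare "net" prints usage; nothing to enumerate
    sub = tokens[1]
    # "net share name=path" creates a share; only the argument-free or
    # query forms enumerate, so skip the creation syntax.
    if sub.lower() == "share" and any("=" in t for t in tokens[2:]):
        return None
    for tid, name, pat in RULES:
        if pat.match(sub):
            return tid, name
    return None


def triage(events):
    """Return one hit record per event that maps to a listed technique."""
    hits = []
    for ev in events:
        match = classify(ev)
        if match:
            hits.append({"host": ev["host"], "user": ev["user"],
                         "technique": match[0], "name": match[1],
                         "cmdline": ev["cmdline"]})
    return hits


def by_technique(hits):
    """Count hits per technique ID, e.g. to feed a coverage layer."""
    counts = {}
    for h in hits:
        counts[h["technique"]] = counts.get(h["technique"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in triage(SAMPLE_EVENTS):
        print(f'{h["host"]:5} {h["technique"]:10} {h["name"]:25} {h["cmdline"]}')
    print(by_technique(triage(SAMPLE_EVENTS)))
```

The image check is done on the basename so a renamed copy of `net.exe` in another directory is still caught by name only, not by hash; pairing this with a rule on the `net1.exe` parent/child relationship, or with the actual file hash, is the obvious next hardening step for a production detection.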