History
2022: Group-IB reports Chinese hackers attacking Russian IT companies
On February 13, 2023, Group-IB, a Russian company that develops information security technologies, announced an attack by Chinese hackers on the IT sector of the Russian Federation and described the scheme the attackers used.
The incident dates back to June 2022. At that time the Group-IB Managed XDR system raised an alert that malicious emails sent to two of the company's employees had been blocked. Besides Group-IB, the recipients included several dozen leading IT and information security companies, all of them located in Russia. For the malicious mailing the attackers used a fake mailbox registered with the popular free mail service GMX Mail (Global Message eXchange). The correspondence itself, however, was written in the name of a real employee of an information security company, who was supposedly sending the "minutes of a meeting" on the security of the cloud infrastructure.
During the investigation, Group-IB Threat Intelligence specialists obtained several pieces of evidence that the Chinese state-sponsored group Tonto Team (aka HeartBeat, Karma Panda, CactusPete, Bronze Huntley, Earth Akhlut) was behind the attack.
The hackers used phishing emails to deliver Microsoft Office documents built with Royal Road, a malicious RTF weaponizer (exploit builder). According to Group-IB, this tool has long been in active use by Chinese state-sponsored groups.
During the attack, the Bisonal.DoubleT backdoor was discovered. This tool is a proprietary development of the Chinese state-sponsored group Tonto Team and has been used by the hackers since at least 2019. In addition, the attackers used a new downloader, which Group-IB named TontoTeam.Downloader (aka QuickMute).[1]