Operation Bitter Biscuit

Threat Actor Profile Updated 2 months ago
Operation Bitter Biscuit, as reported by AhnLab, was a malicious campaign executed by a threat actor known as the Tonto Team. The operation targeted entities in South Korea, Japan, India, and Russia, with the initial report being published in October 2017. The main tools used in the attacks were Bisonal and its successors, Bioazih and Dexbia, all of which are Remote Access Trojans (RATs). These RATs allow the attackers to remotely control and manipulate victim systems, and so pose a significant security threat.

By 2018, Operation Bitter Biscuit had escalated, focusing particularly on Korean and Japanese entities. In response, AhnLab released a detailed paper outlining the operation's tactics, techniques, and procedures. The attackers also deployed a variant of the Bisonal RAT that was highly similar to a version previously used during the operation, indicating a persistent and evolving threat from the same threat actor group.

Furthermore, the threat actors used ShadowPad in their attacks. ShadowPad is a well-known backdoor that has been linked to several high-profile cyber espionage campaigns, and its use alongside the Bisonal RAT variant increased the severity and complexity of Operation Bitter Biscuit. Overall, the operation demonstrated the Tonto Team's sophistication and adaptability, underlining the need for continuous vigilance and advanced defensive strategies.
Possible Aliases / Cluster Overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so listed here are possible overlapping names or profiles you may also want to look at.
ID | Votes | Profile Description
(no entries listed)
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
RAT
Associated Malware
ID | Type | Votes | Profile Description
Bisonal | Unspecified | 1 | Bisonal is a multifunctional malware that has been in use for over a decade by the Tonto Team, a Chinese government-aligned Advanced Persistent Threat (APT) group. This malicious software is known for its extensive capabilities including process and file information harvesting, command and file exec
ShadowPad | Unspecified | 1 | ShadowPad is a modular backdoor malware that has been utilized by several Chinese threat groups since at least 2017. Notably, it was used as the payload in supply chain attacks targeting South Asian governments, as reported in the VB2023 paper. ShadowPad provides near-administrative capabilities in
Bioazih | Unspecified | 1 | None
Dexbia | Unspecified | 1 | None
Associated Threat Actors
ID | Type | Votes | Profile Description
Tonto Team | Unspecified | 1 | Tonto Team is a Chinese government-aligned Advanced Persistent Threat (APT) group, recognized for its malicious cyber activities. The team has been active for over a decade, utilizing various types of malware, notably the Bisonal and ShadowPad backdoors, in campaigns against entities in Japan, Russi
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Operation Bitter Biscuit threat actor profile was drawn from the documents in the corpus listed below. This display is limited to 20 results.
Source | Created At | Title
MITRE | a year ago | Exchange servers under siege from at least 10 APT groups | WeLiveSecurity
MITRE | a year ago | Bisonal Malware Used in Attacks Against Russia and South Korea
MITRE | a year ago | Bisonal: 10 years of play