BRONZE SPIRAL
Intelligence Profile
In December 2020, the IT management software provider SolarWinds announced that an unidentified threat actor had exploited a vulnerability in their Orion Platform software to deploy a web shell dubbed SUPERNOVA. CTU researchers track the operators of the SUPERNOVA web shell as BRONZE SPIRAL and assess with low confidence that the group is of Chinese origin. SUPERNOVA was likely deployed through exploitation of CVE-2020-10148, and CTU researchers observed post-exploitation reconnaissance commands roughly 30 minutes before the web shell was deployed. This may have been indicative of the threat actor conducting scan-and-exploit activity and then triaging for victims of particular interest, before deploying SUPERNOVA and attempting to dump credentials and move laterally.
BRONZE SPIRAL has been associated with previous intrusions involving the targeting of ManageEngine servers, maintenance of long-term access to periodically harvest credentials and exfiltrate data, and espionage or theft of intellectual property. The threat group makes extensive use of native system tools and 'living off the land' techniques.
Threat Analysis
BRONZE SPIRAL is a advanced-sophistication threat actor attributed to China, engaged in cyber operations with a primary motivation of espionage.
The group's espionage-oriented operations suggest a state-sponsored or state-aligned mandate, typically focused on stealing intellectual property, government secrets, or military intelligence. Targets are usually selected for strategic value rather than financial gain.
Classified as an advanced threat actor, BRONZE SPIRAL likely develops or acquires zero-day exploits, employs custom malware toolchains, and demonstrates long-term persistence capabilities — hallmarks of a well-resourced operation consistent with nation-state backing.
Known Campaigns
BRONZE SPIRAL is a espionage threat actor attributed to China. In December 2020, the IT management software provider SolarWinds announced that an unidentified threat actor had exploited a vulnerability in their Orion Platform software to deploy a web shell dubbed SUPERNOVA. CTU researchers track the operators of the SUPERNOVA web shell as BR...