Threat Actor Profile
Description
Tonto Team is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. Tonto Team has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).(Citation: Kaspersky CactusPete Aug 2020)(Citation: ESET Exchange Mar 2021)(Citation: FireEye Chinese Espionage October 2019)(Citation: ARS Technica China Hack SK April 2017)(Citation: Trend Micro HeartBeat Campaign January 2013)(Citation: Talos Bisonal 10 Years March 2020)
Confidence Score
Known Aliases
Tags
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (15)
Indicators of Compromise
STIX Data
{
  "aliases": [
    "Tonto Team",
    "Earth Akhlut",
    "BRONZE HUNTLEY",
    "CactusPete",
    "Karma Panda"
  ],
  "created": "2021-05-05T17:18:25.987Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "description": "[Tonto Team](https://attack.mitre.org/groups/G0131) is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. [Tonto Team](https://attack.mitre.org/groups/G0131) has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).(Citation: Kaspersky CactusPete Aug 2020)(Citation: ESET Exchange Mar 2021)(Citation: FireEye Chinese Espionage October 2019)(Citation: ARS Technica China Hack SK April 2017)(Citation: Trend Micro HeartBeat Campaign January 2013)(Citation: Talos Bisonal 10 Years March 2020)",
  "external_references": [
    {
      "external_id": "G0131",
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/groups/G0131"
    },
    {
      "description": "(Citation: Kaspersky CactusPete Aug 2020)",
      "source_name": "CactusPete"
    },
    {
      "description": "(Citation: Kaspersky CactusPete Aug 2020)(Citation: CrowdStrike Manufacturing Threat July 2020)",
      "source_name": "Karma Panda"
    },
    {
      "description": "(Citation: Secureworks BRONZE HUNTLEY )",
      "source_name": "BRONZE HUNTLEY"
    },
    {
      "description": "(Citation: Talos Bisonal Mar 2020) ",
      "source_name": "Tonto Team"
    },
    {
      "description": "(Citation: TrendMicro Tonto Team October 2020)",
      "source_name": "Earth Akhlut"
    },
    {
      "description": "Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021.",
      "source_name": "TrendMicro Tonto Team October 2020",
      "url": "https://vb2020.vblocalhost.com/uploads/VB2020-06.pdf"
    },
    {
      "description": "Falcon OverWatch Team. (2020, July 14). Manufacturing Industry in the Adversaries’ Crosshairs. Retrieved October 17, 2021.",
      "source_name": "CrowdStrike Manufacturing Threat July 2020",
      "url": "https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/"
    },
    {
      "description": "Faou, M., Tartare, M., Dupuy, T. (2021, March 10). Exchange servers under siege from at least 10 APT groups. Retrieved May 21, 2021.",
      "source_name": "ESET Exchange Mar 2021",
      "url": "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/"
    },
    {
      "description": "Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.",
      "source_name": "Talos Bisonal Mar 2020",
      "url": "https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html"
    },
    {
      "description": "Nalani Fraser, Kelli Vanderlee. (2019, October 10). Achievement Unlocked - Chinese Cyber Espionage Evolves to Support Higher Level Missions. Retrieved November 17, 2024.",
      "source_name": "FireEye Chinese Espionage October 2019",
      "url": "https://web.archive.org/web/20210308054208/https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf"
    },
    {
      "description": "Roland Dela Paz. (2003, January 3). The HeartBeat APT Campaign. Retrieved October 17, 2021.",
      "source_name": "Trend Micro HeartBeat Campaign January 2013",
      "url": "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the-heartbeat-apt-campaign.pdf?"
    },
    {
      "description": "Sean Gallagher. (2017, April 21). Researchers claim China trying to hack South Korea missile defense efforts. Retrieved October 17, 2021.",
      "source_name": "ARS Technica China Hack SK April 2017",
      "url": "https://arstechnica.com/information-technology/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/"
    },
    {
      "description": "Secureworks. (2021, January 1). BRONZE HUNTLEY Threat Profile. Retrieved May 5, 2021.",
      "source_name": "Secureworks BRONZE HUNTLEY ",
      "url": "https://www.secureworks.com/research/threat-profiles/bronze-huntley"
    },
    {
      "description": "Warren Mercer, Paul Rascagneres, Vitor Ventura. (2020, March 6). Bisonal 10 Years of Play. Retrieved October 17, 2021.",
      "source_name": "Talos Bisonal 10 Years March 2020",
      "url": "https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html"
    },
    {
      "description": "Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021.",
      "source_name": "Kaspersky CactusPete Aug 2020",
      "url": "https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/"
    }
  ],
  "id": "intrusion-set--c5b81590-6814-4d2a-8baa-15c4b6c7f960",
  "modified": "2024-11-17T16:30:03.375Z",
  "name": "Tonto Team",
  "object_marking_refs": [
    "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
  ],
  "revoked": false,
  "spec_version": "2.1",
  "type": "intrusion-set",
  "x_mitre_attack_spec_version": "3.2.0",
  "x_mitre_deprecated": false,
  "x_mitre_domains": [
    "enterprise-attack"
  ],
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_version": "1.1"
}