Introduction
The Tick group has been one of the noteworthy long-term Advanced Persistent Threat (APT) actors associated with East Asia’s cyber-espionage activity. For nearly two years, it has operated in an extremely persistent and disciplined way, consistently gathering intelligence rather than pursuing large-scale attacks as its main goal. Although the group does not make headlines with attacks that cause serious damage to critical infrastructure, its prolonged and stealthy nature makes it an extremely important threat, particularly to businesses and individuals operating in or linked to the East Asian region.
Tick has been tracked under multiple names, including BRONZE BUTLER, G0060, Nian, and PLA Unit 61419, as well as REDBALDKNIGHT, STALKER PANDA, Stalker Taurus, and Swirl Typhoon. Many of these names reflect parallel tracking by different research organizations and intelligence agencies that have observed similar infrastructure, malware, and targeting patterns over many years.

Identity and Attribution
Tick is best assessed as a China-based advanced persistent threat (APT) actor, primarily focused on regional espionage. Historically, several reports have linked Tick to specific Chinese military intelligence interests, including references to the People’s Liberation Army (PLA) Unit 61419; however, current assessments tend to be more general, placing Tick within a broader landscape of cyber-espionage activity aligned with China.
In contrast to the rapid tool evolution seen in some newer APT groups, Tick has chosen to improve its capabilities and tools slowly and incrementally, which has led to operational stability. This cautious approach has allowed Tick to remain active and operationally capable while avoiding the attention that more aggressive or experimental tool usage may attract.
Strategic Motivation
Tick’s activity is motivated primarily by espionage. Tick conducts operations to gain access to networks and collect sensitive political, diplomatic, military, and industrial information. Unlike many APT groups that ultimately seek to profit from the information gained by monetizing access and/or deploying ransomware, Tick’s primary focus is to sustain persistent access to the highest-value networks and extract information, without detection, over long periods.
Analysis of Tick’s target selection indicates a significant interest in the national strategic planning, defense research and development, and industrial capabilities of East Asia. In addition, Tick’s campaigns usually align with the current geopolitical and security dynamics of the Asia region, indicating that Tick is likely either directed by the Chinese government or supported by governmental agencies.
Tactics, Techniques, and Procedures (TTPs)
The Tick Group’s tradecraft follows a consistent operational pattern: patience, low noise, and deliberately selected targets. The group pairs a strong operational pattern level (OPL) with moderately advanced technical and operational methods.
Initial Access
Initial access for the Tick Group generally comes from spear-phishing campaigns that target specific companies or people. The email contains either a link or an attachment designed to appear as a legitimate government or business document. In some instances, the Tick Group has also taken advantage of unpatched systems by exploiting known vulnerabilities in internet-facing servers.
Execution and Persistence
After the Tick Group obtains a foothold in a target’s environment, it deploys custom malware loaders and backdoors specifically built to provide a long-term presence. Persistence is achieved by manipulating the Registry, creating scheduled task entries, and adding malicious service entries. The Tick Group favours stability over speed, so its access typically remains intact regardless of whether the system has been rebooted or a partial recovery has been performed.
Command and Control
The Tick Group’s command-and-control infrastructure uses HTTP and HTTPS to conceal malicious traffic within normal web activity. Domains and servers for the C2 infrastructure are chosen deliberately to blend in with benign domains, and infrastructure from earlier campaigns is often reused with only small changes.
The Tick Group shows a great deal of discipline in managing its infrastructure: although it runs multiple campaigns, it does not reuse the same infrastructure within a campaign any more than it must, which limits the opportunity for easy attribution or takedown.
Lateral Movement and Collection
When Tick moves laterally within a compromised environment, it does so selectively, moving only to systems most likely to hold sensitive documents or stored credentials. The Tick Group is careful not to gather credentials or perform network reconnaissance too frequently, in order to reduce the risk of detection. The internal material it typically collects includes internal reports, emails, technical documents, and strategic planning materials.
Malware and Tooling
Although the Tick Group has been associated with numerous families of custom malware that it has developed and maintained over a long period, most of its tools are relatively small, modular in scope, and focused on stealth and detection evasion rather than on advanced functionality. The Tick Group continually updates its tools for compatibility with modern operating systems and security controls; however, these updates are evolutionary rather than revolutionary.
Reliability is probably the most defining feature of the Tick Group’s tooling. Its malware is designed to run for extended periods without crashing or drawing attention, so that it can support the group’s long-term espionage activity.

Target Profile
Tick’s target selection is localized and deliberate.
Primary Targets
- Government agencies and public administration bodies
- Defense and military-related organizations
- Industrial and manufacturing companies
- Technology and telecommunications firms
Geographic Focus
- East Asia (Japan, South Korea, Taiwan)
- China-adjacent regions
- Some operations targeting Southeast Asia and Europe, with connections to East Asia
Historically, Japan has been one of Tick’s most consistent targets, which reflects Tick’s focus on intelligence from this region.
Notable Operations
Over its long operational history, Tick has been linked to numerous sustained espionage campaigns:
- Early 2000s–2010: Early campaigns against Japanese government and industrial targets established a consistent long-term presence.
- 2011–2015: The target set expanded geographically beyond East Asian countries. Malware was improved during this period with respect to stability and persistence.
- 2016–2019: Activity stayed below the radar, focused mainly on military and defense intelligence, and was sustained with little attention from incident reporting at the time.
- 2020–2024: Targeted espionage appears to be ongoing with updated tooling, still conducted using a stealth-oriented methodology.
The campaigns referenced above show consistent capabilities without any noteworthy changes.
Recent Developments and Evolution
Recently, Tick has continued to update its malware, adapting it to newer operating systems and security frameworks. As other groups have begun to adopt aggressive tactics against victims, Tick has kept to its established methods of operation.
Tick’s sustained activity may be due to its ability to avoid creating excessive alerts and to limit the amount of malware it uses, thus reducing the chances of getting caught.
Threat Assessment
Tick is considered a medium- to high-level espionage threat both to organisations located in East Asia and to organisations that work with East Asia on security or industrial development. Unlike some other threat-actor groups that rely on a high degree of technical novelty, Tick relies on discipline and patience to maintain long-term access to its targets. Organisations affected by Tick may not detect the breach immediately, and may only discover after a long period of time that sensitive data has been lost.
Defensive Considerations
Defending against Tick requires a posture of long-term threat detection rather than purely reactive incident response. Organizations should focus on the following items to protect themselves against Tick:
1) Strong awareness and controls around spear-phishing attempts via email
2) Continuous monitoring for long-term intrusions that generate activity at low frequency
3) Regular review of outbound network traffic patterns
4) Strong patch maintenance for all internet-facing applications.
Any organization located in or near Japan that believes it may be targeted by Tick should plan its defenses with regard to the ongoing interest Tick may have in it.
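The Command and Control section describes HTTP/HTTPS traffic chosen to blend in with normal web activity, and items 2 and 3 above call for monitoring long-term, low-frequency intrusions and outbound traffic patterns. The script below is an added example written for this page; it is not code from the original page, from Tick’s tooling, or from any vendor report. It reads a constructed proxy log (the host names, domain names and timestamps are invented for the example, and the log format and detection thresholds are assumptions) and flags source/destination pairs whose outbound requests recur at near-constant intervals with near-constant sizes over several hours, which is the low-and-slow beaconing shape that blends into ordinary browsing when each request is viewed on its own.

```python
"""Flag candidate low-and-slow beaconing in outbound web proxy logs.

Added example for this page (not from the original page or from any Tick report).
Log format assumed: "<ISO-8601 UTC timestamp> <src_host> <dest_host> <bytes_out>".
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (invented hosts, domains and times, not real data).
# WS-17 talks to cdn-assets.example roughly once an hour with ~418-byte requests,
# mixed in with irregular, variably sized browsing to news.example.
SAMPLE_LOG = """\
2024-03-04T08:00:03Z WS-17 cdn-assets.example 418
2024-03-04T08:12:40Z WS-17 news.example 1290
2024-03-04T08:59:58Z WS-17 cdn-assets.example 416
2024-03-04T09:31:11Z WS-17 news.example 3450
2024-03-04T10:00:07Z WS-17 cdn-assets.example 420
2024-03-04T11:00:01Z WS-17 cdn-assets.example 417
2024-03-04T11:45:22Z WS-17 news.example 880
2024-03-04T12:00:05Z WS-17 cdn-assets.example 419
2024-03-04T13:00:02Z WS-17 cdn-assets.example 418
2024-03-04T13:20:09Z WS-03 updates.example 5120
2024-03-04T14:00:04Z WS-17 cdn-assets.example 416
2024-03-04T15:00:00Z WS-17 cdn-assets.example 418
2024-03-04T15:47:35Z WS-17 news.example 2210
2024-03-04T16:00:06Z WS-17 cdn-assets.example 417
"""


def parse_log(text):
    """Parse log lines into (timestamp, src_host, dest_host, bytes_out) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(nbytes)))
    return records


def find_beacons(records, min_events=6, max_interval_cv=0.15, max_size_cv=0.10, min_span_hours=4.0):
    """Return (src, dst) pairs whose requests recur at a regular period with
    consistent size over a long span.

    Regularity is measured with the coefficient of variation (pstdev / mean) of
    the inter-request intervals and of the request sizes; thresholds are
    illustrative assumptions and should be tuned against a real baseline.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in records:
        by_pair[(src, dst)].append((ts, nbytes))

    findings = []
    for (src, dst), events in by_pair.items():
        if len(events) < min_events:
            continue  # too few requests to judge periodicity
        events.sort()
        times = [ts for ts, _ in events]
        sizes = [n for _, n in events]
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_interval = mean(intervals)
        if mean_interval <= 0:
            continue  # all requests in the same second: a burst, not a beacon
        span_hours = (times[-1] - times[0]).total_seconds() / 3600
        interval_cv = pstdev(intervals) / mean_interval
        size_cv = pstdev(sizes) / mean(sizes)
        if span_hours >= min_span_hours and interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "events": len(events),
                "period_s": round(mean_interval),
                "interval_cv": round(interval_cv, 3),
                "size_cv": round(size_cv, 3),
                "span_hours": round(span_hours, 1),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"candidate beacon: {hit['src']} -> {hit['dst']} every ~{hit['period_s']}s "
              f"({hit['events']} requests over {hit['span_hours']}h, "
              f"interval CV {hit['interval_cv']}, size CV {hit['size_cv']})")
```

On the sample data only the hourly WS-17 to cdn-assets.example pattern is reported; the browsing to news.example is too irregular and too infrequent to qualify. In practice the interesting output is not a single run but the same pair reappearing day after day, so the findings are best written to a store and compared across days; pairs that persist for weeks with a stable period deserve a look at what process on the host is generating the requests.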
Conclusion
Tick is an excellent example of a mature and disciplined espionage actor, defined by patience and consistency rather than technical flashiness. Its long-term track record demonstrates how incremental improvements can support long-term intelligence collection under strict confidentiality.
As geopolitical competition continues to develop across Asia, Tick will almost certainly remain an active and significant threat to all nations operating in its area of interest. An in-depth understanding of how Tick conducts its operations will therefore help teams recognise and mitigate the risks associated with these sustained operations over a lengthy period of time.

