Menu
Browse

Cyber Threat Actor: Rocke Group

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Criminal
China
1 incident
Profile

Rocke Group isa threat actor tracked under the alias Rocke Group, with publicly available information indicating a nexus to China. The actor has been observed exploiting vulnerabilities in widely used infrastructure management tools to gain unauthorized access to victim environments.

On May 3 2020, Rocke Group compromised Xen Orchestra by leveraging CVE‑2020-11651 and CVE‑2020-11652, two remote code execution flaws in SaltStack. After gaining initial access through these vulnerabilities, the actor deployed a cryptocurrency mining script on several virtual machines. The mining activity caused elevated CPU usage and led to the deactivation of firewall rules on the affected hosts, resulting in noticeable service disruption. Analysis of the payload showed that it lacked any persistence mechanisms and did not modify core infrastructure components, encryption keys, or stored credentials. Forensic review using virtual machine backups confirmed that no data exfiltration occurred and that no lasting alterations were made to the compromised systems.

In response, Xen Orchestra rebooted the impacted systems, disabled SaltStack across its infrastructure, and instituted additional network segmentation via virtual private networks. The organization also initiated password rotations and enhanced monitoring as precautionary steps. The observed tactics—exploitation of SaltStack vulnerabilities for initial access, deployment of a miner for resource abuse, and absence of persistence—represent the only confirmed TTPs associated with Rocke Group in the publicly reported incident. No further details about the actor’s broader targeting patterns, affiliations, or operational scope are available in the supplied sources.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
0 sources