Posted on February 23, 2022 at 7:09 PM

Chinese hackers launch supply chain attack targeting Taiwan’s financial sector

Chinese hackers have targeted the Taiwan supply chain sector. The advanced persistent threat (APT) group believed to be behind this attack has goals that reflect those of the Chinese government.

Taiwan’s supply chain sector attacked

The attacks were first detected towards the end of November 2021. The threat actor group behind the breach is known as APT10, and it also goes by other names such as the Bronze Riverside, MenuPass Group and Stone Panda. The group has constantly been active, and their first operation was detected in 2009.

The group’s hacking activities spiked between February 10 and February 13 2022. This was when reports suggested that the group had shifted towards attacks with financial objectives targeting the supply chain.      

A recent report by CyCraft, a cybersecurity firm based in Taiwan, said that the recent attack on Taiwan had established a target on the broader supply chain sector. The attackers were specifically targeting the software infrastructure of financial institutions. These attacks led to “abnormal cases of placing orders.”

The report stated that the threat actors conducted this attack using an activity dubbed the “Operation Cache Panda.” Through this operation, they targeted a bug in the web management interface. The vulnerabilities were present in several securities software with an over 80% market share.

After targeting this vulnerability, the attackers went on to deploy a web shell that functions similarly to installing the Quasar RAT in the affected system. The objective of the threat actors, in this case, was to steal sensitive information from the Taiwan supply chain system. The objective of this threat actor group was to gain access to sensitive information.

The threat actors were also stealth in their attack, with the report saying, “In addition to using the open-source project Donut, which can compile Shellcode for different platforms and execute DotNet Assembly In-Memory, this incident also found that using some SharpSpoilt codes inject DotNet malware can achieve the concealment effect of non-malicious modules landing. In order to reduce the probability of being detected by anti-virus software.”

The Quasar RAT strategy used by this threat actor group is popular among other attackers. It is an open-source remote access trojan (RAT) publicly available and easily accessible. The RAT is written in .NET. The features include capturing screenshots, accessing webcam, editing the registry, keylogging to stealing system passwords. The attackers also used a Chinese cloud file sharing service dubbed wenshushu.cn to download auxiliary tools.

“It is worth mentioning that in this attack, the hackers used a lot of open-source or commercial software and reduced the use of malicious programs developed by the hackers in order to reduce the risk of being associated,” the report added.

Threat attributed to Chinese actors

The recent report on this attack comes as the Taiwan parliament made some efforts to fight the espionage attacks by the Chinese government. The parliament unveiled some draft amendments to the national security laws. The laws aim to combat the economic and industrial espionage attempts by China.

Following this amendment, the use of crucial national technologies and trade secrets outside of Taiwan comes with hefty punishments and a prison sentence of up to 12 years. This security law aims at preserving the critical information about Taiwan’s infrastructure, which is a major factor for a country that wants to preserve its critical information.

The government has also limited the movement of people entrusted with critical government information to China to reduce the risks of spying and information sharing. Individuals and organizations that have been granted access or subsidies by the Taiwan government to carry out operations linked to critical national technologies should seek authorization from the government before making any trips to China. Those who fail to get this authorization face a fine of up to $359,000.

While these measures play a role in lowering the risk of critical information being shared with China, Taiwan is still left prone to cybersecurity and espionage attacks. In most espionage attacks, the threat actors use commercial software and hide their attacks to prevent detection. This poses a major risk to the government if espionage attacks are detected much later.

“The root cause of this attack is most likely a loophole in the re-entrustment system. Since the re-entrustment system is related to cash flow and serves important software, more attention must be paid to its supply chain security. Whether the adopted system has been verified by the vulnerability detection mechanism, what vulnerabilities have occurred in the past, and whether there is a professional PSIRT team are the key points that enterprises need to pay careful attention to,” the report concluded.