
Hackers Target Taiwan UAV, Military Industries

Threat Actor Is Likely a Beijing Cyberespionage Operator
A likely Chinese cyberespionage operation has been attacking Taiwan UAV manufacturers. (Image: Shutterstock)

A Chinese-speaking hacking group is targeting drone manufacturers and other military-related industries in Taiwan, the island located roughly 100 miles from mainland China.


Trend Micro on Friday said it tracks the threat actor as "Tidrone." Factors such as file compilation times and its operational hours point to Tidrone "likely being carried out by an as-yet-unidentified Chinese-speaking threat group" for the purposes of espionage.

Tidrone attackers used remote desktop tools, including the open-source remote administration utility UltraVNC, to deploy custom malware including Cxclnt and Clntend. The latter is a remote access tool Trend Micro first spotted in April. The malware gathers sensitive information, bypasses security controls and executes additional malicious payloads.

China claims Taiwan as part of its national territory and has taken steps to assert dominance over the Taiwan Strait, especially under Chinese leader Xi Jinping. The top U.S. envoy to Taiwan on Wednesday vowed that the United States will "continue to maintain the capacity to resist any resort to force or other forms of coercion against Taiwan." U.S. National Security Adviser Jake Sullivan met with Xi in late August and later told reporters he emphasized to Xi the "importance of maintaining peace and stability across the Taiwan Strait."

Chinese aggression in cyberspace against Taiwan has included disinformation campaigns and espionage. A May 2020 ransomware attack against Taiwanese state-owned CPC Corp. - the island's largest gasoline supplier - bore hallmarks of a state-sponsored attack. Security researchers more recently have traced a breach at a Taiwanese government-affiliated research institute to a Beijing hacking group commonly tracked as APT41. The U.S. Department of Justice indicted APT41 members in 2020 for deploying ransomware and other malware to attack more than 100 companies and governments around the globe.

Trend Micro warned that Tidrone isn't just a worry for Taiwanese cyber defenders, since "telemetry from VirusTotal indicates that the targeted countries are varied."

Tidrone operators employ techniques such as bypassing User Account Control, dumping credentials and disabling antivirus software during post-exploitation to maintain persistence within compromised systems.
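The three post-exploitation behaviours listed above (UAC bypass, credential dumping, disabling antivirus) each leave a recognisable trace in endpoint telemetry. The following is an added example, not code from Trend Micro or the original article: a small Python detector that runs over Sysmon-style events and flags the registry handler hijack used by the fodhelper/eventvwr family of UAC bypasses, a non-system process opening lsass.exe with memory-read rights, and Microsoft Defender being switched off by policy value or by Set-MpPreference. The sample events, process paths and the lsass allowlist are constructed for illustration; the Sysmon field names (EventID, Image, TargetObject, SourceImage, TargetImage, GrantedAccess, CommandLine, Details) follow Sysmon's real schema. It is not tied to any Tidrone indicator and would need tuning to a given environment.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Registry handlers rewritten by the fodhelper/computerdefaults (ms-settings)
# and eventvwr (mscfile) auto-elevation bypasses. Matched case-insensitively.
UAC_BYPASS_KEYS = (
    r"\software\classes\ms-settings\shell\open\command",
    r"\software\classes\mscfile\shell\open\command",
)

# Policy values that turn Microsoft Defender off, and the cmdlet that does the same.
AV_TAMPER_KEYS = (
    r"\windows defender\disableantispyware",
    r"\real-time protection\disablerealtimemonitoring",
)
AV_TAMPER_CMD = re.compile(
    r"set-mppreference\s+-disable(realtimemonitoring|ioavprotection|behaviormonitoring)\s+\$?true",
    re.IGNORECASE,
)

# Reading lsass memory needs PROCESS_VM_READ plus a query right.
PROCESS_VM_READ = 0x10
PROCESS_QUERY = 0x400 | 0x1000  # PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION
# Assumption: processes allowed to touch lsass; tune per environment.
LSASS_READERS_ALLOWED = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}


@dataclass(frozen=True)
class Alert:
    technique: str
    image: str
    reason: str


def _lower(ev: dict, key: str) -> str:
    return str(ev.get(key, "")).lower()


def detect_uac_bypass(ev: dict) -> Optional[Alert]:
    # Sysmon EID 13 = registry value set.
    if ev.get("EventID") != 13:
        return None
    target = _lower(ev, "TargetObject")
    if any(key in target for key in UAC_BYPASS_KEYS):
        return Alert("uac_bypass", _lower(ev, "Image"), f"handler hijack: {ev['TargetObject']}")
    return None


def detect_credential_dump(ev: dict) -> Optional[Alert]:
    # Sysmon EID 10 = process access; GrantedAccess is a hex string such as "0x1010".
    if ev.get("EventID") != 10 or not _lower(ev, "TargetImage").endswith("\\lsass.exe"):
        return None
    try:
        granted = int(str(ev.get("GrantedAccess", "0")), 16)
    except ValueError:
        return None
    source = _lower(ev, "SourceImage")
    if granted & PROCESS_VM_READ and granted & PROCESS_QUERY and source not in LSASS_READERS_ALLOWED:
        return Alert("credential_dumping", source, f"lsass opened with GrantedAccess {ev['GrantedAccess']}")
    return None


def detect_av_tampering(ev: dict) -> Optional[Alert]:
    if ev.get("EventID") == 13:
        target = _lower(ev, "TargetObject")
        if any(key in target for key in AV_TAMPER_KEYS) and "0x00000001" in _lower(ev, "Details"):
            return Alert("av_disable", _lower(ev, "Image"), f"Defender policy set: {ev['TargetObject']}")
    # Sysmon EID 1 = process creation.
    if ev.get("EventID") == 1 and AV_TAMPER_CMD.search(str(ev.get("CommandLine", ""))):
        return Alert("av_disable", _lower(ev, "Image"), "Set-MpPreference disabling protection")
    return None


DETECTORS = (detect_uac_bypass, detect_credential_dump, detect_av_tampering)


def scan(events: Iterable[dict]) -> List[Alert]:
    """Run every detector over every event, preserving event order."""
    alerts: List[Alert] = []
    for ev in events:
        for detector in DETECTORS:
            hit = detector(ev)
            if hit is not None:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry (not real events from this campaign).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Local\Temp\loader.exe",
     "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Classes\ms-settings\Shell\Open\command\(Default)",
     "Details": r"C:\Users\victim\AppData\Local\Temp\stage2.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\fodhelper.exe",
     "CommandLine": r"C:\Windows\System32\fodhelper.exe", "ParentImage": r"C:\Users\victim\AppData\Local\Temp\loader.exe"},
    {"EventID": 10, "SourceImage": r"C:\Users\victim\AppData\Local\Temp\stage2.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Local\Temp\stage2.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.technique}] {alert.image}: {alert.reason}")
```

The lsass check deliberately keys on the access mask rather than on tool names, because the article notes the operators use custom malware and repurposed remote-administration tools rather than a known dumper; the UAC rule fires on the setup step (the registry write) rather than on fodhelper.exe launching, which is what makes it hold up when the auto-elevating binary is swapped for another.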

Analysis by researchers found that the infection chains point to a likely supply chain attack. The presence of ERP software in multiple victims' environments suggests the malware may have been distributed through that platform.

Cxclnt malware can upload and download files, clear system traces and collect victim data such as file listings and system information. It can also download and execute portable executable files.

Clntend is a more advanced remote access tool that supports multiple network protocols for covert communication with its command-and-control servers. The malware's capabilities suggest it is used for long-term surveillance and data collection within targeted organizations.

Tidrone employs anti-analysis techniques to evade detection, including checking the parent process of its components and hooking common APIs such as GetProcAddress to alter the malware's execution flow.


About the Author

Prajeet Nair


Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.



