Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

Cyberattacks on Taiwan Surge Amid Chinese Aggression

Rise in Use of PlugX Malware Points to Chinese Nation-State Activity
Cyberattacks on Taiwan Surge Amid Chinese Aggression
Taipei, Taiwan (Image: Ocean taiwan/CC BY-SA 4.0)

Taiwan was buffeted during April by a three-day surge in malicious emails that increased to four times the usual amount, a reflection of increased tensions in the Taiwan Strait, say threat analysts.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

The surge came on the heels of a January spike in extortion emails aimed at Taipei government officials that peaked at 30 times the normal count, said Trellix.

The threat intelligence firm didn't definitively tie the activity to Chinese state threat groups but says the wider context of renewed Beijing-induced tensions with its island neighbor is inescapable. "Geopolitical conflicts are one of the main drivers for cyberattacks on a variety of industries and institutions," said Joseph Tal, a Trellix senior vice president.

The April wave of emails, designed to make recipients click on malicious links and attachments, was sent by fraudsters impersonating law firms, vendors and suppliers. The bait included fake "payment overdue" notifications and purchase orders.

Fraudsters also spoofed major brands' login pages and targeted company-specific pages to harvest credentials. Following the malicious email wave, Trellix observed a 15-fold increase in PlugX infections between April 10 and April 12. The U.S. federal government has linked the remote access tool to threat actors associated with the Chinese Ministry of State Security. Cybersecurity company Secureworks in 2022 spotted the Chinese state threat group known as Bronze President, also tracked as Mustang Panda, using an updated variant of PlugX in attacks aimed at Russian government officials (see: China Spies on Russians; Microsoft Details Ukraine Attacks).

Trellix said it also observed threat actors using the Kryptik and Zmutzy malware families in attacks aimed at Taiwanese entities. Kryptik uses anti-emulation, anti-debugging and code obfuscation to prevent analysis and Zmutzy is an info-stealer malware that collects credentials and other files from infected systems to enable its users to spy on victims.

A China-based hacktivist group calling itself APT27_Attack claimed responsibility for most of the attacks, but Trellix researchers believed it to be a false flag operation considering the group's attack patterns significantly differed from APT27's activities, which are more clandestine.

About the Author

Jayant Chakravarti

Jayant Chakravarti

Senior Editor, APAC

Chakravarti covers cybersecurity developments in the Asia-Pacific region. He has been writing about technology since 2014, including for Ziff Davis.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.