Cyberattacks on Taiwan Surge Amid Chinese AggressionRise in Use of PlugX Malware Points to Chinese Nation-State Activity
Taiwan was buffeted during April by a three-day surge in malicious emails that increased to four times the usual amount, a reflection of increased tensions in the Taiwan Strait, say threat analysts.
The surge came on the heels of a January spike in extortion emails aimed at Taipei government officials that peaked at 30 times the normal count, said Trellix.
The threat intelligence firm didn't definitively tie the activity to Chinese state threat groups but says the wider context of renewed Beijing-induced tensions with its island neighbor is inescapable. "Geopolitical conflicts are one of the main drivers for cyberattacks on a variety of industries and institutions," said Joseph Tal, a Trellix senior vice president.
The April wave of emails, designed to make recipients click on malicious links and attachments, was sent by fraudsters impersonating law firms, vendors and suppliers. The bait included fake "payment overdue" notifications and purchase orders.
Fraudsters also spoofed major brands' login pages and targeted company-specific pages to harvest credentials. Following the malicious email wave, Trellix observed a 15-fold increase in PlugX infections between April 10 and April 12. The U.S. federal government has linked the remote access tool to threat actors associated with the Chinese Ministry of State Security. Cybersecurity company Secureworks in 2022 spotted the Chinese state threat group known as Bronze President, also tracked as Mustang Panda, using an updated variant of PlugX in attacks aimed at Russian government officials (see: China Spies on Russians; Microsoft Details Ukraine Attacks).
Trellix said it also observed threat actors using the Kryptik and Zmutzy malware families in attacks aimed at Taiwanese entities. Kryptik uses anti-emulation, anti-debugging and code obfuscation to prevent analysis and Zmutzy is an info-stealer malware that collects credentials and other files from infected systems to enable its users to spy on victims.
A China-based hacktivist group calling itself APT27_Attack claimed responsibility for most of the attacks, but Trellix researchers believed it to be a false flag operation considering the group's attack patterns significantly differed from APT27's activities, which are more clandestine.