China-Taiwan Tensions Spark Surge in Cyberattacks on Taiwan

By Daksh Kapur, Leandro Velasco · May 17, 2023

“In the past few years, we noticed that geopolitical conflicts are one of the main drivers for cyber-attacks on a variety of industries and institutions. Monitoring geopolitical events can help organizations to predict cyber-attacks in countries they operate in. Trellix with Atlas and Insights our global monitoring services, together with our mail, network, EDR and XDR solutions can help organizations to preemptively fine tune their systems to detect and mitigate emerging attacks.” – Joseph Tal Senior Vice President of Trellix Advanced Research Center.

Recent tensions between China and Taiwan have been escalating due to China's increasing military presence and provocative actions in the region. China has long claimed Taiwan as a part of its territory and has been putting pressure on the island to reunify with the mainland. China has also (in late 2022) become a top threat actor country and was the most prevalent threat-actor country behind nation-state activity. Taiwan, on the other hand, has maintained its independence and has been strengthening its military capabilities in response to China's aggression.

In the last few months, the rise in tensions between Taiwan and China have contributed to a noticeable increase in cyberattacks towards Taiwan. Our researchers have identified a worrying surge in attacks aimed at various industries in the region, with the goal of delivering malware and stealing sensitive information.

Trellix has observed a surge in malicious emails targeted towards Taiwan, starting April 7 and continuing until April 10. The number of malicious emails during this time increased to over four times the usual amount. Even though various industries were targeted during the surge, the most impacted industries in the respective time frame were -

• Networking/IT
• Manufacturing
• Logistics

Furthermore, during the last week of January 2023, our researchers observed a significant rise in extortion emails aimed at Taiwan Government officials, with a 30-fold increase in malicious email counts. Though it’s unclear if this activity is from China-backed threat actors, it speaks to a continued increase in attacks specifically targeting Taiwan.

Malicious Emails

Trellix Advanced Research Center researchers found different styles of malicious email campaigns. The following is a brief about the samples presented below -

• Sample 1: The email is a fake payment overdue notification spoofing a Law firm and to add a sense of urgency, the email contains a warning of legal action on non-payment of the amount. Along with it, the email contains a malicious attachment.
• Sample 2: The email is fake shipment notification spoofing DHL and containing a URL which redirects the user to a phishing page.
• Sample 3: The email is a fake quotation request email for a bulk cement order containing an archive as an attachment which contains malware.
• Sample 4: The email is a fake notification email for purchase order containing a URL which redirects the user to a phishing page.

Malicious URLs

The following are some of the malicious web pages being utilized to target Taiwanese organizations. Our researchers noticed many different themes like generic login pages, targeted company specific pages, multi-brand login pages, etc. being used to target users with an aim to harvest credentials.

Malware

PlugX

Following the spike in malicious emails targeting Taiwan, Trellix has identified a surge in PlugX detections as shown in the following screenshot. PlugX is a known Remote Access Tool in use since at least 2012, PlugX is most commonly Linked to Chinese linked Threat groups.

The surge was observed via the Trellix Advanced Threat Landscape Analysis System (ATLAS) that shows an aggregated view of various sources of telemetry enriched with campaign data containing research from Trellix’s Advanced Research Center (ARC).

This follows the TTPs of many threat actors that use phishing emails as an initial point of infection and then deploy more powerful tooling to take control of the systems and then move laterally.

PlugX is a Remote Access Trojan (RAT) which is commonly used by several Chinese APT groups for cyber espionage activities. It is known for its stealthy capabilities and ability to evade detection by anti-virus software. PlugX attempts to evade detection during installation by using DLL sideloading on target systems.

This technique consists of a legitimate program loading a malicious dynamic-link library (DLL) file that masquerades as a legitimate DLL file. This allows the execution of arbitrary malicious code bypassing security measures that look for malicious code running directly from an executable file.

PlugX has a wide range of capabilities, including capturing keystrokes, taking screenshots, and accessing and stealing files. Some of the PlugX plugins include disk enumeration, keylogging, network resource enumeration, port mapping, process termination, registry editing, service control, and remote shell access. Some of the known threat actors that use PlugX include Apt10, APT27, APT41, MustangPanda, and RedFoxtrot. These groups are believed to be state-sponsored and have been linked to various cyber espionage activities.

Additional Malware

During the analyzed period Trellix has also identified several other malware families targeting Taiwan. The following are some of the malware families observed by our researchers:

• Kryptik - Malware of this family consists of Trojans that use anti-emulation, anti-debugging, and code obfuscation to prevent their analysis.
• Zmutzy - A spyware and information stealer Trojan written in Microsoft's .NET language. It is used to spy on the victims by collecting credentials and other information from the infected system.

Formbook: An info stealer malware used to steal several types of data from infected systems, including credentials cached in web browsers, screenshots, and keystrokes. It can also act as a downloader, enabling it to download and execute additional malicious files.

Trellix Product Protections

Our security product provides comprehensive protection from attacks such as spoofing, phishing and malware-laced job emails. Our multi-layered approach includes checks on the URL, email, network, and attachment levels to ensure that any potential threat is detected and prevented from causing harm. Our product continuously monitors and updates its threat intelligence database to stay ahead of new and evolving threats.

The following is some a subset of the Trellix Security detections that have been observed for the ongoing campaigns:

Conclusion

In conclusion, the rising tensions between China and Taiwan, coupled with the increasing number of cybersecurity attacks, is a cause for concern for individuals, businesses, and governments worldwide. It is crucial for everyone to remain vigilant and take necessary precautions to protect themselves from potential breaches. This includes adopting best practices for cybersecurity and staying informed about the latest threats. "... To navigate this complex landscape, Trellix' Advanced Research Center (ARC) utilizes our unique offerings, ATLAS and Insights, to provide advanced threat analysis and projection. Leveraging these insights and technology, we deliver preemptive, real-time defenses, ensuring the security of our customers' operations, regardless of industry or location."