Taiwan Web Hosts Hit by Chinese APT Cyberattacks

Summary
– A Chinese APT group called UAT-7237 is targeting Taiwanese web infrastructure providers for long-term access and data theft.
– The group uses open-source and custom tools, including a shellcode loader named SoundBill and Cobalt Strike, to evade detection and maintain persistence.
– UAT-7237 exploits known vulnerabilities on unpatched internet-exposed servers for initial access and uses SoftEther VPN for long-term system access.
– This activity is part of escalating Chinese cyberattacks against Taiwan’s critical infrastructure, attributed to state-backed hackers.
– Taiwan’s National Security Bureau has warned of increased cyber threats, including risks from Chinese-made apps sending personal data to servers in China.
A newly identified Chinese advanced persistent threat group has launched a series of sophisticated cyberattacks against Taiwanese web hosting providers, aiming to establish long-term access and exfiltrate sensitive data. According to a recent report from Cisco Talos, the group, tracked as UAT-7237, has successfully infiltrated key digital infrastructure, reflecting a broader pattern of escalating cyber aggression linked to geopolitical tensions surrounding Taiwan’s autonomous status.
The threat actor compromised a major web hosting firm in Taiwan, focusing particularly on gaining entry into the organization’s VPN and cloud infrastructure. Once inside, the group engaged in a range of malicious activities including reconnaissance, credential harvesting, and the installation of backdoor access points. This methodical approach allows persistent and stealthy operations within the victim’s network.
UAT-7237 is believed to have been active since 2022 and is considered a probable subgroup of the Chinese-speaking threat actor UAT-5918, which has a documented history of espionage campaigns targeting Taiwanese entities. Despite this affiliation, researchers assess with high confidence that UAT-7237 operates as a distinct group because of notable differences in its tactics, techniques, and procedures.
One of the group’s signature tools is a customized shellcode loader named SoundBill, which decodes and executes malicious shellcode read from a local file. Written in Chinese, SoundBill can load a variety of payloads, including Cobalt Strike, enabling the group to maintain persistent access and carry out information theft.
Unlike many Chinese APT groups that rely heavily on web shells for persistence, UAT-7237 exhibits unique post-compromise behavior. The group frequently exploits known vulnerabilities in internet-exposed servers to gain initial access, then uses the SoftEther VPN client to maintain a foothold. Remote Desktop Protocol (RDP) is later employed to move laterally within the compromised environment.
In addition to custom tools, UAT-7237 leverages a suite of open-source utilities, often modified to avoid detection. These include SharpWMI and WMICmd for executing arbitrary commands, JuicyPotato for privilege escalation, and Mimikatz for credential extraction. The group also uses network scanning tools like Fscan to identify vulnerable systems and expand its access across the network.
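As an added illustration of the post-compromise chain described in the two paragraphs above (not code from the Talos report or from this article), the following Python correlates host process-creation and logon events and flags hosts on which several stages of that sequence appear together. The process names used as stage indicators are assumptions for illustration, not indicators published in the report, and the telemetry is constructed.

```python
"""Per-host stage correlation for the SoftEther VPN -> RDP -> tooling chain."""
from collections import defaultdict

# Stage -> executable names treated as indicators. These names are assumed for
# illustration (SoftEther VPN client and the open-source tools named above);
# they are not IoCs taken from the Talos report.
STAGES = {
    "vpn_foothold": {"vpnclient_x64.exe", "vpncmd.exe"},  # SoftEther VPN client
    "cred_access": {"mimikatz.exe"},
    "priv_esc": {"juicypotato.exe"},
    "wmi_exec": {"sharpwmi.exe", "wmicmd.exe"},
    "scan": {"fscan.exe"},
}
RDP_LOGON_TYPE = "10"  # Windows logon type 10 = RemoteInteractive (RDP)


def stage_of(event):
    """Map one event to a chain stage, or None if it matches nothing."""
    if event["kind"] == "process":
        name = event["image"].rsplit("\\", 1)[-1].lower()
        for stage, names in STAGES.items():
            if name in names:
                return stage
    elif event["kind"] == "logon" and event["logon_type"] == RDP_LOGON_TYPE:
        return "rdp_lateral"
    return None


def correlate(events, threshold=2):
    """Return {host: sorted stages} for hosts showing >= threshold distinct stages.

    A lone RDP logon is routine admin activity, so a single stage never alerts;
    the threshold requires several stages of the chain on the same host.
    """
    seen = defaultdict(set)
    for ev in events:
        stage = stage_of(ev)
        if stage:
            seen[ev["host"]].add(stage)
    return {h: sorted(s) for h, s in seen.items() if len(s) >= threshold}


# Constructed sample telemetry (hostnames, paths and users are made up).
SAMPLE_EVENTS = [
    {"kind": "process", "host": "web01", "image": r"C:\ProgramData\vpn\vpnclient_x64.exe"},
    {"kind": "logon", "host": "web01", "logon_type": "10", "user": "svc_web"},
    {"kind": "process", "host": "web01", "image": r"C:\Windows\Temp\fscan.exe"},
    {"kind": "process", "host": "db02", "image": r"C:\Windows\System32\svchost.exe"},
    {"kind": "logon", "host": "db02", "logon_type": "10", "user": "svc_web"},
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))  # only web01 crosses the threshold
```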
This campaign is part of a wider escalation in cyber operations targeting Taiwan’s critical infrastructure. Earlier this year, Taiwan’s National Security Bureau reported a sharp increase in cyber intrusions aimed at sectors including telecommunications, transportation, and government networks, most of which were attributed to Chinese state-sponsored actors.
Security firm ESET also recently highlighted the use of a sophisticated toolset named CloudScout by another Chinese APT group, Evasive Panda, to extract cloud-based data from Taiwanese organizations. These activities underscore a coordinated and persistent effort to compromise Taiwan’s digital ecosystem, blending espionage with preparatory actions that could potentially disrupt essential services.
Taiwanese officials have further warned that widely used Chinese-developed applications pose significant cybersecurity risks, including the unauthorized transmission of personal data to servers located in mainland China. This layered threat landscape emphasizes the need for heightened vigilance and robust defensive measures among organizations and individuals alike.
(Source: InfoSecurity)