Recent geopolitical tensions between China and Taiwan have been exacerbated by an uptick in China’s military assertiveness and provocative regional behavior. This culminated in China being recognized as the top threat actor nation in late 2022, wielding its cyber capabilities to pressure Taiwan, a self-governing democracy, which has always repudiated China’s claims of sovereignty and bolstered its defenses in response to perceived aggression.
These simmering tensions have recently manifested in a marked increase in cyberattacks directed at Taiwan, with various sectors falling prey to meticulously orchestrated malware attacks intended to steal sensitive data. Trellix, a renowned cybersecurity firm, has noted a significant surge in these cyberattacks, which could potentially impact Taiwan’s national security and economic stability.
During a brief period from April 7 to April 10, the volume of malicious emails targeting Taiwan quadrupled, reflecting an alarming trend in cyber threat activity. Notably, the most targeted sectors were the Networking/IT, Manufacturing, and Logistics industries. In an equally disturbing development, there was a thirtyfold increase in extortion emails directed at Taiwanese government officials during the last week of January 2023, emphasizing the evolving and targeted nature of these threats.
A recurring malware threat during this period, as identified by Trellix, was PlugX, a notorious Remote Access Tool (RAT) that is linked to various Chinese threat groups and has been in circulation since 2012. The use of this tool aligns with the tactics, techniques, and procedures (TTPs) often employed by these threat actors, who use phishing emails as an initial infection vector before escalating their attacks with more advanced tools.
PlugX, renowned for its stealth capabilities and its knack for evading antivirus detection, has a vast repertoire of destructive capabilities, including keystroke capture, screenshot acquisition, and data theft. This Trojan employs DLL sideloading to evade detection, which allows it to execute malicious code under the guise of a legitimate dynamic-link library (DLL) file loaded by a trusted, often signed, executable. Renowned threat actors such as APT10, APT27, APT41, Mustang Panda, and RedFoxtrot, all suspected to be state-sponsored entities, have been associated with the use of PlugX.
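The sideloading shape described above is something defenders can triage from image-load telemetry (for example Sysmon Event ID 7). The following is an added example, not code from Trellix or from the PlugX analysis, of a heuristic that flags a module loaded from the host process's own directory, outside the Windows system directories, when the module either shadows a known system DLL name or is unsigned while its host process is signed. The DLL name list and the log records are constructed for the example.

```python
import ntpath
from dataclasses import dataclass

# Constructed, deliberately short list of DLL names that normally live only under
# the Windows system directories; a local copy next to a signed EXE is the classic
# sideloading shape. A real deployment would use a much larger, maintained list.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wininet.dll", "msvcr100.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class ImageLoad:
    process: str          # full path of the loading process (Sysmon "Image")
    dll: str              # full path of the loaded module (Sysmon "ImageLoaded")
    process_signed: bool  # Sysmon "Signed" for the process binary
    dll_signed: bool      # Sysmon "Signed" for the loaded module


def is_suspected_sideload(ev: ImageLoad) -> bool:
    proc_dir = ntpath.dirname(ev.process).lower()
    dll_dir = ntpath.dirname(ev.dll).lower()
    dll_name = ntpath.basename(ev.dll).lower()
    # Only modules resolved from the process's own directory, and not from the
    # system directories, match the sideloading pattern.
    if dll_dir != proc_dir or (dll_dir + "\\").startswith(SYSTEM_DIRS):
        return False
    # Shape 1: a well-known system DLL name shadowed by a local copy.
    if dll_name in SYSTEM_DLLS:
        return True
    # Shape 2: a signed host process pulling in an unsigned local module.
    return ev.process_signed and not ev.dll_signed


def triage(events):
    """Return the paths of modules whose load looks like DLL sideloading."""
    return [ev.dll for ev in events if is_suspected_sideload(ev)]


# Constructed sample telemetry (hypothetical paths, not real indicators).
SAMPLE = [
    ImageLoad(r"C:\Users\u\AppData\Local\Temp\update\viewer.exe",
              r"C:\Users\u\AppData\Local\Temp\update\version.dll", True, False),
    ImageLoad(r"C:\Program Files\App\app.exe", r"C:\Windows\System32\version.dll", True, True),
    ImageLoad(r"C:\Program Files\App\app.exe", r"C:\Program Files\App\helper.dll", True, True),
    ImageLoad(r"C:\Users\u\Downloads\doc\reader.exe",
              r"C:\Users\u\Downloads\doc\plugin.dll", True, False),
]

if __name__ == "__main__":
    for path in triage(SAMPLE):
        print("suspected DLL sideloading:", path)
```

Treat hits as triage leads rather than verdicts: legitimate installers routinely ship private copies of runtime DLLs such as msvcr100.dll, so the process path, its signer, and the module's hash should be checked before escalating.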
Additionally, Trellix’s analysis revealed the presence of other pernicious malware families, including Kryptik, Zmutzy, and Formbook, all targeted at Taiwanese systems. Kryptik consists of Trojans that use anti-emulation, anti-debugging, and code obfuscation techniques to avoid analysis. Zmutzy, a Trojan written for Microsoft’s .NET platform, functions as spyware and an information stealer. Formbook, a notorious info-stealer malware, can collect various types of data from infected systems, including cached browser credentials, screenshots, and keystrokes, in addition to acting as a downloader for further malicious files.
In light of these findings, it’s evident that cyber warfare plays an increasingly pivotal role in geopolitical conflicts. The international community needs to collectively address these escalating cyber threats. Governments and organizations must invest more resources in cybersecurity to protect their infrastructure, national security, and citizens. Collaboration between nations to enforce international cyber laws could act as a deterrent to such state-sponsored attacks, preserving the digital landscape’s integrity for peaceful purposes.