Threat Actor Likely Operates From A Region With A Strategic Interest In Taiwan(@JayJay_Tech) o
October 10, 2023 Image: Shutterstock
A previously undetected cyberespionage group spied against Taiwanese government agencies and the island-country’s manufacturing sector, say cybersecurity researchers. The Symantec Threat Hunter Team doesn’t attribute the threat group to any particular country, other than noting it likely operates “from a region with a strategic interest in Taiwan.”
See Also: Challenges and Solutions in MSSP-Driven Governance, Risk, and Compliance for Growing Organizations
The threat group, dubbed “Grayling” by Symantec, additionally targeted IT and biomedical companies between February and May. The same threat actor also hacked organizations in the Vietnam, the United States the government of a Pacific nation. Grayling’s targets as well as its post-exploitation behaviors suggest intelligence gathering rather than financially-motivated hacking, the researchers say in a Tuesday blog post.
Taiwan faces increasing cyberespionage activity amid stepped up determination in Beijing to bring the island country under its authority. China’s President Xi Jinping has ordered the military to be capable by 2027 of invading Taiwan. China still remains Taiwan’s largest trade partner and the country’s economy relies on the mainland for manufacturing and exports. A global semiconductor manufacturing powerhouse, Taiwan has also accused China of a sustained campaign of economic espionage.
Microsoft in August said a Chinese espionage group, tracked as Flax Typhoon, targeted and spied on government agencies and education, critical manufacturing and information technology organizations in Taiwan, aiming to “maintain access to organizations across a broad range of industries for as long as possible” (see: Chinese State Hackers ‘Flax Typhoon’ Targeting Taiwan).
Symantec said it did not observe any overlap between Grayling’s tools or techniques with those employed by known espionage groups, including Flax Typhoon. Unlike other espionage groups, Grayling did not rely on spear phishing to establish initial access.
The company says Grayling instead exploited public-facing web servers and in some cases deployed web shells for initial access to victim machines. The hackers used a “distinctive” DLL sideloading technique that exploits SbieDll_Hook to load various tools including Cobalt Strike and the Havoc framework.
“This is the first time we’ve observed this specific DLL sideloading technique,” Brigid O Gorman, a Symantec senior intelligence analyst, told Information Security Media Group. The threat actors likely employed it to diversify away from recognizable tactics that could lead to attribution, she said.
Gorman said the threat actors also possibly used the Havoc framework since cyber defenders are sensitive now to instances of Cobalt Strike.
“In recent times, we have seen attackers looking for alternatives to Cobalt Strike, which may not attract as much attention or be as likely to be blocked on targeted networks,” she said.
Once inside, Grayling used Havoc and other means to download additional payloads that scanned compromised networks, escalated privileges, killed processes and used downloaders to exfiltrate stored information. O Gorman said Symantec’s threat hunting team did not see the threat actors exfiltrate information from victim machines.