Since 2024 [1] [2] [3] [5] [8], a new threat actor known as TIDRONE [4], believed to be associated with Chinese-speaking groups, has been conducting cyber espionage targeting businesses in Taiwan’s military supply chain, specifically drone manufacturers [4].

Description

Trend Micro researchers have identified custom malware, CXCLNT and CLNTEND, being used by the group to infiltrate victims’ IT systems [6]. The custom malware is deployed through remote desktop tools such as UltraVNC, and because the victims share the same ERP software, a supply chain attack is a plausible initial-access scenario; the group is suspected of using such a supply chain compromise to reach victim systems [6], and the malware may have been disseminated this way [4]. The attackers are reported to exploit vulnerabilities in the ERP software to gain access [2] [3], escalate privileges [2] [3], and exfiltrate sensitive data [3].

The attack chain includes privilege escalation [8], credential dumping [4] [8], and defense evasion [8]; in the post-exploitation phase the attackers have used UAC bypass [4], credential dumping [4] [8], and disabling of antivirus software [4]. Backdoors are established through a rogue DLL loaded by Microsoft Word [7] [8]. The malware payloads provide data harvesting, file operations [8], and remote access [8], and the remote access tool CLNTEND can communicate over various network protocols [3]. The actors have continuously updated their tools and refined their attack chain [4], and employ anti-analysis techniques to hinder detection and analysis [4]. Taken together, this points to a sophisticated threat actor likely of Chinese origin [8], and the activity shows similarities to other Chinese espionage operations [3].

The attacks have been observed in Taiwan and predominantly target military-related industries [4], specifically drone manufacturers [4]; given the sensitive data held by military-related entities, the motive is assessed to be espionage [4] [6]. Taiwan has seen an uptick in cyber-attacks more broadly, with RedJuliett targeting a range of organizations on the island [6], and a report by Booz Allen Hamilton outlines how China is using cyber power against Taiwan [6]. This campaign is part of a wider trend of cyber espionage in the military technology sector [5], with potentially significant implications for Taiwan’s cybersecurity [3], underscoring the need for stronger cyber defenses and monitoring of suspicious activity to safeguard sensitive information [5].
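Two of the behaviours described above lend themselves to host-based detection: a DLL loaded by Microsoft Word from a location it has no business loading from (the rogue DLL backdoor) and a VNC-class remote-access binary running from a user-writable path (the UltraVNC deployment). The following is an added example written for this summary, not code from any of the cited reports or from Trend Micro. It assumes a simplified, constructed Sysmon-style log format (one record per line, fields joined by "|", using the Event ID 7 image-load and Event ID 1 process-create field names), an assumed list of user-writable directory prefixes, and assumed VNC executable names (UltraVNC ships winvnc.exe); the sample events are constructed and not from any real incident.

```python
"""Detection sketch for two behaviours from the TIDRONE reporting:
  - Microsoft Word loading a DLL from a user-writable directory or an unsigned DLL
  - a VNC-class remote-access tool started from a user-writable directory
Input is a constructed, simplified Sysmon-style record per line with fields
joined by '|' (an assumed format for this example, not real Sysmon output)."""
from __future__ import annotations

import ntpath
from typing import Dict, List, Tuple

# Assumed: directory prefixes a standard user can write to. Office loading
# code from here, or remote-access tooling running from here, is suspicious.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)

# Assumed binary names for VNC-class remote-access tools (UltraVNC uses winvnc.exe).
VNC_BINARIES = {"winvnc.exe", "vncviewer.exe", "tvnserver.exe"}


def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key=Value|Key=Value' into a dict; the first '=' separates key and value."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def _in_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event matches (empty list if none)."""
    hits: List[str] = []
    event_id = event.get("EventID")
    image = event.get("Image", "")
    # Rule 1: Word (Event ID 7, image load) pulling in a DLL from a user-writable
    # path, or an unsigned DLL at all, is consistent with a rogue/sideloaded DLL.
    if event_id == "7" and _basename(image) == "winword.exe":
        loaded = event.get("ImageLoaded", "")
        unsigned = event.get("Signed", "true").lower() == "false"
        if _in_user_writable(loaded) or unsigned:
            hits.append("word_suspicious_dll_load")
    # Rule 2: a VNC binary (Event ID 1, process create) executing from a
    # user-writable path rather than an installed location.
    if event_id == "1" and _basename(image) in VNC_BINARIES and _in_user_writable(image):
        hits.append("vnc_tool_from_user_writable_path")
    return hits


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every rule over every line; return (rule name, offending path) pairs."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        event = parse_event(line)
        for rule in evaluate(event):
            path = event.get("ImageLoaded", "") if rule.startswith("word_") else event.get("Image", "")
            findings.append((rule, path))
    return findings


# Constructed sample telemetry (not from any real incident).
SAMPLE_EVENTS = [
    r"EventID=7|Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|ImageLoaded=C:\Program Files\Microsoft Office\root\Office16\wwlib.dll|Signed=true",
    r"EventID=7|Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|ImageLoaded=C:\Users\alice\AppData\Local\Temp\helper.dll|Signed=false",
    r"EventID=1|Image=C:\Users\alice\AppData\Roaming\svc\winvnc.exe|ParentImage=C:\Windows\System32\cmd.exe",
    r"EventID=1|Image=C:\Program Files\uvnc bvba\UltraVNC\winvnc.exe|ParentImage=C:\Windows\System32\services.exe",
    r"EventID=1|Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe",
]

if __name__ == "__main__":
    for rule, path in scan(SAMPLE_EVENTS):
        print(f"{rule}: {path}")
```

Only the second and third constructed events should fire: the legitimate Office DLL and the VNC server installed under Program Files are left alone. In a real deployment the user-writable prefixes and the set of remote-access binaries would be tuned to the environment, and the Word rule would normally be paired with an allowlist of the Office install directories so that signed DLLs from odd paths still get reviewed.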

Conclusion

The cyber espionage activities of TIDRONE pose a significant threat to Taiwan’s military supply chain, particularly drone manufacturers [1] [2] [3] [4] [5] [6] [7] [8]. To mitigate these risks, enhanced cyber defenses and monitoring of suspicious activity are essential [5]. The continuous evolution and sophistication of the threat actors highlight the need for proactive measures to safeguard sensitive information and prevent future attacks. The implications of these cyber attacks on Taiwan’s cybersecurity are far-reaching and underscore the importance of vigilance and preparedness in the face of evolving cyber threats.

References

[1] https://cyber.vumetric.com/security-news/2024/09/09/tidrone-espionage-group-targets-taiwan-drone-makers-in-cyber-campaign/
[2] https://cybermaterial.com/tidrone-group-targets-taiwan-drone-makers/
[3] https://ezitech.org/blogs/taiwan-drone-manufacturers-are-the-aim-of-tidrone-espionage-groups-cyber-campaign/
[4] https://securityaffairs.com/168210/apt/tidrone-targets-organizations-taiwan.html
[5] https://hackyourmom.com/en/novyny/ugrupovannya-tidrone-atakuye-tajvanskyh-vyrobnykiv-bezpilotnykiv-z-metoyu-kibershpygunstva/
[6] https://www.infosecurity-magazine.com/news/china-target-taiwan-military/
[7] https://vulners.com/thn/THN:E9B94F00ADADFD55137F2EB606398C89
[8] https://thehackernews.com/2024/09/tidrone-espionage-group-targets-taiwan.html