(Source-thehackernews.com_.jpg)
In a recent cybersecurity breach, a Taiwanese Research Institute government-affiliated research institute specializing in computing and related technologies fell victim to nation-state hackers tied to China. The attack, which began as early as mid-July 2023, was uncovered by Cisco Talos, revealing the use of sophisticated malware and tools.
Detailed Attack Analysis
The breach targeted the unnamed Taiwanese organization with a series of backdoors and post-compromise tools, including ShadowPad and Cobalt Strike. Cisco Talos researchers Joey Chen, Ashley Shen, and Vitor Ventura attributed the attack to the prolific hacking group APT41 with medium confidence. The ShadowPad malware exploited an outdated version of the Microsoft Office IME binary to load a customized second-stage loader, launching the payload within the compromised environment.
The attack, discovered in August 2023, began with the detection of abnormal PowerShell commands connecting to an IP address to download and execute PowerShell scripts. The initial access vector remains unclear, but it involved a web shell to maintain persistent access and deploy additional payloads like ShadowPad and Cobalt Strike. The latter was delivered via a Go-based loader named CS-Avoid-Killing, designed to bypass antivirus detection.
Intrusion Techniques and Data Exfiltration
The threat actors compromised three hosts within the targeted environment, successfully exfiltrating some documents. They employed various techniques, including running PowerShell commands to launch scripts for running ShadowPad in memory and fetching Cobalt Strike malware from a compromised command-and-control (C2) server. The ShadowPad loader, ScatterBee, executed via DLL side-loading, was a key tool in the attack.
Other steps included using Mimikatz to extract passwords and executing several commands to gather information on user accounts, directory structure, and network configurations. APT41 developed a tailored loader to inject a proof-of-concept for CVE-2018-0824 into memory, exploiting a remote code execution vulnerability for local privilege escalation. The final payload, UnmarshalPwn, was unleashed after passing through three stages. The attackers also made efforts to avoid detection by halting their activity when other users were detected on the system and deleting the web shell and guest account used for initial access once the backdoors were deployed.
Global Implications and Response on Taiwanese Research Institute
The breach at the Taiwanese research institute is part of a broader pattern of cyberattacks attributed to Chinese state actors. Recently, Germany revealed that Chinese state actors were behind a 2021 cyberattack on the Federal Office of Cartography and Geodesy (BKG) for espionage purposes. In response, China’s embassy in Berlin dismissed the accusations as unfounded and urged Germany to stop using cybersecurity issues to politically smear China.
This incident underscores the persistent threat posed by sophisticated nation-state hacking groups and the need for robust cybersecurity measures to protect critical infrastructure and sensitive information from such attacks.
Also Read : CyberPro Magazine
