Image: Kaleb Kendall via Unsplash

Chinese-speaking hackers disrupt drone supply chains in Taiwan, researchers say

A cyber espionage group with suspected links to Chinese-speaking state-sponsored hacking groups targeted software service providers and military firms in Taiwan and South Korea in several supply chain attacks, according to a new report.

Earth Ammit, as the group is known, launched two waves of campaigns from 2023 to 2024, affecting a range of industries including military, satellite, heavy industry, media, technology, software services and healthcare.

The group’s long-term goal was “to compromise trusted networks via supply chain attacks, allowing them to target high-value entities and amplify their reach,” according to researchers at cybersecurity firm Trend Micro, which analyzed the campaigns.

Organizations that fall prey to these attacks are also at risk of data theft, including exfiltration of credentials and screenshots, researchers said.

In the first wave of Earth Ammit’s campaign, dubbed Venom, the hackers attempted to compromise trusted vendors to infiltrate their customers. According to Trend Micro, the hackers’ strategy centered around infiltrating the drone supply chain. At this stage of the operation, the group used open-source tools — likely due to their accessibility, low cost and ability to hide their footprint, researchers said.

The second campaign, dubbed Tidrone, mainly focused on Taiwan’s satellite and military industries. In these attacks, the hackers used customized backdoors for cyberespionage, including CXCLNT and CLNTEND.

Researchers attributed both campaigns to the same hacker group because they used common command-and-control infrastructure and often targeted the same victims, indicating “a sustained interest by the threat actor in specific entities across multiple operations.”

The attacker’s tactics, as well as its target profile, resemble those used by a suspected Chinese state threat actor, Dalbit, although the group’s definitive affiliation remains unclear.

In a separate report released this week, researchers at EclecticIQ said that multiple China-nexus nation-state actors exploited a recently disclosed critical security flaw in SAP NetWeaver to target critical infrastructure networks.

Among the victims of these attacks were natural gas distribution networks, water and integrated waste management utilities in the UK, medical device manufacturing plants, oil and gas exploration and production companies in the U.S., and government ministries in Saudi Arabia responsible for investment strategy and financial regulation.

The focus on widely used platforms like SAP NetWeaver is a strategic move, as these systems are deeply integrated into enterprise environments and often host unpatched vulnerabilities, researchers said.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.