Image: Lisanto 李奕良 via Unsplash

Malicious emails aimed at Taiwan have spiked in 2023

Government employees and a variety of companies in Taiwan have been the targets of a wave of malicious emails this year amid rising concerns about China’s plans for its island neighbor.

Researchers at cybersecurity firm Trellix said they have observed a significant rise in extortion emails aimed at Taiwan government officials, with a 30-fold increase year-on-year in the number of malicious emails in January.

Joseph Tal, senior vice president of Trellix Advanced Research Center, said in the report that over the past few years his team has noticed that geopolitical conflicts “are one of the main drivers for cyberattacks on a variety of industries and institutions.”

In recent months, an already tense atmosphere around Taiwan has worsened, with senior Chinese officials increasingly making forceful statements about Taiwan’s future. Foreign Affairs Ministry Spokesman Wang Wenbin said last month that “Taiwan’s return to China… is an important part of the post-war international order.”

The “real status quo of the Taiwan question is that both sides of the Taiwan Strait belong to one and the same China,” he added. “Taiwan is part of China.”

Amid this rhetoric, Trellix observed phishing attacks bearing the hallmarks of state-sponsored groups.

They saw the number of malicious emails during one three-day stretch in April increase to over four times the usual amount. The campaigns targeted government agencies as well as IT, manufacturing and logistics industries, and typically deployed PlugX, a malware employed by Chinese state-backed groups since 2012.

“Some of the known threat actors that use PlugX include APT10, APT27, APT41, MustangPanda, and RedFoxtrot,” the report said. “These groups are believed to be state-sponsored and have been linked to various cyber espionage activities.”

PlugX is well known for evading antivirus software, and it gives attackers the ability to log keystrokes, take screenshots on victim devices and access files.

“Some of the PlugX plugins include disk enumeration, keylogging, network resource enumeration, port mapping, process termination, registry editing, service control, and remote shell access,” Trellix researchers said.

They also found several other malware families used in attacks targeting Taiwan, including code obfuscation tools like Kryptik, spyware like Zmutzy and information stealers like Formbook.

Some malicious emails sent in the campaigns involved fake notices of overdue payments from law firms which contained malicious attachments, while others were fake shipment notification emails purporting to be from DHL. Those emails contained links to phishing pages.

Other emails had malware attached to requests for price quotes or purchase orders.

“Our researchers noticed many different themes like generic login pages, targeted company specific pages, multi-brand login pages, etc. being used to target users with an aim to harvest credentials,” the researchers said.

“The rising tensions between China and Taiwan, coupled with the increasing number of cybersecurity attacks, is a cause for concern for individuals, businesses, and governments worldwide.”

After the bellicose comments from the Chinese Foreign Ministry last month, a bicameral group of United States congressional lawmakers introduced legislation that would require the Pentagon to greatly expand cybersecurity cooperation with Taiwan in the face of digital threats from China.

The bipartisan Taiwan Cybersecurity Resiliency Act would authorize the U.S. Department of Defense to conduct cyber training exercises with the country, defend its military infrastructure and systems, and eliminate malicious digital activity against the island.

Taiwanese authorities previously estimated there are 20 to 40 million attempted cyberattacks every month from Beijing. China also hit Taiwan with a barrage of cyberattacks last August when then-House Speaker Nancy Pelosi became the first high-ranking U.S. official in 25 years to visit the country.

Several websites run by the government of Taiwan were disrupted by distributed denial-of-service (DDoS) attacks hours before Pelosi arrived, and Taiwan’s Ministry of National Defense said its network was taken offline by another DDoS incident hours after Pelosi left.

Everything from train stations to convenience stores was hit by cyberattacks during the visit, alarming leaders across Asia.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.