Nation-state hacker group targeting Taiwan, US, Vietnam and Pacific Islands
A previously unknown government-backed hacking group is targeting organizations in the manufacturing, IT, and biomedical sectors across Taiwan, Vietnam, the U.S. and an unnamed Pacific island, according to new research from Symantec.
The researchers are tracking the group under the name “Grayling” and said in a report released Tuesday that it is using custom-made malware as well as publicly available tools to attack its targets.
The attacks, which began in February and continued through May, stood out to researchers due to the use of distinctive hacking tools. The goal of the campaign is espionage rather than financial motives, they said.
They found attacks on several organizations in the manufacturing, IT, and biomedical sectors in Taiwan as well as an incident involving a government agency located in the Pacific island. Unnamed organizations in Vietnam and the U.S. were also targeted as part of the campaign.
“There are indications that Grayling may exploit public facing infrastructure for initial access to victim machines,” Symantec said.
“The attackers take various actions once they gain initial access to victims’ computers, including escalating privileges, network scanning, and using downloaders.”
The hackers used Havoc, an open-source tool that has gained prominence among hackers as an alternative to Cobalt Strike. The tool allows hackers to download additional payloads, execute commands on victim machines, manipulate Windows tokens and more.
During the attacks, Symantec saw the hackers use a spyware tool called NetSpy and exploit a popular Windows vulnerability, tracked as CVE-2019-0803.
“While we do not see data being exfiltrated from victim machines, the activity we do see and the tools deployed point to the motivation behind this activity being intelligence gathering. The sectors the victims operate in…are also sectors that are most likely to be targeted for intelligence gathering rather than for financial reasons,” they said.
“The use of custom techniques combined with publicly available tools is typical of the activity we see from APT groups these days, with threat actors often using publicly available or living-off-the-land tools in attempts to bypass security software and help their activity stay under the radar of defenders.”
While Symantec declined to attribute the activity to a specific country, they said the “heavy targeting of Taiwanese organizations does indicate that they likely operate from a region with a strategic interest in Taiwan.”
In May, the U.S. government and Microsoft accused Chinese hackers of infiltrating critical infrastructure systems and other areas around U.S. military bases in Guam, a U.S. territory in the Pacific.
Symantec has also released multiple reports this year tracking Chinese espionage campaigns across Vietnam and other Southeast Asian nations, as well as Taiwan.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.