Infrastructure in Taipei, Taiwan. Image: Derek Liang via Unsplash

Taiwan critical infrastructure targeted by hackers with possible ties to Volt Typhoon

Hackers with apparent ties to several China-based groups like Volt Typhoon are targeting critical infrastructure in Taiwan as part of an ongoing campaign.

Researchers at Cisco Talos discovered a malicious campaign that has been active since at least 2023 attempting to establish long-term access to critical infrastructure in Taiwan and steal information. 

The group behind the campaign, which the researchers tagged as UAT-5918, has tactics, techniques, procedures and victims that overlap with those of Chinese state-backed groups, including the ones tracked as Volt Typhoon and Flax Typhoon.

“We have primarily observed targeting of entities in Taiwan by UAT-5918 in industry verticals such as telecommunications, healthcare, information technology, and other critical infrastructure sectors,” the researchers said.

UAT-5918 typically gains entry by exploiting vulnerabilities in unpatched web and application servers exposed to the internet, Cisco Talos explained. From there, the hackers use open-source tools to move through a victim’s network, stealing credentials and creating administrative accounts to gain further access.

Several of the tools used for credential and data theft are also used by Volt Typhoon and Flax Typhoon, both known for espionage operations. Cisco Talos also found potential ties to other China-based threat actors, including those labeled as Famous Sparrow and Earth Estries.

In January, the U.S. sanctioned a prominent Chinese cybersecurity company for allegedly providing Flax Typhoon actors with infrastructure and other tooling. 

Volt Typhoon continues to cause outrage in the United States for its campaign to target critical infrastructure and enable potentially destructive action. Members of the House Homeland Security Committee said this week that they want to ramp up oversight of the government’s response to the group.

Flax Typhoon activity was initially identified publicly by researchers from Microsoft, who said the group has been at the forefront of attacks targeting Taiwan since 2021. The group is mainly targeting government agencies and education, critical manufacturing and information technology organizations in Taiwan, but Microsoft said it also saw victims across Southeast Asia, North America and Africa.

FBI director Christopher Wray said last year that Flax Typhoon infected internet of things (IoT) hardware like “cameras, video recorders and storage devices — things typically found across big and small organizations.”

Wray described Flax Typhoon as targeting “everyone from corporations and media organizations to universities and government agencies,” adding that about half of the hijacked devices in its botnet were located in the United States.

The FBI used a court authorization to remove the malware from infected devices and take control of Flax Typhoon’s internet infrastructure.

‘FishMonger’

The Cisco Talos report was published on the same day that researchers from cybersecurity firm ESET spotlighted another Chinese operation that previously targeted a government organization in Taiwan. 

The research focuses on Operation FishMedley — a 2022 campaign that was attributed to another prominent cybersecurity firm named i-Soon that is based in Chengdu, China. ESET refers to the operational arm of i-Soon as “FishMonger.” 

The campaign targeted governments and companies in Taiwan, Hungary, Turkey, Thailand, France and the United States using tools commonly deployed by Chinese state-backed groups. 

ESET says it released the report because much of the campaign was revealed in a U.S. indictment unveiled earlier this month centered on i-Soon’s work on behalf of the Chinese government. 

Taiwan has continued to raise alarms about China’s recent moves, which include air and sea drills around the island this week.

Chinese Foreign Ministry spokesperson Mao Ning said on Tuesday that officials in Beijing are livid at a recent U.S. State Department decision to remove language from a government website backing the one-China principle. Mao said it “indicates wrong signals to Taiwan separatist forces.”

On Tuesday, China’s state security ministry accused four individuals allegedly linked to Taiwan’s military of carrying out cyberattacks and espionage against the mainland.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.