Taiwan government-backed research organization targeted by APT41 hackers

A Taiwanese government-affiliated research institute working on sensitive technologies was breached by one of China’s most infamous hacking operations, researchers said Thursday. 

The organization, which was not named, was attacked in a campaign that started as early as July 2023, according to a new report from Cisco Talos. The researchers said the victim “specializes in computing and associated technologies.” 

“The nature of research and development work carried out by the entity makes it a valuable target for threat actors dedicated to obtaining proprietary and sensitive technologies of interest to them,” the researchers said. Taiwan is a global leader in areas such as semiconductors.

Cisco Talos  attributed the campaign to APT41 — a China-based group indicted by the Justice Department in 2020 for using ransomware and other tools to attack more than 100 companies and governments around the globe.

Five Chengdu-based members of the group — Zhang Haoran, Tan Dailin, Jiang Lizhi, Qian Chuan and Fu Qiang — are wanted by the FBI and would face decades in prison for dozens of intrusions, including several software supply chain attacks.

Cisco Talos said it was able to tie the attack on the Taiwanese government-affiliated research institute to APT41 based on specific kinds of malware, tactics and open-source tools used. The hackers deployed the ShadowPad malware — a hallmark of China-based hackers — and several additional tools were written in Simplified Chinese.

The researchers were not able to determine how the group first gained access to the victim’s network but said the hackers compromised at least three devices and were “able to exfiltrate some documents from the network.”

The hackers used backdoors and compression tools to exfiltrate a large number of files. 

The members of APT41 have been implicated in both criminal and nation-state attacks. APT41 is well-known for targeting government organizations for intelligence gathering and private enterprises for financial gain.

APT41 has also been implicated in several cyber incidents involving Southeast Asia. Last month, researchers at cybersecurity firm Sophos tracked another 2023 campaign where hackers spent nearly two years targeting an unspecified high-level government department in search of information about the country’s strategy concerning the hotly contested South China Sea.