Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Cyberspies Target Taiwan Government, Energy Sector

The threat group behind the cyber espionage campaign dubbed “Tropic Trooper” continues to target Taiwan, including government organizations and the country’s energy sector, Palo Alto Networks reported on Tuesday.

The threat group behind the cyber espionage campaign dubbed “Tropic Trooper” continues to target Taiwan, including government organizations and the country’s energy sector, Palo Alto Networks reported on Tuesday.

Tropic Trooper was first analyzed last year by Trend Micro. At the time, the threat actor, which had been active since 2012 and possibly even earlier, targeted government ministries and heavy industries in Taiwan and the military in the Philippines.

In the attacks observed recently by Palo Alto Networks, the cyberspies targeted the secretary general of Taiwan’s Executive Yuan, which is the government’s executive branch, and a fossil fuel provider.

Similar to the ones monitored by Trend Micro, these attacks involved a piece of malware tracked as Yahoyah and an exploit for CVE 2012-0158, one of the most widely exploited Microsoft Office vulnerabilities.

In its analysis, Trend Micro mentioned spotting Poison Ivy samples and Palo Alto Networks has now confirmed that this piece of malware has also been used by Tropic Trooper. Palo Alto has found evidence suggesting that the attackers might also be using the PCShare malware family.

The hackers delivered their malware using spear-phishing emails carrying specially crafted documents. The Excel file sent to the Executive Yuan purports to come from a staff member at the Democratic Progressive Party and it references various political issues.

“All of the text uses Traditional Chinese, in contrast to Simplified Chinese, which is the official written language of the People’s Republic of China. Traditional Chinese is used in Taiwan, Hong Kong, Macau, and many overseas Chinese communities,” researchers said.

Earlier this month, Citizen Lab published a report detailing malware attacks aimed at the Tibetan Parliament in August and October. Researchers noted that such an attack aligns with the interests of the Chinese government, but they could not find any evidence to link the operation to a specific actor or nation state.

Advertisement. Scroll to continue reading.

Citizen Lab pointed out that the malware used to target the Tibetan Parliament, dubbed KeyBoy, was mentioned in Trend Micro’s report on Tropic Trooper as it had used the same algorithm as Yahoyah to encrypt the configuration file. Citizen Lab has noticed a significant change in the configuration file encoding algorithm in newer KeyBoy variants.

“If KeyBoy is a single component of a larger espionage toolkit, the developers may have realized that this older, static-key based, configuration encoding algorithm was inadvertently providing a link between disparate components of their malware suite,” experts said.

Related Reading: Chinese Cyber Spies Hack Taiwan Ruling Party

Related Reading: New Dripion Backdoor Powers Targeted Attacks in Taiwan

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Cyberwarfare

Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cybercrime

On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.

Cyberwarfare

The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...