Trojan-Rigged Phishing Attacks Pepper China-Taiwan Conflict

Cyber espionage attacks against organizations in Taiwan have surged against the backdrop of recent political tensions, new research shows.

Trellix this week cited a fourfold rise in malicious phishing emails targeting Taiwanese companies between April 7 and 10 of this year. Networking/IT, manufacturing, and logistics, were hit the most.

The emails followed different archetypes — a fake shipment update from DHL, a fake order for bulk cement, or a fake payment overdue notification.

Some of the emails came fitted with malicious attachments, while others contained links to fake login pages designed to harvest credentials.

Following the jump in malicious emails, the researchers detected an even more significant rise in instances of PlugX — a decade-old remote access Trojan common among Chinese state-linked threat actors. PlugX is perhaps most notable for its stealthiness, using DLL sideloading as a means of circumventing Windows security measures and running arbitrary code on a target machine.

Other infostealer malware families spotted in attacks against Taiwan include Zmutzy — a Trojan written in .NET — and Formbook — a cheap infostealer-as-a-service with downloader capabilities.

Patrick Flynn, head of commercial threat intelligence at Trellix, says the majority of the attacks appear to be nation-state, with about 40% targeting Taiwan officials and agencies.

Cyberattacks in the China-Taiwan Conflict

Conflict between China and Taiwan dates back three quarters of a century, with the former claiming sovereignty over the autonomous latter. Tensions have ebbed and flowed ever since, with a recent flare-up precipitating from the parallel conflict in Ukraine, diplomatic meetings between American and Taiwanese officials, and Chinese military drills in the Taiwan Strait. The political and economic implications are severe.

As in Ukraine, cyberattacks have long played a role in the Taiwan conflict — a simpler, more cost-effective, and less politically dangerous weapon of war most often deployed by the more powerful side to target their adversary.

“Cyberwarfare is an attractive option for a number of nation states, as it lets them target their adversaries without escalating to a ‘shooting war,'” says Mike Parkin, senior technical engineer at Vulcan Cyber.

In January 2023, for example, Trellix observed a 30-times increase in extortion emails sent to Taiwanese officials. “Though it’s unclear if this activity is from China-backed threat actors, it speaks to a continued increase in attacks specifically targeting Taiwan,” the researchers explained.

For now, there’s no reason to believe that cyber campaigns against Taiwan and its economy will slow down any time soon, so the impetus will fall on organizations to defend themselves.

“In most cases, the things we do to counter common cybercriminals are the same things we should be doing to counter nation-state attacks: training users, up-to-date patches, secure configurations, etc.,” Parkin says.

But “state-level threats are likely to have more resources and can deploy more sophisticated malware, more targeted phishing attacks, and they have the time and energy to stay persistent,” he says. “Facing threats like that makes it even more important for us to have our security stack at least to baseline.”