First Wave of Attacks Took Place in November 2021
The Taiwanese financial and securities sector was first hit on Nov. 25, 2021. Several financial institutions and securities traders reported “large, unusual purchases of Hong Kong stocks on consumer trading accounts” and suspended online transactions. The initial investigations into the incident were inconclusive, though they identified password mismanagement and credential stuffing as the likeliest cause. After its own review, CyCraft revealed many previously unknown details about the attacks and clarified their nature.
CyCraft Carried Out Its Own Investigation During Second Wave of Attacks
The sector was hit again in February 2022, and this time the targets included CyCraft’s customers. The firm noticed suspicious files and login events on a customer’s server and launched its own investigation into both attacks. CyCraft researchers believe that the Chinese hacking group APT10 was behind both incidents. The attackers carried out a supply chain attack through vulnerable software used by most Taiwanese securities traders; approximately 80% of local financial organizations in Taiwan use it. The firm also found that the two attacks were part of a single, prolonged campaign. “Further investigation showed that what was initially presumed to be two separate waves of cyberattacks was actually one prolonged attack campaign in which the attackers leveraged advanced obfuscation techniques not previously observed,” CyCraft stated in its report.
Attackers Used a Smokescreen Attack to Distract Investigators
CyCraft also described the level of sophistication shown by the attackers. The firm found that APT10 left behind evidence of credential stuffing as a smokescreen to throw off investigators, and noted that the same group had previously left traces of ransomware as a diversion during a 2020 cyberattack. CyCraft attributes the attack to Chinese actors with a high degree of confidence, based primarily on the use of the Quasar backdoor and on its analysis of the actors’ intentions. Quasar is an openly available remote-access tool used by many different actors, so the malware alone is a weak attribution indicator. “The objective of the attacks does not appear to have been financial gain but rather the exfiltration of brokerage information, PII data, and the disruption of investment during a period of economic growth for Taiwan,” CyCraft said.