China's APT10 cyber-spies 'targeted Taiwanese financial firms'
Operation Cache Panda went after software used by majority of industry players
China's state-sponsored snoops conducted a two-month campaign against Taiwanese financial services firms, according to CyCraft, a security consultancy from the island nation.
CyCraft's analysis of the incident alleges that the attack run started in November 2021, when the malicious actors – named as the Beijing-run APT10 crew – used supply chain attacks to target software used by Taiwanese financial institutions. The cyber-spies installed backdoors using QuasarRAT, a widely available remote access trojan that targets Windows.
The security firm's post states that the application targeted is used by 80 per cent of Taiwan's financial institutions.
The visible effect of the attacks was a number of unusual orders to acquire financial instruments, but CyCraft suggests that attackers were also trying to steal financial information.
Whatever the motive of the attacks, they were sophisticated – attackers breached systems using a web service vulnerability present in security software, then deployed QuasarRAT and used it to download other malware payloads. Some of that malware was stored at Chinese cloud storage service Uncle Wen – a resource chosen as it is aimed at consumers, not state-sponsored criminal masterminds.
Payloads were masked to evade anti-virus software. Attackers also established remote control of target systems.
CyCraft's post suggests defenses that, if deployed, should alert organisations to future use of this attack by APT10 or other actors.
APT10 has been on the radar of security analysts since 2016 and has previously been named as the actor behind attacks on Japanese automotive companies, British managed services providers, US-based aerospace and defense firms and missile defense systems in South Korea.
The gang is thought to have direct links to the Chinese Ministry of State Security, the Middle Kingdom's signals intelligence agency.
China asserts that Taiwan is not an independent nation but a rogue province that must be brought back under Beijing's control. In that context APT10's actions can be considered part of efforts to disrupt institutions that China believes defy its government, and to sow discord in Taiwan in the hope it moves local sentiment to accept reunification.
Most nations stop a hair's width short of recognizing Taiwan's statehood, so as not to contradict China's position. But the USA has pledged to assist Taiwan to maintain a defensive capability and wants no change to current arrangements – meaning it would oppose China attempting to reclaim Taiwan.
The prospect of China doing so has become more strategically significant in recent years – in part because Taiwan has evolved to become a critical source of semiconductors and related technologies. The USA has drawn Taiwan closer to ensure access to those technologies, while also making it harder for Chinese firms to get such tech.
So significant is the tech sector – and the USA's desire to maintain the status quo in Asia – that it is widely suggested President Biden has avoided commitment to kinetic conflict with Russia over its actions in Ukraine because America believes it cannot defend Taiwan against a Chinese thrust at the same time as American boots are on the ground in Europe.
Taiwan, meanwhile, believes China is making ongoing efforts to steal IP from its tech sector, and last week introduced regulations aimed at deterring such actions. ®