Meet TeamT5, the Taiwanese infosec outfit taking on Beijing and defeating its smears
Living in the eye of the geopolitical storm is not easy, but is good for business
In late September 2021, staff at Taiwanese threat intelligence company TeamT5 noticed something very nasty: a fake news report accusing it of conducting phishing attacks against Japan's government and local tech companies.
The timing of the press release was an indicator of its malice. Whoever posted it did so just before Taiwan's Moon Festival, one of the country’s major holidays – a time at which attackers could safely assume TeamT5's staff would be spending time with family, and not watching the internet for fake news.
But the staff at Team5 did notice.
"We can't keep off the internet, even when on holiday. The attackers weren't counting on that," threat intelligence analyst Che-Cheng Chang told The Reg when we dropped in to TeamT5's Taipei offices last week during the Computex conference.
TeamT5 has customers, and staff, in Japan. The latter pointed to the fake story's mangled grammar, and presence of several Chinese characters, as giveaways to its lack of authenticity. The analysts issued a statement within days of the incident denying the accusation and calling the article "highly possible to be written by non-native Japanese speakers."
Chief analyst and T5 elder, Charles Li, told The Reg the threat actors used translation tools that were easy to detect.
And whoever planted the story was probably Chinese.
TeamT5 has long expected that Beijing is aware of its work. The cyber security firm specializes in identifying persistent threats, with its Taiwan location, language skills, and youthful workforce's appreciation of Asian pop culture giving it a unique perspective on threats emerging from and/or targeting the region. The company's skills span computer and political science, with the latter discipline useful to develop an understanding of motives behind the attacks its analysts witness.
Since 2020 the firm has identified technical links between at least 20 targeted attacks and the Chinese cyber gangs including APT23 (aka GouShe), APT41 (aka Winnti, Amoeba), and BlackTech (aka Huapi) – findings the team travelled to report at Black Hat this year in Singapore.
In 2022 members of the team presented on a China-nexus modular trojan they named Pangolin8RAT, and how Beijing appears to use malware to enforce government policies. Staffers told us they are seeing Chinese APTs targeting healthcare organizations, in what they believe is an attempt to get personally identifiable information (PII) and build an extensive database of individuals felt to have potential for future operations.
Although around 35 percent of attacks TeamT5's researchers see are directed against Taiwan, the rest are in other countries like Japan, Korea, India, or the USA. That's why their business is global – 40 percent of clients are outside Taiwan, mostly in other Asia-Pacific countries. The company also counts a US-based global bank among its clientele.
- To predict the targets of Chinese malware, look at the target of Chinese laws
- Taiwan's titans bullish on challengers to x86 in the datacenter and beyond
- US mulls retaliation for China blacklisting Micron without evidence of security threat
- The FBI as advanced persistent threat – and what to do about it
The firm's fearlessness in identifying APT attacks it believes are sponsored by the Chinese government is likely what eventually made TeamT5 a target.
And in the case of the fake news article, the threat actors did not give up. Within a week, a newswire published a fake press release, supposedly from security vendor Kaspersky, again alleging TeamT5 had conducted an offensive cyber-op against Japan's government.
This time, Kaspersky released a statement declaring it "had no connection" with the fake newsbyte – a pleasing example of collaboration among industry players.
TeamT5 can't count on similar collaboration at home because rival infosec outfits covet the talent it wants to hire.
Li sighed when El Reg asked about recruiting, and volunteered that cyber security firms in Taiwan compete for talent with government agencies and multinational corporations.
Taiwan's top tech companies take their fair share of computer science graduates and professionals from the pool as well, and they pay reasonably well.
In recent months, unexpected call-ups for national service due to increased geopolitical tensions have depleted the team.
China also complicates recruiting. Candidates need to be brave enough to take on roles with the potential to make them of interest to Beijing. Li worries that some candidates are already compromised: anyone who has recently visited the PRC may have had their personal devices altered.
Huang chimed in that in Taiwan, people often care too much or not at all about such threats. Because of the team's exposure in the industry, she said she and her colleagues often think the threat is more urgent than their peers do.
"For some, cyber security is like a magical thing," she offered.
But the Chinese threat is a double-edged sword. Without it, laughs the crew, the team wouldn't have any business. And business it has.
Taiwanese president Tsai Ing-wen is supportive – she has declared that cyber security is national security.
Life isn't easy when your home is in the news every day thanks to an adjacent superpower's belligerence.
TeamT5 is therefore focusing on its wins. Researcher Zih-Cing Liao (aka DuckLL) recently made a discovery, after noticing a vulnerability and following an attacker's footprints. That made him the rock star of the moment.
And what happens in the office when such a discovery is made?
"We just waste two hours watching DuckLL demonstrate on his laptop while the boss is silently watching," Huang told The Reg.
And in that moment of success, the satisfaction of a job well done means the cares of the world are forgotten. ®