
Taiwanese web hosting providers under covert cyberattack by Chinese APT group

Cisco's Talos division detected a newly emerged hacker group performing malicious actions against a Taiwanese web hosting provider.

Cybercriminals aligned with Chinese APT identify web hosting services in Taiwan as their latest target of attack


In 2022, a new and concerning player emerged in the digital landscape: a Chinese Advanced Persistent Threat (APT) group known as UAT-7237. The group, active since that year began, is believed to be a subgroup of UAT-5918.

UAT-7237 has been using the SoftEther VPN client to maintain persistence and gain access to systems via the remote desktop protocol (RDP). This two-year-old group has demonstrated a particular interest in infiltrating VPN and cloud infrastructure, as seen in the case of a compromised Taiwanese web hosting provider.

The compromised web hosting provider is just one example of the malicious activities UAT-7237 is capable of. The group is known for conducting reconnaissance, extracting credentials, and setting up backdoored access.

The cyber threats posed by UAT-7237 have been a significant concern, with most of these attacks attributed to Chinese state-backed hackers. In fact, the National Security Bureau of Taiwan reported a significant rise in cyber-attacks targeting critical infrastructure in 2024, including telecoms, transportation, and government networks.

Interestingly, another Chinese APT group, Evasive Panda, was identified by ESET in a 2024 report. This group was using a sophisticated toolset named CloudScout to extract cloud-based data from Taiwanese organizations.

The methods used by UAT-7237 are not limited to sophisticated tools. The group primarily relies on open-source tools, including a customized shellcode loader tracked as 'SoundBill'. This approach helps UAT-7237 evade detection while conducting malicious activities inside the compromised enterprise.

In a bid to heighten cybersecurity awareness, Taiwanese citizens were warned about Chinese-made apps posing significant cybersecurity risks, including sending personal data to servers in China.

Meanwhile, another Chinese APT group, APT10, has made unsuccessful attempts since 2022 to attack a VPN and cloud provider in Taiwan. The group used methods such as spear-phishing, exploitation of CVE-2022-26134 in Atlassian Confluence, and deployment of tools like PlugX and Cobalt Strike.

Despite these attempts, it is UAT-7237 that has been making headlines for its persistent and targeted attacks on Taiwanese web infrastructure providers. The cybersecurity community continues to monitor the activities of this group, aiming to protect digital assets and maintain the integrity of the internet.
