Taiwanese cybersecurity firm CyCraft attributed months-long attacks against Taiwan’s financial sector to the APT10 group (aka Stone Panda or Bronze Riverside), which is affiliated with the Chinese government. The campaign—Operation Cache Panda—was launched in November last year and peaked in February.
Diving into details
APT10 is a Chinese state-sponsored threat actor believed to be connected with the Ministry of State Security (MSS), the Chinese intelligence agency.
The initial attacks were caused by password mismanagement.
The second wave of attacks, in February, involved abusing a severe flaw in a widely used piece of financial software, combined with Reflective Code Loading, a new technique.
The adversary deployed a web shell to deliver Quasar RAT to target systems. The RAT is an open-source tool that can capture screenshots, edit the registry, record from the webcam, steal passwords, and log keystrokes.
More details on the campaign
On November 25, 2021, several securities traders and financial institutions in Taiwan suspended online transactions after a cyberattack placed large, unusual purchases of Hong Kong stocks on customer trading accounts.
IR investigations revealed that the attacks were caused by password mismanagement and credential stuffing.
An investigation following the attacks in mid-February revealed that the attacks were not the result of credential stuffing; the evidence pointing to credential stuffing had been left behind by the APT10 gang as a smokescreen.
Instead, the attacks stemmed from a supply chain attack against a particular financial software product.
Furthermore, the November and February attacks were found to be a single prolonged campaign rather than two disparate incidents.
Why this matters
The aim of the attack was not to gain financial information but to exfiltrate brokerage information and personally identifiable information (PII), as well as to disrupt investments while Taiwan is undergoing economic growth.
The bottom line
This campaign does not come as a surprise, since Chinese cyberespionage groups have had their eyes on Taiwan for years and have consistently battered every sector of the country. China-affiliated hackers have been observed using smokescreens to disrupt and derail investigations into cyberattacks. Operation Cache Panda again highlights the need to secure supply chains and to patch software vulnerabilities promptly.