Incites China’s Military Outrage in the South China Sea and Widespread Cyberattacks on Taiwan
Amidst strong opposition from the Chinese Communist Party, US House Speaker Nancy Pelosi visited Taiwan on August 2, 2022, to bolster US-Taiwan ties. The news of her visit kicked up a new diplomatic storm, with China imposing new economic sanctions on Taipei and kicking off military exercises in the Taiwan Strait.
The visit also sparked a slew of cyberattacks on Taiwanese public and private infrastructure, beginning the day after the Speaker’s visit was confirmed on August 1, 2022.
The Taiwanese President’s website, along with the websites of the Ministry of Foreign Affairs, the Ministry of National Defence, and Taiwan Taoyuan International Airport, was down intermittently due to Distributed Denial of Service (DDoS) attacks. Taiwanese TV broadcasts were hijacked to display a map of China that included Taiwan, with a patriotic Chinese song playing in the background.
In retaliation, the Chinese site for the Heilongjiang Provincial Federation of Social Sciences (hljskl.gov.cn) was hacked to display a pro-Taiwan message, shown below.
Cyberattacks On Taiwan And TA ’27 Attack’
On the morning of August 3, 2022, the display systems of several department stores were hacked by unknown cybercriminals to show derogatory remarks protesting Nancy Pelosi’s visit. The display systems at Xinzuoying Railway Station were also hacked and showed similar hate messages.
On August 3, 2022, Threat Actor group ’27 Attack’ (Twitter handle @APT27_Attack), possibly China-backed, announced a “special cyber operation” on the Taiwanese government and infrastructure. The announcements were made on Twitter and YouTube.
The YouTube video contained an Anonymous-style talking head, text-to-speech narration, and subtitles in English and Mandarin. The stated motive was retaliation against Pelosi’s visit. The group claimed to have zero-days for several Taiwanese devices and referred to themselves as an APT (Advanced Persistent Threat), likely in an attempt to seem more intimidating and prestigious, although they have no known prior cybercrime activities.
The video garnered 41k views and 769 comments, mostly supporting the group’s initiative.
Another video was released on August 6, 2022, claiming that the group had successfully targeted the following Taiwanese institutions:
- Taiwan Power Research Institute (Taipower) (DDoS and source code leak)
- The General Administration of Highways of the Ministry of Transportation (DDoS and leak)
- Financial Information Service Co. Ltd (DDoS and source code leak)
- The Police Administration of Taiwan’s Ministry of Interior (npa.gov.tw – unattributed DDoS)
- The Presidential Office (president.gov.tw – unattributed DDoS)
- Jinzhiyang Technology Co. Ltd.’s IoT devices and routers (alleged)
- Shennao International Co. Ltd (alleged)
The video then threatens an attack on 200,000 Taiwan-connected devices: “if Taiwan continues to provoke, we will come back, good luck to Taiwan!”
TA ’27 Attack’
Despite adopting the username APT27_Attack and introducing themselves initially as APT27 (see Figure 3 below), the group has denied any association with the state-backed Chinese group APT27 (AKA: TG-3390, Emissary Panda, BRONZE UNION, Iron Tiger, LuckyMouse). The disparity in the naming appears to be an intentional choice to confuse observers and generate further buzz.
After attacks on Taiwanese medical websites, the Chinese hacker group Hongke Alliance (AKA Honker/Red Hacker), which has been active since 1999 and has since splintered into several subgroups, disassociated itself from all cyberattacks on Taiwan, as seen in the figure below.
A similar denial was later issued by 27 Attack, which claimed not to target medical and non-profit organizations, as shown below.
The group claims that its members are from various countries and do not speak Chinese, and shows a screenshot of them looking up the meaning of a common response to their posts, “牛逼,” an expression used by Chinese speakers to express awe or admiration.
Taiwan Power Research Institute (Taipower)
The TA group posted screenshots of source code and claimed access to the Nuclear Power Plant Evacuation Information Platform of the state-owned Taiwan Power Company (Taipower).
Upon closer inspection, the title of the page reads “Taiwan Electric Support Power Plant News Soft Capital Test Platform” / “台電扶電廠訊軟資試平台.” The website associated with this title (taipower.com.tw) belongs to the Taiwan Power Research Institute.
The code shared by the TAs for this leak contains no sensitive information; had any been available, it would likely have been dumped for greater impact.
An example configuration file in the leak indicates that the site has production and test databases, which the TA group may have had access to; however, that claim remains unsubstantiated.
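When triaging a claimed source-code leak like this one, the first question is whether the dumped config files carry live credentials or only placeholders, and what infrastructure they reveal even when no credential leaks. The following Python script is an added example written for this page; it is not code from the leak or from the threat actor, and the INI-style config it parses is constructed here (the hosts and values are invented, not taken from the Taipower material):

```python
import re

# Constructed sample config in the style of what a leaked repository might contain.
# Every value below is invented for this example.
SAMPLE_CONFIG = """\
[production]
db_host = db-prod.internal
db_user = app
db_password = CHANGEME

[test]
db_host = db-test.internal
db_user = app
db_password = Sup3rS3cret!2022
api_key = ${API_KEY}
"""

# Values that are clearly not real secrets: placeholders, env-var references, empty.
PLACEHOLDER = re.compile(r"^(changeme|password|example|xxx+|todo|<.*>|\$\{.*\}|\s*)$", re.I)
# Key names that usually hold credentials.
SENSITIVE_KEYS = re.compile(r"(passw(or)?d|secret|token|api_?key|private_?key)", re.I)


def parse_ini(text):
    """Return {section: {key: value}} for a minimal INI-style file."""
    sections, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections


def triage(text):
    """Classify credential-looking keys as 'placeholder' or 'live', per section.

    Also record which sections name a database host: a leaked config that names
    prod and test DB hosts tells an attacker where to look next even if every
    credential in it is a placeholder.
    """
    result = {"hosts": {}, "live": [], "placeholder": []}
    for section, kv in parse_ini(text).items():
        for key, value in kv.items():
            if key.endswith("host"):
                result["hosts"][section] = value
            if SENSITIVE_KEYS.search(key):
                bucket = "placeholder" if PLACEHOLDER.match(value) else "live"
                result[bucket].append((section, key))
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_CONFIG)
    print("DB hosts named:", report["hosts"])
    print("Live-looking credentials:", report["live"])
    print("Placeholders only:", report["placeholder"])
```

In the constructed sample, the production password is a placeholder while the test section holds a value that looks live, which is the pattern to expect when a test-platform repository is what actually leaked. The placeholder regex is deliberately conservative; anything it does not recognise is treated as live so that a real secret is never silently discounted.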
We found 19 open instances related to Taipower exposed online. Incidentally, the heat map indicating the exposed assets also happens to show the location of the company’s three operational nuclear power plants in Taiwan.
The General Administration Of Highways Of The Ministry Of Transportation
The group posted a screenshot of what appears to be traffic monitoring data on Twitter. At the time of publishing this analysis, the website of the Taiwanese Directorate General of Highways (thb.gov.tw) was inaccessible. The last archived copy of the working page identified from open sources is dated August 3, 2022.
The data in Figure 14 shows the TA group using a regular expression to highlight Chinese characters. The data contains what appear to be license plate numbers, likely collected by an OCR system connected to traffic cameras.
The license plate numbers in the sample match the format of Taiwanese license plates (three letters followed by four digits for passenger cars since December 2012; three digits followed by two letters for tourist coaches since 2006). Each driver appears to be assigned an ID number, and route names are listed.
The posted sample appears to span 2017 to 2020, with potentially more dates before and after this period.
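A quick way to sanity-check a sample like this is to run the same kind of checks the analysis above describes by hand: flag rows carrying Chinese characters with a CJK regex, and test each plate against the two formats the page names. The script below is an added example written for this page, not the threat actor’s regex or any code from the leak. The rows are constructed (invented plates, driver IDs and route names), the column order is assumed, and the hyphen in the plate is treated as optional on the assumption that OCR output may omit it.

```python
import re

# Constructed sample rows (plate, driver id, route). Values are invented for this
# example and are not taken from the posted screenshot.
SAMPLE_ROWS = [
    "ABC-1234,D0001,國道一號",
    "123-AB,D0002,台9線",
    "AB-1234,D0003,國道三號",    # two letters + four digits: not a format named on the page
    "ABC-12345,D0004,unknown",   # matches no known format
]

# The two formats the page names; the hyphen is optional (assumption: OCR may drop it).
PASSENGER_2012 = re.compile(r"^[A-Z]{3}-?\d{4}$")  # three letters, four digits
COACH_2006 = re.compile(r"^\d{3}-?[A-Z]{2}$")      # three digits, two letters
# CJK Unified Ideographs block; enough to catch Chinese route names.
CJK = re.compile(r"[\u4e00-\u9fff]+")


def classify_plate(plate):
    """Map a plate string to one of the formats named on the page, or 'unknown'."""
    if PASSENGER_2012.match(plate):
        return "passenger-2012"
    if COACH_2006.match(plate):
        return "coach-2006"
    return "unknown"


def triage_rows(rows):
    """Per row: plate, its format class, whether the route carries Chinese text."""
    out = []
    for row in rows:
        plate, driver_id, route = row.split(",", 2)
        out.append({
            "plate": plate,
            "format": classify_plate(plate),
            "driver_id": driver_id,
            "has_cjk": bool(CJK.search(route)),
        })
    return out


def format_summary(rows):
    """Count rows per plate format. A sample that is mostly 'unknown' is a sign
    the data is not what it is claimed to be (or not from Taiwanese cameras)."""
    counts = {}
    for r in triage_rows(rows):
        counts[r["format"]] = counts.get(r["format"], 0) + 1
    return counts


if __name__ == "__main__":
    for r in triage_rows(SAMPLE_ROWS):
        print(r)
    print(format_summary(SAMPLE_ROWS))
```

The point of the summary count is that a genuine export from a plate-recognition system should be dominated by the formats in circulation; a high share of rows that match nothing is a reason to doubt the leak before treating it as confirmed.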
Our OSINT investigation of the Taiwanese Directorate General of Highways revealed 6 vulnerable instances.
DAE Simple Demand Controller Vulnerability
The TA group also posted an alleged zero-day vulnerability in a power demand controller made by Taiwanese energy-management product manufacturer “DAE Instrument.” This controller appears to be installed by Taipower in over 350,000 small and medium-scale enterprises, including supermarkets and small factories.
The TA group shared a Burp Suite screenshot of a request to a URL that allows unauthenticated access to DAE DEMS Simple Demand Controller systems, which cybercriminals could potentially exploit to control power demand at Taiwanese households and businesses.
Five exposed DAE Instrument instances, identified through an online scanner, may have been exploited by the attackers. The TA also claims access to 200,000 network devices, which, together with the details it has shared of compromised DAE devices, suggests the group is exploiting IoT devices within Taiwan.
Financial Information Service Co. Ltd (FISC)
The landing page of the Taipei-based FinTech company was down at the time of publishing this report. Aside from the DDoS attack allegedly perpetrated by this group, some source code for the website was leaked from a Git instance belonging to FISC.
However, this leak did not contain any Personally Identifiable Information (PII) or databases. Cyble Research Labs’ OSINT investigation of exposed FISC assets revealed 92 known assets, 3 of which appear vulnerable based on application details and version numbers.
This TA group is relatively new to the scene. No confirmed links to the Chinese state-backed group APT27 had been established at the time of publication.
The group has proclaimed a political motive for the hacks and is likely to continue its cyberattacks if tensions between China and Taiwan continue to escalate. Analysis of the TA’s claims indicates that the group is actively scanning and exploiting assets in Taiwan.
Cyble Research Labs will continue to monitor and study these hacktivism activities, including OT (Operational Technology) and ICS (Industrial Control Systems) attacks, which spill over to the real world.