Cyble-Taiwan-Cyberattacks

Pelosi’s Taiwan Visit Widens Taipei-Beijing Rift

Incites China’s Military Outrage in the South China Sea and Widespread Cyberattacks on Taiwan

Amidst strong opposition from the Chinese Communist Party, US House Speaker Nancy Pelosi visited Taiwan on August 2, 2022, to bolster US-Taiwan ties. The news of her visit kicked up a new diplomatic storm in the island nation, with China imposing new economic sanctions on Taipei and kicking off a military exercise in the Taiwan straits.

The visit also sparked a slew of cyberattacks on the Taiwanese public and private infrastructure that began the day after the confirmation of the Speaker’s visit on August 1, 2022.

The Taiwanese President’s website, along with the websites of the Ministry of Foreign Affairs, Ministry of National Defence, and Taiwan Taoyuan International Airport domains, were down intermittently due to Distributed Denial of Service (DDoS) attacks. Taiwanese TV broadcasts were hijacked, and a map of China was displayed, including Taiwan, with a patriotic Chinese song in the background.

Figure 1 – TV broadcast of Map of China, with Taiwan included

Figure 2 – Taiwanese officials confirm DDoS attack on Presidential Office website

In retaliation, the Chinese site for the Heilongjiang Provincial Federation of Social Sciences (hljskl.gov.cn) was hacked to display a pro-Taiwan message, shown below.

Figure 3 – Chinese website hacked by hacktivists

Cyberattacks On Taiwan And TA ’27 Attack’

On the morning of August 3, 2022, several display systems of departmental stores were hacked by unknown cybercriminals to telecast derogatory remarks protesting against Nancy Pelosi’s visit. The Xinzuoying Railway Station display systems were also hacked and displayed similar hate messages.

Figure 4 – Display systems in Departmental stores and Railway Terminal Hacked to display hate messages (Twitter @TISAtoromi)
Figure 5 – Taiwanese website defaced by hacktivist

On August 3, 2022, Threat Actor group ’27 Attack’ (Twitter handle @APT27_Attack), possibly China-backed, announced a “special cyber operation” on the Taiwanese government and infrastructure. The announcements were made on Twitter and YouTube.

The YouTube video contained an Anonymous-style talking head, text-to-speech narration, and subtitles in English and Mandarin. The stated motive was retaliation against Pelosi’s visit. The group claimed to have zero-days for several Taiwanese devices and referred to themselves as an APT (Advanced Persistent Threat), likely in an attempt to seem more intimidating and prestigious, although they have no known prior cybercrime activities.

Figure 6 – A still from the video of TA ‘27 Attack’ announcing the launch of cyber-attacks on Taiwan

The video garnered 41k views and 769 comments, mostly supporting the group’s initiative.

Another video was released on August 6, 2022, claiming that the group has successfully targeted the below Taiwanese institutions:

  • Taiwan Power Research Institute (TaiPower) (DDoS and source code leak)
  • The General Administration of Highways of the Ministry of Transportation (DDoS and leak)
  • Financial Information Service Co. Ltd (DDoS and source code leak)
  • The Police Administration of Taiwan’s Ministry of Interior (npa.gov.tw – unattributed DDoS)
  • The Presidential Office (president.gov.tw – unattributed DDoS)
  • Jinzhiyang Technology Co. Ltd.’s IoT devices and routers (alleged)
  • Shennao International Co. Ltd (alleged)

The video then goes on to threaten an attack on 200,000 Taiwanese-connected devices “if Taiwan continues to provoke, we will come back, good luck to Taiwan!”.

TA ’27 Attack’

Despite adopting the username APT27_Attack and introducing themselves initially as APT27 (see Figure 3 below), the group has denied any association with the state-backed Chinese group APT27 (AKA: TG-3390, Emissary Panda, BRONZE UNION, Iron Tiger, LuckyMouse). The disparity in the naming appears to be an intentional choice to confuse observers and generate further buzz.

Figure 7.1 – 27_Attack misdirection tactics
Figure 7.2 – 27_Attack misdirection tactics

After attacks on Taiwanese medical websites, the Chinese hacker group Hongke Alliance (AKA Honker/Red Hacker) which has been active since 1999 and has since splintered into several other subgroups, disassociated themselves from all cyberattacks in Taiwan, as seen in the figure below.

A similar denial was later issued by 27 Attack, which claimed not to target medical and non-profit organizations, as shown below.

Figure 8.1 – Hongke Alliance and 27_Attack deny attacks on medical websites
Figure 8.2 – Hongke Alliance and 27_Attack deny attacks on medical websites

The group claims that its members are from various countries and do not speak Chinese and shows a screenshot of them searching for a common response to their posts, “牛逼,” an expression used by Chinese users to indicate awe or admiration.

Figure 9 –  TA Group looking up a Chinese word on Quora

Alleged Attacks

Taiwan Power Research Institute (Taipower)

The TA group posted screenshots of the source code and claimed access to the state-owned Taiwan Power Company (Taipower) Nuclear Power Plant Evacuation Information Platform.

Figure 10 – Screenshot of the alleged leak

Upon closer inspection, the title of the page states “Taiwan Electric Support Power Plant News Soft Capital Test Platform”/” 台電扶電廠訊軟資試平台.” The website associated with this title ( taipower.com.tw) belongs to the Taiwan Power Research Institute.

The code shared by the TAs for this leak contains no sensitive information, which would have likely been dumped for greater impact.

There was an example configuration file that indicates the existence of some production and test databases on the website that the TA group may have had access to; however, these claims may be unsubstantiated.

Figure 11 – Backup configuration file

We found 19 open instances related to Taipower exposed online. Incidentally, the heat map indicating the exposed assets also happens to show the location of the company’s three operational nuclear power plants in Taiwan.  

Figure 12 – A map of exposed IPs related to Taipower

The General Administration Of Highways Of The Ministry Of Transportation

The group has posted a screenshot of what appears to be traffic monitoring data on Twitter. At the time of publishing this analysis, the Taiwanese Directorate General of Highways website (thb.gov.tw) was inaccessible. The last archive of the serviceable webpage as identified from the open source is August 3, 2022.

The data in Figure 14 shows the TA group using a regular expression to highlight Chinese characters. The data contains apparent license plate numbers likely collected by an OCR system connected to traffic cameras.

The license plate numbers in the sample match the format of Taiwanese license plates (three letters followed by four numbers for passenger cars since December 2012; and three numbers followed by two letters for tourist coaches since 2006). Each driver seems to be assigned an ID number, and route names are listed.

The posted sample appears to span 2017 to 2020, with potentially more dates before and after this period.

Our OSINT investigation of the Taiwanese Directorate General of Highways revealed 6 vulnerable instances.

Figure 13 – Traffic data sample posted by the TA

DAE Simple Demand Controller Vulnerability

The TA group also posted an alleged zero-day vulnerability in a power demand controller made by Taiwanese energy-management product manufacturer DAE Instrument.” This controller appears to be installed by Taipower in over 350,000 small and medium-scale enterprises, including supermarkets and small factories.

Figure 14 – DEMS Simple Demand Controller

Figure 15 – TA group Tweet announcing the vulnerability

The TA group shared a BurpSuite image of a request with a URL that allows unauthorized open access to DAE DEMS Simple Demand Controllers systems that cybercriminals could potentially exploit to control power output in Taiwanese households and industries.

Figure 16 – BurpSuite request showing user cookie and hardcoded admin/admin credentials

There are 5 open instances of DAE Instrument, identified through an online scanner, that may have been exploited by the attackers. The TA also claims to have access to 200,000 network devices which indicates that the TA might be exploiting IoT devices within the Taiwan Region, as the TA has also shared details of compromised DAE devices.

Financial Information Service Co. Ltd (FISC)

The landing page for the Taipei-based FinTech company is down at the time of publishing this report. Aside from the DDoS attack allegedly perpetrated by this group, some source code for the website from a git instance belonging to FISC was leaked.

However, this leak did not contain any Personally Identifiable Information or databases. Cyble Research Labs OSINT investigation for exposed FISC assets revealed 92 known assets with 3 vulnerable instances based on the application details and version number.

Figure 17 – Leaked source code of FISC.com.tw

Conclusion

This TA group is relatively new to the scene. No confirmed links to the previous Chinese APT group APT 27, have been drawn at the time of publication.

The group has proclaimed a political motive for the hacks and is likely to continue their cyberattacks if the tension between China and Taiwan continues to escalate. Analysis of TA claims indicates that the TAs are actively scanning and exploiting assets in the Taiwan region.

Cyble Research Labs will continue to monitor and study these hacktivism activities, including OT (Operational Technology) and ICS (Industrial Control Systems) attacks, which spill over to the real world.

Scroll to Top