A cyber-espionage campaign in the Pacific, directed principally at Taiwan and carried out in the spring of 2023, has now come to light. According to cybersecurity company Symantec, a large-scale program of cyber-enabled international espionage began in February 2023 and continued until at least May 2023.
The chief targets of the campaign were Taiwanese organizations in critical sectors, leading to the conclusion that the hackers were politically rather than financially motivated. This type of Advanced Persistent Threat (APT) is used to gather information and data rather than for financial theft or extortion, the usual modus operandi of skilled cyber-criminals. APT groups, often under the control of an aggressive foreign power, also use this form of unobserved infiltration to install “sleeper” malware that can be activated at a later date.
“The sectors the victims operate in – manufacturing, IT, biomedical, and government – are also sectors that are most likely to be targeted for intelligence gathering rather than for financial reasons,” says Symantec.
The campaign also hit a government agency in the Pacific Islands, organizations in Vietnam and some in the US. All the countries targeted by the carefully planned and professionally executed cyber-espionage campaign therefore appear to be those opposing China’s hostile program of expansion in the South China Sea. The US has long opposed an aggressive takeover of the independent country of Taiwan, which the Chinese Communist Party (CCP) still regards as part of mainland China. Taiwan feels highly threatened by China, is constantly preparing for a Chinese invasion and looks to the US for support. With a history of Chinese domination and armed conflict stretching back more than a thousand years, Vietnam and China are traditional foes.
Aptly named “Havoc” crucial to cyber-espionage
According to Symantec, the attackers, whom Symantec has named “Grayling”, take various actions once they gain initial access to victims’ computers, including escalating privileges, scanning the network, and using downloaders to pull in further tools, both to steal privileged information and potentially to install malicious software for future use. Those tools include the aptly named “Havoc”, which is not a single piece of malware but an open-source post-exploitation command-and-control (C2) framework made public in late 2022: it provides a remote implant for compromised machines and a team server from which operators control them. The operator software runs on Windows, Linux and macOS, while the implant it deploys targets Windows hosts. Because it is freely available and much newer than the long-established Cobalt Strike, defences tuned to the older tool are less likely to flag it, which is why it has quickly become attractive to skilled, state-aligned espionage actors.
But Havoc is not only a means of sitting secretly inside an organization’s systems and gradually siphoning out crucial information; it is also capable of downloading other, more destructive payloads that could potentially sit within a system for months before being remotely triggered by the attackers. This could then be used to create social and economic disruption timed to coincide with a naval or military incursion. While Symantec is careful not to name China as the potential aggressor behind the Grayling attacks, the logical finger of blame still points firmly at the Chinese Communist Party (CCP).
“We have not been able to definitively link Grayling to a specific geography, but the heavy targeting of Taiwanese organizations does indicate that they likely operate from a region with a strategic interest in Taiwan,” says Symantec.
But Western security sources close to the situation now regard the attacks as evidence of the escalating likelihood of a Chinese incursion into the disputed territory of Taiwan, with the threat becoming even more imminent as the ongoing wars in Ukraine and Israel turn the West’s attention and resources away from the South China Sea and closer to home.