UAT-5918: China-Linked APT Targets Critical Infrastructure in Taiwan

TL;DR

Cisco Talos identified UAT-5918, a threat actor targeting Taiwan’s critical infrastructure using web shells and open-source tools. The group, linked to China, exploits unpatched servers for long-term access and credential theft. Their tactics overlap with other Chinese APT groups, including Volt Typhoon and Flax Typhoon.

UAT-5918: A New Threat to Taiwan’s Critical Infrastructure

Cisco Talos has uncovered a sophisticated information-stealing threat actor, UAT-5918, active since 2023. This group employs web shells and open-source tools to maintain persistence and carry out credential theft, primarily targeting Taiwan’s critical sectors.

Targeted Sectors and Tactics

UAT-5918 focuses on Taiwan’s telecom, healthcare, IT, and critical infrastructure sectors. The group exploits N-day vulnerabilities in unpatched servers to gain long-term access. Their post-compromise activities include:

  • Reconnaissance and Credential Theft: Using open-source tools for network discovery and credential harvesting.
  • Persistence: Deploying web shells across subdomains and creating admin accounts.
  • Lateral Movement: Using tools like Mimikatz, FRP, and Impacket, as well as PowerShell remoting, for remote access across the network.

Researchers have linked UAT-5918 to China due to overlaps in tactics, techniques, and procedures (TTPs) with multiple Chinese APT groups, including:

  • Volt Typhoon: Known for living-off-the-land techniques and long-term access.
  • Flax Typhoon: Uses legitimate software to quietly access Taiwanese organizations.
  • Dalbit: Engages in targeted attacks against critical infrastructure.

The overlaps include the use of tools like FRP, Earthworm, and Impacket, as well as the absence of custom-made malware.

Unique Tooling and Persistence Mechanisms

UAT-5918 employs a mix of common and unique tools:

  • FRP and Neo-reGeorg: For establishing reverse proxy tunnels.
  • LaZagne, SNetCracker, and PortBrute: Tools not publicly linked to other groups, suggesting exclusive use.
  • Web Shells and JuicyPotato: Web shells are planted deep in system directories for persistence, and JuicyPotato is used for privilege escalation.

Data Exfiltration and Long-Term Access

The group maintains persistent access by:

  • Deploying ASP and PHP web shells.
  • Using JuicyPotato for privilege escalation.
  • Creating backdoored admin accounts.
  • Stealing credentials via Mimikatz, LaZagne, and registry dumps.
  • Pivoting within networks using RDP, Impacket, and brute-force tools.
  • Exfiltrating data, including confidential files and database backups, using SQLCMD.
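As a defender-side illustration of the access and exfiltration pattern listed above, here is an added Python example; it is not code from the Talos report or from this post. It correlates constructed, simplified Windows event records (account creation 4720, group membership change 4732, process creation 4688; the key=value field names are an assumption of this example, not a vendor schema) to flag a newly created account that is promptly made an administrator, credential-dumping command lines (SAM hive saves, Mimikatz module syntax, LaZagne), and SQLCMD output written into a web root, where a staged export is typically collected through a web shell. All host names, account names, paths and tool names in the sample are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real log data): one event per line, key=value
# fields. Account and host names are invented; the last event is a benign control.
SAMPLE_EVENTS = [
    r'2025-03-20T02:11:05Z host=web01 id=4720 subject=WEB01$ target=svc_backup',
    r'2025-03-20T02:11:07Z host=web01 id=4732 subject=WEB01$ group=Administrators member=svc_backup',
    r'2025-03-20T02:15:40Z host=web01 id=4688 user=svc_backup image=C:\Windows\System32\reg.exe cmdline="reg.exe save hklm\sam C:\Windows\Temp\sam.hiv"',
    r'2025-03-20T02:16:02Z host=web01 id=4688 user=svc_backup image=C:\Windows\Temp\m.exe cmdline="m.exe sekurlsa::logonpasswords"',
    r'2025-03-20T02:30:10Z host=db01 id=4688 user=svc_backup image="C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\SQLCMD.EXE" cmdline="sqlcmd -S db01 -E -i C:\Windows\Temp\q.sql -o C:\inetpub\wwwroot\img\c.txt"',
    r'2025-03-20T03:00:00Z host=db01 id=4688 user=dba image="C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\SQLCMD.EXE" cmdline="sqlcmd -S db01 -E -i C:\Jobs\nightly.sql"',
]

# key=value pairs; a value is either a double-quoted string or a run of non-spaces
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# A freshly created account that joins Administrators within this window is suspicious
ADMIN_WINDOW = timedelta(hours=24)

# Command-line signatures for the credential theft techniques named in the post.
# Matching on syntax (not the binary name) survives a renamed Mimikatz executable.
CRED_THEFT = [
    ("sam_hive_dump", re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|security|system)\b", re.I)),
    ("mimikatz_syntax", re.compile(r"\b(?:sekurlsa|lsadump)::", re.I)),
    ("lazagne", re.compile(r"\blazagne", re.I)),
]
# sqlcmd writing its result file (-o) somewhere under an IIS web root
SQLCMD_TO_WEBROOT = re.compile(r"\bsqlcmd(?:\.exe)?\b.*?\s-o\s+\S*(?:wwwroot|inetpub)", re.I)


def parse_event(line):
    """Turn one sample line into a dict; the leading token is the UTC timestamp."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["ts"] = datetime.strptime(line.split(" ", 1)[0], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def analyze(lines):
    """Return findings, in event order, for the TTPs described in the post."""
    created = {}        # (host, account) -> time of the 4720 creation event
    backdoored = set()  # account names that became admin right after creation
    findings = []
    for line in lines:
        ev = parse_event(line)
        host, eid = ev["host"], ev["id"]
        if eid == "4720":
            created[(host, ev["target"])] = ev["ts"]
        elif eid == "4732" and ev.get("group", "").lower() == "administrators":
            born = created.get((host, ev["member"]))
            if born is not None and ev["ts"] - born <= ADMIN_WINDOW:
                backdoored.add(ev["member"])
                findings.append({"rule": "new_account_made_admin", "host": host,
                                 "account": ev["member"], "ts": ev["ts"], "severity": "high"})
        elif eid == "4688":
            cmd, user = ev.get("cmdline", ""), ev.get("user", "")
            hits = [name for name, pat in CRED_THEFT if pat.search(cmd)]
            if SQLCMD_TO_WEBROOT.search(cmd):
                hits.append("sqlcmd_output_in_webroot")
            for name in hits:
                findings.append({
                    "rule": name, "host": host, "account": user, "ts": ev["ts"],
                    # the same backdoored account name reused on another host is the pivot
                    "severity": "critical" if user in backdoored else "high",
                })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['ts']:%Y-%m-%d %H:%M} {f['host']:<6} {f['rule']:<26} "
              f"account={f['account']} severity={f['severity']}")
```

The last sample line (a scheduled `sqlcmd -i` job with no `-o` to a web root) produces no finding, which is the point of matching on where the output lands rather than on the use of SQLCMD itself; in a real deployment the account correlation would key on SIDs and the web-root list would come from the IIS configuration rather than two hard-coded path fragments.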

Indicators of Compromise (IOCs)

Talos researchers have published IOCs on their GitHub repository for further analysis and defense.

Conclusion

UAT-5918 represents a significant threat to Taiwan’s critical infrastructure, employing sophisticated tactics and tools to maintain long-term access. The overlaps with other Chinese APT groups highlight the need for enhanced cybersecurity measures to protect against such persistent threats.

Additional Resources

For more details, visit the full article: source

This post is licensed under CC BY 4.0 by the author.