Chinese hackers target Taiwanese Opposition Party and media

Security experts at FireEye have uncovered a spear phishing campaign run by Chinese hackers that is targeting Taiwan’s opposition party and media ahead of the vote in January.

According to FireEye, a group of Chinese hackers is targeting Taiwan’s opposition party as well as journalists, security experts and officials. The attacks are occurring just weeks before a Taiwanese presidential election.

The hackers are trying to compromise Taiwanese news organizations for intelligence purposes and to obtain election-related information.

“Between November 26, 2015, and December 1, 2015, known and suspected China-based APT groups launched several spear phishing attacks targeting Japanese and Taiwanese organizations in the high-tech, government services, media and financial services industries. Each campaign delivered a malicious Microsoft Word document exploiting the aforementioned EPS dict copy use-after-free vulnerability, and the local Windows privilege escalation vulnerability CVE-2015-1701. The successful exploitation of both vulnerabilities led to the delivery of either a downloader that we refer to as IRONHALO, or a backdoor that we refer to as ELMER.” states the report published by FireEye.
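The FireEye report above describes the delivery vector as a Word document carrying an EPS object. A defender triaging such attachments can at least surface the presence of EPS (PostScript) parts inside an OOXML container before the file reaches a user. The script below is an added example written for this page; it is not FireEye's tooling and it does not detect the use-after-free itself. It assumes only the standard OOXML zip layout and two well-known PostScript signatures (the ASCII `%!PS` prefix and the DOS EPS binary header `C5 D0 D3 C6`); legacy OLE2 `.doc` files are reported as out of scope rather than parsed. The sample documents are constructed in memory for the demo.

```python
import io
import zipfile

# Signatures that identify PostScript/EPS content regardless of the part's extension.
EPS_TEXT_MAGIC = b"%!PS"                # start of an ASCII (E)PS file
EPS_DOS_MAGIC = b"\xc5\xd0\xd3\xc6"     # DOS EPS binary header (preview wrapper)
EPS_EXTENSIONS = (".eps", ".ps")


def looks_like_eps(name, data):
    """True if a part's name or its leading bytes indicate EPS/PostScript content."""
    if name.lower().endswith(EPS_EXTENSIONS):
        return True
    head = data[:16]
    return head.startswith(EPS_DOS_MAGIC) or head.lstrip().startswith(EPS_TEXT_MAGIC)


def find_eps_parts(doc_bytes):
    """Return the names of OOXML parts that carry EPS, or None if the input is not an OOXML zip."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(doc_bytes))
    except zipfile.BadZipFile:
        return None  # e.g. a legacy OLE2 .doc; out of scope for this heuristic
    with zf:
        return [info.filename for info in zf.infolist()
                if looks_like_eps(info.filename, zf.read(info.filename))]


def triage(doc_bytes):
    """Classify an attachment as 'not-ooxml', 'clean', or 'review' (with the offending parts)."""
    parts = find_eps_parts(doc_bytes)
    if parts is None:
        return {"verdict": "not-ooxml", "eps_parts": []}
    return {"verdict": "review" if parts else "clean", "eps_parts": parts}


def build_sample_docx(media):
    """Constructed minimal OOXML container for the demo (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        for name, data in media.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a benign PNG-bearing document, one with an ASCII EPS part,
# one where EPS hides behind an innocuous extension, and a non-OOXML (OLE2) header.
BENIGN_DOCX = build_sample_docx({"word/media/image1.png": b"\x89PNG\r\n\x1a\n"})
EPS_DOCX = build_sample_docx({"word/media/image1.eps": b"%!PS-Adobe-3.0 EPSF-3.0\n"})
RENAMED_DOCX = build_sample_docx({"word/media/image1.bin": EPS_DOS_MAGIC + b"\x00" * 26})
LEGACY_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56   # OLE2 magic, not a zip

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN_DOCX), ("eps", EPS_DOCX),
                          ("renamed", RENAMED_DOCX), ("legacy", LEGACY_DOC)]:
        print(label, triage(sample))
```

The extension check alone is not enough, because a part can be renamed; the magic-byte check catches that case (the `RENAMED_DOCX` sample). A "review" verdict is a triage signal for sandboxing or analyst attention, not proof of exploitation, since EPS graphics also occur in legitimate documents.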

The representatives of the main opposition Democratic Progressive Party (DPP) appear to be favored by voters at the expense of the rival party, whose politics are closer to the Chinese Government.

In the past, Taiwanese government websites were constantly under attack from China; now experts at FireEye have identified a nation-state actor running a spear phishing campaign against Taiwanese journalists, with emails sent earlier this month whose subject line reads “DPP’s Contact Information Update”.

“Each phishing message contained the same malicious Microsoft Word attachment. The malicious attachment resembled an article hosted on a legitimate Japanese defense-related website, as both discussed national defense topics and carried the same byline. The lure documents also used the Japanese calendar, as indicated by the 27th year in the Heisei period. This demonstrates that the threat actors understand conventional Japanese date notation.”

In March, the DPP’s website was brought down and remained offline for at least four days; in that case too, experts blamed Chinese hackers.

“We often received fake emails pretending to come from our colleagues, asking us to click some links or download some documents,” said Ketty Chen, deputy director of the DPP’s international affairs department.

Analyzing the TTPs of the threat actors, the experts at FireEye confirmed the Chinese origin of the threat and its intention to gather information relating to the upcoming election.

“Given the timing of these attacks, the reporters targeted, and the information used as a lure, it is possible that the attackers are seeking information relating to the upcoming election and about the DPP in particular,” Bryce Boland, chief technology officer for Asia Pacific at FireEye, told Agence France-Presse.

It is a state of emergency in Taiwan, and in particular for the Democratic Progressive Party, whose politicians are a privileged target for alleged state-sponsored hackers.

A DPP official working for the cyber security of the Party, speaking on condition of anonymity, revealed that the organization is “constantly on guard” and conducts regular Internet security training for its staff.


Pierluigi Paganini

(Security Affairs – Chinese hackers , cyber espionage)

