Full Report
A relatively new ransomware operation named 'Sarcoma' has claimed responsibility for an attack against the Unimicron printed circuit boards (PCB) maker in Taiwan. [...]
Analysis Summary
# Incident Report: Sarcoma Ransomware Attack on Unimicron
## Executive Summary
The global printed circuit board (PCB) manufacturer Unimicron suffered a ransomware attack attributed to the Sarcoma group, beginning around January 30, 2025, which primarily disrupted operations at its China-based subsidiary, Unimicron Technology (Shenzhen) Corp. Unimicron confirmed the operational disruption but did not immediately confirm data exfiltration; the attackers later posted what appeared to be authentic samples of stolen data on their extortion portal. In response, Unimicron engaged an external forensic team to analyze the incident and implement defense measures.
## Incident Details
- **Discovery Date:** February 1, 2025 (Date of public disclosure via TWSE bulletin)
- **Incident Date:** January 30, 2025 (date the attack occurred and disruption began)
- **Affected Organization:** Unimicron Technology (Shenzhen) Corp. (China subsidiary of Unimicron)
- **Sector:** Electronics Manufacturing (PCB Production)
- **Geography:** China (Shenzhen)
## Timeline of Events
### Initial Access
- **Date/Time:** On or before January 30, 2025
- **Vector:** Phishing emails and exploitation of n-day vulnerabilities are the initial access methods attributed to Sarcoma. Supply chain attacks against service vendors, leading to compromise of those vendors' clients, are also noted as a characteristic tactic of the group.
- **Details:** The specific entry point used against Unimicron is not detailed; the vectors above reflect Sarcoma's general methodology.
### Lateral Movement
- **Date/Time:** After initial access, leading up to January 30, 2025
- **Vector:** Exploitation of Remote Desktop Protocol (RDP) followed by lateral movement across the network is described as standard post-compromise activity for the Sarcoma group.
- **Details:** Internal reconnaissance and lateral movement were conducted after initial entry.
### Data Exfiltration/Impact
- **Date/Time:** January 30, 2025 onwards
- **Vector:** The ransomware gang claimed to have exfiltrated data; samples were reportedly leaked on its extortion portal.
- **Details:** The attack caused operational disruption for Unimicron Technology (Shenzhen) Corp.
### Detection & Response
- **Date/Time:** Disruption reported on February 1, 2025 (via TWSE)
- **Vector:** Incident response activities were initiated after the disruption was noted.
- **Details:** Unimicron engaged an external cyber forensic team to analyze the incident and implement enhanced defense measures.
## Attack Methodology
- **Initial Access:** Phishing emails, exploitation of n-day vulnerabilities, supply chain attacks targeting service vendors.
- **Persistence:** Not explicitly detailed, but implied by subsequent stages.
- **Privilege Escalation:** Not explicitly detailed.
- **Defense Evasion:** Not explicitly detailed.
- **Credential Access:** Not explicitly detailed.
- **Discovery:** Implied as part of post-compromise activity.
- **Lateral Movement:** RDP exploitation, general lateral movement.
- **Collection:** Data was collected following lateral movement, ahead of exfiltration.
- **Exfiltration:** Data was stolen before encryption; the specific exfiltration methods are not detailed.
- **Impact:** Ransomware encryption leading to operational disruption.
## Impact Assessment
- **Financial:** Not disclosed (forensic costs incurred).
- **Data Breach:** Unimicron did not confirm a data breach, but samples of exfiltrated data were allegedly posted online by Sarcoma.
- **Operational:** Disruption occurred at the China-based subsidiary, Unimicron Technology (Shenzhen) Corp.
- **Reputational:** Public reports surfaced following the company's regulatory filing.
## Indicators of Compromise
*Note: No specific IoCs were provided in the source text.*
- **Network indicators:** N/A
- **File indicators:** N/A
- **Behavioral indicators:** N/A
## Response Actions
- **Containment Measures:** Not specifically detailed, though containment would have been required to halt further encryption and data loss.
- **Eradication Steps:** Forensic analysis is underway; defense measures were implemented with external help.
- **Recovery Actions:** Not detailed beyond the goal of restoring the systems affected by the disruption.
## Lessons Learned
- **Key Takeaways:** The Sarcoma group is a rapidly emerging, high-volume threat actor showing aggressive tactics, active since October 2024 and already noted as a significant threat to industrial organizations.
- **What could have been done better:** Greater vigilance against common initial access vectors such as phishing, and faster patching of the n-day vulnerabilities that Sarcoma is known to exploit.
## Recommendations
- **Prevention measures for similar incidents:** Implement robust email filtering and security awareness training to counter phishing. Establish rigorous vulnerability management practices focusing on mitigating newly identified (n-day) vulnerabilities promptly. Review and secure RDP configurations across the environment. Review supply chain vendor access protocols.