Full Report
Cisco Talos discovered a malicious campaign tracked under the UAT-5918 umbrella, which has been active since at least...

The post UAT-5918 APT group targets Taiwan critical infrastructure, possible linkage to Volt Typhoon appeared first on Industrial Cyber.
Analysis Summary
# Threat Actor: UAT-5918
## Attribution & Identity
The threat actor is tracked under the UAT-5918 umbrella. Its post-compromise activity, TTPs, and victimology overlap significantly with those of known APTs including **Volt Typhoon**, **Flax Typhoon**, **Earth Estries**, and **Dalbit**. The article suggests that UAT-5918's operations align with the strategic goals of these groups, some of which are assessed to be PRC (People's Republic of China) state-sponsored.
## Activity Summary
UAT-5918 is an Advanced Persistent Threat (APT) group that has been active since at least 2023. Its primary goal is establishing **long-term access for information theft and credential harvesting**. Initial access is typically gained by exploiting N-day vulnerabilities in unpatched, internet-exposed web and application servers. Post-compromise activity is largely hands-on-keyboard and aims for stealth and persistence: the actor deploys web shells on the victim's discovered sub-domains and other internet-accessible servers so that it retains multiple points of re-entry if one is found and removed.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploiting N-day vulnerabilities in unpatched web/application servers.
- **Persistence:** Deployment of web shells on internet-facing hosts (e.g., the Chopper web shell, an overlap with Flax Typhoon tooling).
- **Discovery/Reconnaissance:** Manual network reconnaissance with open-source scanners such as FScan and In-Swor, alongside built-in utilities (Ping) and commands that gather system information such as drives and partitions.
- **Credential Access:** Harvesting credentials by dumping registry hives and the NTDS database, and by running tools such as **Mimikatz**, **LaZagne**, and browser credential extractors.
- **Lateral Movement:** Performed via RDP, remote command execution through WMIC or PowerShell remoting, or Impacket tooling.
- **Command and Control (C2):** Establishing control channels and tunnels with open-source tools such as **frp** (the frpc client), **Earthworm**, and **Neo-reGeorg**, resembling techniques used by Tropic Trooper.
- **Action on Objectives:** Enumerating local and shared drives, and collecting confidential documents, database exports, and configuration files. In one instance the actor used `SQLCMD.exe` to create a database backup and exfiltrate it.
- **Monitoring:** Using NirSoft's **CurrPorts** and Sysinternals' **TCPView** to watch active connections on compromised hosts.
- **Absence of Custom Malware:** Operations rely heavily on open-source and legitimate system tools.
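Because the actor leans on public tools and built-in commands rather than custom malware, the most reliable signal is the command lines those tools leave in process-creation telemetry (Sysmon Event ID 1 or Windows 4688). The script below is an added example of that hunting logic; it is not code from Cisco Talos or the Industrial Cyber post. The event records are constructed to resemble process-creation fields, the host names and paths are assumptions, and the patterns are written from the tool names and commands listed above (the ATT&CK technique IDs are the standard ones for those behaviours).

```python
"""
Hunt process-creation events for the post-compromise tooling listed above:
registry hive / NTDS dumping, credential dumpers, open-source tunnelers,
scanners, sqlcmd backups, and web-server workers spawning shells.
Added example; event records below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    image: str          # full path of the started executable
    cmdline: str        # full command line
    parent_image: str   # full path of the parent process


# (rule name, ATT&CK technique, case-insensitive regex over "image cmdline")
RULES = [
    ("registry hive dump", "T1003.002",
     re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b", re.I)),
    ("ntds.dit extraction", "T1003.003",
     re.compile(r"ntdsutil.*\bifm\b|vssadmin\s+create\s+shadow|ntds\.dit", re.I)),
    ("credential dumping tool", "T1003",
     re.compile(r"\b(mimikatz|lazagne|procdump)\b|sekurlsa::|lsadump::", re.I)),
    ("open-source tunneler / proxy", "T1572",
     re.compile(r"\b(frpc|frps|earthworm|neo-?regeorg)\b"
                r"|\bew(?:\.exe)?\s+-s\s+(rcsocks|rssocks|ssocksd|lcx_\w+)\b", re.I)),
    ("network scanner", "T1046",
     re.compile(r"\b(fscan|in-?swor)\b", re.I)),
    ("database backup via sqlcmd", "T1005",
     re.compile(r"sqlcmd.*backup\s+database", re.I)),
]

# A web-server worker spawning a shell is the structural web-shell signal.
WEB_SERVER_IMAGES = ("w3wp.exe", "httpd.exe", "nginx.exe", "tomcat", "java.exe", "php-cgi.exe")
SHELL_IMAGES = ("cmd.exe", "powershell.exe", "pwsh.exe", "whoami.exe", "net.exe")


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def match_event(ev):
    """Return the list of (rule, technique) hits for one event."""
    hits = []
    hay = f"{ev.image} {ev.cmdline}"
    for name, tech, rx in RULES:
        if rx.search(hay):
            hits.append((name, tech))
    parent, child = _basename(ev.parent_image), _basename(ev.image)
    if any(parent.startswith(p) for p in WEB_SERVER_IMAGES) and child in SHELL_IMAGES:
        hits.append(("web shell child process", "T1505.003"))
    return hits


def hunt(events):
    """Return (host, user, hits) for every event that triggered at least one rule."""
    findings = []
    for ev in events:
        hits = match_event(ev)
        if hits:
            findings.append((ev.host, ev.user, hits))
    return findings


# Constructed sample telemetry (assumed hosts, users and paths).
SAMPLE_EVENTS = [
    ProcEvent("WEB01", "IIS APPPOOL\\DefaultAppPool", r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c "whoami & ipconfig /all"', r"C:\Windows\System32\inetsrv\w3wp.exe"),
    ProcEvent("WEB01", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\reg.exe",
              r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv", r"C:\Windows\System32\cmd.exe"),
    ProcEvent("DC01", "CORP\\svc-backup", r"C:\Windows\System32\ntdsutil.exe",
              'ntdsutil "ac i ntds" "ifm" "create full C:\\Temp\\x" q q', r"C:\Windows\System32\cmd.exe"),
    ProcEvent("APP02", "CORP\\jdoe", r"C:\Users\Public\frpc.exe",
              "frpc.exe -c frpc.ini", r"C:\Windows\System32\cmd.exe"),
    ProcEvent("APP02", "CORP\\jdoe", r"C:\Users\Public\ew.exe",
              "ew.exe -s rssocks -d 203.0.113.10 -e 8888", r"C:\Windows\System32\cmd.exe"),
    ProcEvent("DB01", "CORP\\dba", r"C:\Tools\sqlcmd.exe",
              "sqlcmd -Q \"BACKUP DATABASE Customers TO DISK='C:\\Temp\\c.bak'\"",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("WS07", "CORP\\alice", r"C:\Windows\System32\notepad.exe",
              "notepad.exe report.txt", r"C:\Windows\explorer.exe"),   # benign, no hit
]

if __name__ == "__main__":
    for host, user, hits in hunt(SAMPLE_EVENTS):
        print(host, user, hits)
```

The regexes key on the invocation shapes rather than file names alone (for example `ew.exe -s rssocks` rather than any binary called `ew`), since the actor can trivially rename a dropped tool but must still pass the tool its working arguments. The benign `notepad.exe` event is there to show the rules produce no hit on ordinary activity.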
## Targeting
- **Sectors:** Telecommunications, healthcare, information technology, and other critical infrastructure sectors.
- **Geography:** Primarily targeting entities in **Taiwan**.
- **Victims:** Not explicitly named beyond the described sectors within Taiwan.
## Tools & Infrastructure
- **Tools/Utilities:** Web shells (e.g., Chopper), frp/frpc, FScan, In-Swor, Earthworm, Neo-reGeorg, Mimikatz, LaZagne, browser credential extractors, WMIC, PowerShell, Impacket, CurrPorts, TCPView, SQLCMD.exe. (No specific C2 domains or IP addresses were provided in the source.)
## Implications
UAT-5918 poses a significant threat because of its focus on embedding long-term access within critical infrastructure sectors in Taiwan. Its reliance on living-off-the-land (LotL) techniques, C2 tunnels built from legitimate open-source tools (frp, Earthworm, Neo-reGeorg) rather than custom malware, and extensive credential harvesting makes detection difficult, especially for organizations without mature monitoring of legitimate process and tool usage. The overlap with state-sponsored actors such as Volt Typhoon and Flax Typhoon suggests operations tied to sophisticated strategic objectives, most likely espionage.
## Mitigations
- Monitor for execution of common open-source reconnaissance and C2 tools such as frpc, Earthworm, and Impacket by users or processes that have no business running them.
- Enforce strict patching policies for internet-facing web and application servers to close the N-day exploits used for initial access.
- Enforce credential hygiene and privilege accountability, and monitor for credential dumping (registry hive and NTDS extraction, Mimikatz and similar tools).
- Improve network visibility to detect lateral movement via RDP and WMIC that originates from unexpected hosts.
- Deploy behavioral detection to flag common post-exploitation activity such as repeated enumeration of drives and the creation of new administrative accounts.
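The last two mitigations can be checked from the Windows Security log alone. The script below is an added example (not from the report or from Cisco Talos) that correlates two event types: 4624 logons with LogonType 10 (RemoteInteractive, i.e. RDP) whose source address is outside an allowlist of jump hosts, and 4720 (account created) followed shortly by 4732 (member added to a security-enabled local group) where the group is BUILTIN\Administrators. The event dictionaries, the jump-host allowlist, and the timestamps are constructed assumptions; the event IDs, field names, and the well-known Administrators SID are standard.

```python
"""
Correlate Windows Security events for RDP from unexpected hosts and for
freshly created accounts that are promptly made local administrators.
Added example; the events below are constructed, not real logs.
"""
from datetime import datetime, timedelta

RDP_JUMP_HOSTS = {"10.0.5.10", "10.0.5.11"}      # assumed: hosts allowed to RDP to servers
ADMINISTRATORS_SID = "S-1-5-32-544"                # well-known SID of BUILTIN\Administrators
NEW_ADMIN_WINDOW = timedelta(hours=1)              # create -> promote within this window is suspicious


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def unexpected_rdp_logons(events):
    """4624 with LogonType 10 from a source address that is not an approved jump host."""
    out = []
    for ev in events:
        if (ev["EventID"] == 4624 and ev.get("LogonType") == 10
                and ev.get("IpAddress") not in RDP_JUMP_HOSTS):
            out.append((ev["Computer"], ev["TargetUserName"], ev["IpAddress"]))
    return out


def new_admin_accounts(events):
    """4720 (account created) followed within NEW_ADMIN_WINDOW by 4732 adding the
    same SID to Administrators. Correlation is by SID because 4732 may carry
    only MemberSid and not a resolvable MemberName for local accounts."""
    created = {}   # (computer, new account SID) -> (account name, creation time)
    for ev in events:
        if ev["EventID"] == 4720:
            created[(ev["Computer"], ev["TargetSid"])] = (ev["TargetUserName"],
                                                          parse_ts(ev["TimeCreated"]))
    out = []
    for ev in events:
        if ev["EventID"] != 4732 or ev.get("TargetSid") != ADMINISTRATORS_SID:
            continue
        hit = created.get((ev["Computer"], ev.get("MemberSid")))
        if hit is None:
            continue
        name, t0 = hit
        if timedelta(0) <= parse_ts(ev["TimeCreated"]) - t0 <= NEW_ADMIN_WINDOW:
            out.append((ev["Computer"], name, ev["MemberSid"]))
    return out


# Constructed sample events mirroring Security log fields.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2025-03-01T02:10:00", "Computer": "APP02",
     "TargetUserName": "svc-web", "LogonType": 10, "IpAddress": "10.0.5.10"},   # approved jump host
    {"EventID": 4624, "TimeCreated": "2025-03-01T02:14:30", "Computer": "DB01",
     "TargetUserName": "dba", "LogonType": 10, "IpAddress": "10.0.40.77"},      # RDP from a server subnet
    {"EventID": 4624, "TimeCreated": "2025-03-01T02:15:00", "Computer": "DB01",
     "TargetUserName": "dba", "LogonType": 3, "IpAddress": "10.0.40.77"},       # network logon, not RDP
    {"EventID": 4720, "TimeCreated": "2025-03-01T02:20:00", "Computer": "DB01",
     "TargetUserName": "support", "TargetSid": "S-1-5-21-1-2-3-1105"},
    {"EventID": 4732, "TimeCreated": "2025-03-01T02:21:10", "Computer": "DB01",
     "TargetUserName": "Administrators", "TargetSid": "S-1-5-32-544",
     "MemberSid": "S-1-5-21-1-2-3-1105"},
    {"EventID": 4732, "TimeCreated": "2025-03-01T09:00:00", "Computer": "WS07",
     "TargetUserName": "Administrators", "TargetSid": "S-1-5-32-544",
     "MemberSid": "S-1-5-21-1-2-3-500"},                                          # no matching 4720
]

if __name__ == "__main__":
    print("RDP from unexpected hosts:", unexpected_rdp_logons(SAMPLE_EVENTS))
    print("New admin accounts:", new_admin_accounts(SAMPLE_EVENTS))
```

The RDP check deliberately ignores LogonType 3 from the same source: network logons are how WMIC, PowerShell remoting, and Impacket reach a host, so those belong to a separate rule keyed on the originating process rather than on the allowlist used here.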