Full Report
Threat hunters have uncovered a new threat actor named UAT-5918 that has been attacking critical infrastructure entities in Taiwan since at least 2023. "UAT-5918, a threat actor believed to be motivated by establishing long-term access for information theft, uses a combination of web shells and open-sourced tooling to conduct post-compromise activities to establish persistence in victim
Analysis Summary
# Threat Actor: UAT-5918
## Attribution & Identity
UAT-5918 is a newly uncovered threat actor believed to be an Advanced Persistent Threat (APT) group. Researchers assess that UAT-5918 shares tactical overlaps with several known Chinese hacking crews, including Volt Typhoon, Flax Typhoon, Tropic Trooper, Earth Estries, and Dalbit.
## Activity Summary
UAT-5918 has been actively attacking critical infrastructure entities in Taiwan since at least 2023. The actor focuses on establishing long-term access within victim environments primarily for information theft and credential harvesting. Initial access is generally gained by exploiting N-day security flaws in unpatched web and application servers exposed to the internet. Post-compromise activity appears largely manual, focusing on comprehensive data theft after establishing persistence.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploiting N-day security flaws in exposed web/application servers.
- **Persistence/Backdoor:** Deploying web shells (e.g., Chopper web shell) across discovered sub-domains and internet-accessible servers to create multiple points of entry.
- **Reconnaissance & Lateral Movement:** Utilizing open-source tools for network reconnaissance, system information gathering, and lateral movement.
- **C2/Tunneling:** Using Fast Reverse Proxy (FRP) and Neo-reGeorge to set up reverse proxy tunnels, allowing access to compromised endpoints via attacker-controlled remote hosts.
- **Credential Access:** Employing tools like Mimikatz, LaZagne, and BrowserDataLite (a utility that extracts saved logins, cookies, and browsing history from web browsers) to harvest credentials.
- **Discovery/Exfiltration:** Enumerating local and shared drives to identify data of interest for systematic data theft.
- **Alternative Backdoors:** Deploying Crowdoor and SparrowDoor, the latter of which has been used by Earth Estries.
- **Internal Access:** Leveraging RDP, WMIC, or Impacket for deeper access using harvested credentials.
## Targeting
- **Sectors:** Critical Infrastructure, Information Technology, Telecommunications, Academia, and Healthcare.
- **Geography:** Taiwan.
- **Victims:** Specific organizations are not detailed, but critical infrastructure entities are the primary focus.
## Tools & Infrastructure
- **Malware families used:** Chopper web shell, Crowdoor, SparrowDoor, BrowserDataLite.
- **Open-Source/Legitimate Tools:** Fast Reverse Proxy (FRP), Neo-reGeorge, Mimikatz, LaZagne, RDP, WMIC, Impacket.
- **Infrastructure (C2, domains, IPs):** Not explicitly detailed, but C2 relies on attacker-controlled remote hosts accessed via FRP/Neo-reGeorge tunnels.
## Implications
UAT-5918 poses a significant threat to Taiwan's core services due to its focus on critical infrastructure. The actor’s objective is long-term data exfiltration, suggesting espionage or intelligence gathering related to national security or economic interests. The reliance on readily available and open-source tools suggests an intrusion approach focused on speed and persistence rather than novel malware development. The observed tactical overlap with groups like Volt Typhoon and Earth Estries warrants heightened scrutiny regarding potential coordinated or shared objectives among Chinese state-sponsored entities.
## Mitigations
- Immediately patch all internet-facing web and application servers to mitigate N-day exploit vectors.
- Review network logs and EDR telemetry for signs of activity related to FRP or Neo-reGeorge tunneling.
- Restrict the use of post-exploitation tools like Mimikatz and ensure credential management systems are robust.
- Monitor for the deployment of web shells such as Chopper, and of the Crowdoor and SparrowDoor backdoors, on public-facing assets.
- Implement strong monitoring for RDP, WMIC, and Impacket connection anomalies indicative of lateral movement using harvested credentials.
- Enhance data loss prevention (DLP) controls and audit file enumeration activities on sensitive servers.
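The TTP list and the mitigations above both come down to the same detection question: does a host show several phases of the described chain (web shell, FRP tunnel, credential dumping, WMIC/Impacket lateral movement) rather than one isolated alert? The script below is an added example written for this summary; it is not code from the original report, Cisco Talos, or The Hacker News. It parses endpoint events in a key=value format assumed for the example (loosely modelled on Sysmon process-creation and file-creation events), matches them against heuristics for the tools named in the report, and ranks hosts by how many distinct phases appear. All hostnames, paths, timestamps and log lines are constructed samples, and every pattern (including the wmiexec-style output redirect) is an assumption about how the tool usually surfaces, not an indicator published with the report.

```python
"""Host-level triage for the UAT-5918 tooling described above (added example)."""

import re
from collections import defaultdict

# Constructed sample events (not real telemetry). Format is an assumption for this example.
SAMPLE_LOG = r'''
ts=2025-03-01T02:10:11Z host=web01 event=FileCreate image=C:\Windows\System32\inetsrv\w3wp.exe target=C:\inetpub\wwwroot\aspnet_client\x.aspx
ts=2025-03-01T02:12:40Z host=web01 event=ProcessCreate parent=C:\Windows\System32\inetsrv\w3wp.exe image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c whoami"
ts=2025-03-01T02:30:05Z host=web01 event=ProcessCreate parent=C:\Windows\System32\cmd.exe image=C:\ProgramData\frpc.exe cmdline="frpc.exe -c frpc.toml"
ts=2025-03-01T03:01:12Z host=web01 event=ProcessCreate parent=C:\Windows\System32\cmd.exe image=C:\ProgramData\m.exe cmdline="m.exe privilege::debug sekurlsa::logonpasswords exit"
ts=2025-03-01T03:05:33Z host=web01 event=ProcessCreate parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\wbem\WMIC.exe cmdline="wmic /node:db02 /user:corp\svc_backup process call create cmd.exe"
ts=2025-03-01T03:05:34Z host=db02 event=ProcessCreate parent=C:\Windows\System32\wbem\WmiPrvSE.exe image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /Q /c net view 1> \\127.0.0.1\ADMIN$\__1709262334 2>&1"
ts=2025-03-01T08:00:00Z host=ws17 event=ProcessCreate parent=C:\Windows\explorer.exe image=C:\Windows\System32\notepad.exe cmdline="notepad.exe"
ts=2025-03-01T08:14:09Z host=ws17 event=ProcessCreate parent=C:\Windows\System32\cmd.exe image=C:\Users\bob\Downloads\laZagne.exe cmdline="laZagne.exe all"
'''

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Parse one key=value event line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

WEB_SERVERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe", "java.exe", "php-cgi.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# (phase, rule name, predicate). Phases follow the report's TTP headings so that a host
# touching several of them stands out. Patterns are assumptions, not published indicators.
RULES = [
    ("persistence", "webshell_written_by_webserver",
     lambda e: e.get("event") == "FileCreate" and basename(e.get("image", "")) in WEB_SERVERS
               and e.get("target", "").lower().endswith((".aspx", ".jsp", ".php", ".ashx"))),
    ("persistence", "webserver_spawned_shell",  # Chopper / Neo-reGeorge style web shell executing commands
     lambda e: basename(e.get("parent", "")) in WEB_SERVERS and basename(e.get("image", "")) in SHELLS),
    ("tunneling", "frp_client_or_server",
     lambda e: re.fullmatch(r"frp[cs](\.exe)?", basename(e.get("image", "")))),
    ("credential_access", "mimikatz_module_syntax",
     lambda e: re.search(r"(sekurlsa|lsadump|privilege)::", e.get("cmdline", ""), re.I)),
    ("credential_access", "lazagne",
     lambda e: "lazagne" in basename(e.get("image", "")) or "lazagne" in e.get("cmdline", "").lower()),
    ("lateral_movement", "wmic_remote_process_create",
     lambda e: basename(e.get("image", "")) == "wmic.exe"
               and re.search(r"/node:\S+.*process\s+call\s+create", e.get("cmdline", ""), re.I)),
    ("lateral_movement", "wmiexec_style_output_redirect",  # assumed Impacket wmiexec.py artifact on the target
     lambda e: basename(e.get("parent", "")) == "wmiprvse.exe" and basename(e.get("image", "")) in SHELLS
               and re.search(r"\\\\127\.0\.0\.1\\ADMIN\$\\__", e.get("cmdline", ""))),
]

def triage(log_text):
    """Return {host: {"hits": [(ts, rule_name), ...], "phases": set(...)}} for matching events."""
    findings = defaultdict(lambda: {"hits": [], "phases": set()})
    for line in log_text.strip().splitlines():
        e = parse(line)
        for phase, name, pred in RULES:
            if pred(e):
                findings[e["host"]]["hits"].append((e["ts"], name))
                findings[e["host"]]["phases"].add(phase)
    return dict(findings)

def prioritize(findings, min_phases=2):
    """Hosts on which at least min_phases distinct phases were seen, most phases first."""
    ranked = sorted(findings.items(), key=lambda kv: (-len(kv[1]["phases"]), kv[0]))
    return [host for host, f in ranked if len(f["phases"]) >= min_phases]

if __name__ == "__main__":
    f = triage(SAMPLE_LOG)
    for host in prioritize(f):
        print(host, sorted(f[host]["phases"]))
        for ts, name in f[host]["hits"]:
            print("   ", ts, name)
```

On the sample data, web01 surfaces with all four phases (web shell written and executed by IIS, an FRP client, Mimikatz module syntax, and WMIC remote process creation), while db02 and ws17 each show a single phase and are only listed when the threshold is lowered. The phase-counting step is the point: any one of these rules is noisy on its own, but the report describes a chain, and chaining is what separates a real intrusion from an administrator running WMIC.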