A Chinese state-backed group called APT16 is targeting Taiwan’s opposition party (the Democratic Progressive Party, DPP) as well as journalists, security experts and officials by sending phishing e-mails with the subject line “DPP Contact Information Update”, in an attempt to get hold of election-related information ahead of presidential and legislative elections next month.
In a new report, US-based security company FireEye said infiltrating Taiwanese news organizations would allow hackers to gain access to informants and other protected sources, who might then be targeted for further intelligence collection or even retribution. Hackers also infiltrated emails of party staff, changing security protocols and writing messages spoofing the account holders in what may have been an attempt to deliver malicious code.
“Between November 26, 2015, and December 1, 2015, known and suspected China-based APT groups launched several spear phishing attacks targeting Japanese and Taiwanese organizations in the high-tech, government services, media and financial services industries. Each campaign delivered a malicious Microsoft Word document exploiting the aforementioned EPS dict copy use-after-free vulnerability, and the local Windows privilege escalation vulnerability CVE-2015-1701. The successful exploitation of both vulnerabilities led to the delivery of either a downloader that we refer to as IRONHALO, or a backdoor that we refer to as ELMER.
“On November 26, 2015, a suspected China-based APT group sent Japanese defense policy-themed spear phishing emails to multiple Japanese financial and high-tech companies. As shown in Figure 1, the emails originated from the Yahoo! email firstname.lastname@example.org[.]jp, and contained the subject “新年号巻頭言の送付” (Google Translation: Sending of New Year No. Foreword).
“Each phishing message contained the same malicious Microsoft Word attachment. The malicious attachment resembled an article hosted on a legitimate Japanese defense-related website, as both discussed national defense topics and carried the same byline. The lure documents also used the Japanese calendar, as indicated by the 27th year in the Heisei period. This demonstrates that the threat actors understand conventional Japanese date notation.”
Taiwan goes to the polls on January 16 and opinion surveys show the DPP is likely to win a legislative majority, with its leader Tsai Ing-wen securing the presidency after eight years of nationalist Kuomintang rule. China, which considers Taiwan to be one of its provinces, is wary of the DPP’s views on Taiwan independence and advocacy of more caution in its relationship with China.
“Given the timing of these attacks, the reporters targeted, and the information used as a lure, it is possible that the attackers are seeking information relating to the upcoming election and about the DPP in particular,” Bryce Boland, chief technology officer for Asia Pacific at FireEye, told AFP.
While the DPP has been under attack for months, the frequency has picked up in the past few weeks, said Ketty Chen, deputy director of international affairs at the DPP, whose own account was among as many as 50 DPP staff targeted by hackers.
“There were fake emails that looked like they came from her [a colleague]. When I read it, the style was not how she would talk, so I called to ask if she really sent it, and she hadn’t,” Chen said.
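The two lure patterns described above, a known subject line carrying a Word attachment and messages written to look as if they came from a colleague, can be triaged from mail headers alone. The following is an added example, not code from the article, FireEye or the DPP; the staff directory, the organisation domain and both sample messages are constructed assumptions.

```python
"""Added example (not from the article or FireEye): header-based triage
for the lure patterns the article describes, run over constructed sample
messages. Staff directory, domain and messages are assumptions."""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Hypothetical staff directory for the targeted organisation (constructed).
ORG_DOMAIN = "dpp.example"
STAFF = {"Ketty Chen": "kchen@dpp.example"}

# Subject line reported in the article for the DPP lure.
LURE_SUBJECTS = {"DPP Contact Information Update"}
# Office document types the reported campaign used as carriers.
OFFICE_TYPES = {
    "application/msword",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
}


def triage(raw: str) -> list[str]:
    """Return a list of findings for one raw RFC 5322 message."""
    msg: Message = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()

    # 1. Display-name spoofing: the sender claims to be a known colleague,
    #    but the address is not that colleague's directory mailbox.
    if name in STAFF and addr.lower() != STAFF[name]:
        findings.append(f"display name '{name}' does not match directory address")

    # 2. Known lure subject that also carries an Office attachment.
    has_office = any(part.get_content_type() in OFFICE_TYPES for part in msg.walk())
    if msg.get("Subject", "").strip() in LURE_SUBJECTS and has_office:
        findings.append("known lure subject with Office attachment")

    # 3. Reply-To diverts replies to a domain other than the From domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        findings.append("Reply-To domain differs from From domain")
    return findings


# Constructed sample: spoofed colleague, lure subject, Word attachment.
SPOOFED = """\
From: Ketty Chen <ketty.chen@mail-example.net>
Reply-To: replies@other-example.org
To: staff@dpp.example
Subject: DPP Contact Information Update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached update.
--b1
Content-Type: application/msword; name="update.doc"
Content-Disposition: attachment; filename="update.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEA
--b1--
"""

# Constructed sample: genuine internal message, no attachment.
LEGIT = """\
From: Ketty Chen <kchen@dpp.example>
To: staff@dpp.example
Subject: Lunch on Friday
Content-Type: text/plain

Same place as last time?
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, triage(raw))
```

The directory check is the one that catches the case Chen describes: the display name is a real colleague, so only comparing the actual address against a trusted directory exposes the mismatch. Rules keyed on a single subject string are brittle and should be treated as a short-lived indicator rather than a durable control.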
William Stanton, former US diplomat to Taiwan and currently the director of National Tsing Hua University’s Center for Asia Policy, was also a target. He said he’s received multiple warnings from Google that his Gmail account may be targeted by government hackers.
“If you were directed to this page from a warning displayed above your Gmail inbox, we believe that state-sponsored attackers may be attempting to compromise your account or computer. It’s likely that you received emails containing malicious attachments, links to malicious software downloads, or links to fake websites that are designed to steal your passwords or other personal information,” the warning read without identifying the country.