Chinese APT16 hackers target anti-Chinese Taiwan opposition

Dec 22, 2015 12:08 GMT  ·  By

FireEye security researchers have uncovered a new APT (Advanced Persistent Threat) group linked to mainland China, targeting Taiwanese politicians and members of the media, just weeks before the country's elections.

The first signs of the campaign were recorded around 10:00 AM on November 26, when a phishing wave aimed at members of Taiwan's Democratic Progressive Party (DPP) was detected.

Attacks specifically targeted anti-Chinese politicians and journalists

The DPP is Taiwan's main opposition party, and political analysts expect it to win comfortably against the ruling Kuomintang (KMT), which favors a more China-friendly policy. Members of pro-DPP media outlets were targeted as well.

According to FireEye's technical analysis of the campaign, targets were lured into opening emails with subject lines such as "DPP's Contact Information Update." Opening the booby-trapped Word attachment infected the victim with the IRONHALO trojan, a downloader that then fetched and installed the ELMER backdoor.

The attackers chained three vulnerabilities: an Office flaw (CVE-2015-2545) and a Windows kernel privilege escalation flaw (CVE-2015-2546), both patched by Microsoft on September 8, 2015, plus an older Windows local privilege escalation flaw (CVE-2015-1701), patched in April 2015. None of the three was a zero-day by the time of the late-November attacks; the campaign relied on targets who had not applied those updates.

Hackers used an exploit not seen in live attacks before

The booby-trapped Word documents carried an embedded Encapsulated PostScript (EPS) file that triggered a dict copy use-after-free bug in Office's EPS parser, an attack method not previously observed in the wild. FireEye identified this vulnerability in September; Microsoft patched it on September 8, 2015, in the same update cycle that fixed CVE-2015-2546, but it had not been used in live attacks until now.
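Because the infection vector is an EPS file embedded in a Word document, a cheap triage step for mail gateways or incident responders is to flag OOXML documents that carry EPS parts at all, regardless of what the part is named. The following is an added example written for this article, not code from FireEye or from the campaign's analysis; it assumes only the standard OOXML container layout (a ZIP archive with media parts under word/media/) and the two well-known EPS signatures, and the sample document it inspects is constructed in memory (no real malicious file is involved).

```python
"""Triage check: flag Word (OOXML) documents that carry embedded EPS parts.

Added example, not code from FireEye or the article. Assumes only the OOXML
container layout and the standard EPS signatures; the sample .docx is
constructed in memory below and contains no exploit.
"""
import io
import zipfile

# EPS signatures: ASCII PostScript header ("%!PS-Adobe-..."), or the
# DOS EPS binary header (C5 D0 D3 C6) that prefixes a TIFF/WMF preview.
EPS_TEXT_MAGIC = b"%!PS"
EPS_DOS_MAGIC = b"\xc5\xd0\xd3\xc6"


def is_eps(data: bytes) -> bool:
    """True if the first bytes of a part look like an EPS file."""
    return data.startswith(EPS_TEXT_MAGIC) or data.startswith(EPS_DOS_MAGIC)


def find_eps_parts(doc_bytes: bytes) -> list:
    """Return the names of ZIP members that are EPS by content.

    Detection goes by the part's leading bytes, not its extension, so a
    renamed part (image2.jpg holding PostScript) is still reported.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            with z.open(info) as part:
                head = part.read(16)
            if is_eps(head):
                hits.append(info.filename)
    return hits


def build_sample_docx(with_eps: bool) -> bytes:
    """Constructed minimal OOXML-like container (hypothetical, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        # A benign PNG part, to show that ordinary images are not flagged.
        z.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 8)
        if with_eps:
            # Extension deliberately misleading: content-based detection catches it.
            z.writestr("word/media/image2.jpg",
                       b"%!PS-Adobe-3.0 EPSF-3.0\n/d 10 dict def\n")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print("with_eps=%s -> %s" % (flag, find_eps_parts(build_sample_docx(flag))))
```

A hit does not prove the document is malicious, since EPS is a legitimate (if now rare) image format in Office files, but in an environment where nobody sends EPS-bearing Word documents it is a strong reason to detonate the file in a sandbox before delivery.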

The group that carried out these attacks, known only as APT16, also launched similar spear phishing campaigns against Taiwanese media organizations in June 2015. This group is not the same as admin@338, another Chinese APT targeting Hong Kong media organizations.

"The Chinese government would benefit from improved insight into local media coverage of Taiwanese politics, both to better anticipate the election outcome and to gather additional intelligence on politicians, activists, and others who interact with journalists," said Ryann Winters, of FireEye Threat Intelligence.