{
	"id": "b65b2afe-bbd2-4d25-8b30-144e283b4f12",
	"created_at": "2026-04-06T00:18:48.996459Z",
	"updated_at": "2026-04-10T03:36:25.357743Z",
	"deleted_at": null,
	"sha1_hash": "5e3ee3e27893b664edf63ddfd4b6a3436e5e3e8a",
	"title": "China Implicated in Prolonged Supply Chain Attack Targeting Taiwan Financial Sector",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 859720,
	"plain_text": "China Implicated in Prolonged Supply Chain Attack Targeting\r\nTaiwan Financial Sector\r\nBy CyCraft Technology Corp\r\nPublished: 2022-02-23 · Archived: 2026-04-05 17:24:20 UTC\r\nSevere Vulnerability Uncovered in Major Taiwan Financial Software\r\nTaipei, Taiwan — 22 February 2022 — CyCraft, a leading managed detection and response (MDR) provider\r\nbased in Taiwan, uncovered intelligence regarding the November 2021 cyberattacks targeting the Taiwan financial\r\nand securities trading sector; CyCraft further attributed the cyberattacks to APT10 — a China state-sponsored\r\nhacker group widely believed to be associated with the Chinese Intelligence Agency, the Ministry of State\r\nSecurity (MSS).\r\nThe November 2021 attacks were originally attributed to password mismanagement; however, following a\r\nsecurity incident response (IR) investigation conducted by CyCraft into the second wave of February 2022\r\nattacks, new evidence uncovered the exploitation of a severe vulnerability in commonly used financial software\r\naided by a newly identified hacking technique, Reflective Code Loading.\r\nCyCraft urges all organizations who may be vulnerable to this attack — especially financial firms\r\nwho have recently experienced an increase in compromised user credentials — to conduct an\r\nimmediate, thorough security assessment.\r\nThese attacks are the latest in a series of attack campaigns against Taiwan by China-based threat groups. In early\r\n2020, CyCraft curtailed a year-long attack campaign targeting Taiwan’s semiconductor ecosystem; this attack was\r\nattributed to another China-based threat group, Chimera. 
Again, in April 2020, a CyCraft incident response (IR)\r\ninvestigation into a government agency breach uncovered Waterbear malware — malware designed and\r\ndistributed by the China-based threat group BlackTech.\r\nhttps://medium.com/cycraft/china-implicated-in-prolonged-supply-chain-attack-targeting-taiwan-financial-sector-264b6a1c3525\r\nPage 1 of 6\n\nThe frequency of cyberattacks targeting Taiwan institutions surged by 38% in 2021, reaching an average of\r\n2,644 attacks per week, Taiwan News reports. The global average is 925 attacks per week. This disparity is due to\r\nTaiwan’s unique geopolitical situation, high-tech economy, and mature communications infrastructure.\r\nFirst Attack Wave, November 2021\r\nAt 5:27 p.m. on Thursday, November 25 of last year, a number of Taiwan financial institutions and securities\r\ntraders informed the Taiwan Stock Exchange Corporation (TWSE) and the Financial Supervisory Commission\r\n(FSC) that they would be suspending online transactions due to suspicious behavior — large, unusual purchases of\r\nHong Kong stocks on consumer trading accounts — as a result of a cyberattack.\r\nAfter several weeks, the IR investigations theorized that the November attacks were most likely due to password\r\nmismanagement and credential stuffing; however, the findings were not conclusive and suggested there may\r\nhave been other causes.\r\nCredential stuffing attacks leverage poor cyber hygiene habits (i.e., users reusing the same username/password\r\ncombinations across multiple platforms and websites). Several security countermeasures were taken, including\r\nforced password updates and multi-factor authentication.\r\nSecond Attack Wave, February 2022\r\nOnce again, in mid-February 2022, a number of Taiwan financial institutions and securities traders were targeted\r\n— some being victims of the November 2021 attacks and others CyCraft customers. 
CyCraft MDR/EDR\r\ncybersecurity solutions observed suspicious files and login events on customer servers and immediately began\r\ninvestigating. After three days, CyCraft completed their IR investigations.\r\nCyCraft MDR’s first detection, auto triage, and alert sent for malicious executable\r\nPresentationCache[.]exe\r\nCyCraft’s three-day IR investigation uncovered that neither the February 2022 nor the November 2021 attacks\r\nwere solely a direct result of credential stuffing. A more thorough investigation revealed evidence suggesting\r\ncredential stuffing was purposely left behind by APT10 — credential stuffing was just a smokescreen.\r\nBoth attacks were the result of a supply chain attack targeting specific financial software. A vulnerability\r\nexisting in financial software with a majority market share among Taiwan securities traders was exploited by the\r\nattackers, granting them high-level access to multiple firms. Further investigation showed that what was initially\r\npresumed to be two separate waves of cyberattacks was actually one prolonged attack campaign in which the\r\nattackers leveraged advanced obfuscation techniques not previously observed.\r\nThis isn’t the first “smokescreen attack” by a China-based threat group. In April 2020, CyCraft observed a China-based threat group use ransomware as a smokescreen for a targeted attack on the CPC Corporation, as reported by\r\nCyCraft and Bloomberg.\r\n“For more than a decade, Chinese hackers have waged a persistent cyber offensive against Taiwanese\r\ngovernment, non-government and corporate targets. 
Taiwan also happens to be home to some of the\r\nelectronics, semiconductor, and military technology that China desperately wants to get its hands on.”\r\nBloomberg on smokescreen cyberattack targeting the CPC Corporation\r\nAttack Attribution\r\nAnalysis of the attacker C2 domain, the Quasar backdoor malware, and the attacker behavior used in the attacks\r\nhas led to a high degree of confidence in attributing the attacks to a Chinese threat actor. In the second wave of\r\nattacks observed by CyCraft, there is a medium degree of confidence in the attribution of APT10 — a China-based\r\nthreat group.\r\nThe objective of these attacks does not appear to have solely been financial gain but rather the exfiltration\r\nof brokerage information, the scraping of high-value PII data, damaging the reputation of Taiwan financial\r\ninstitutions, and the disruption of investor confidence during a period of economic growth for Taiwan.\r\nOne of the many attack techniques utilized by APT10 was the new technique “Reflective Code Loading”, which\r\nwas incorporated into the MITRE ATT\u0026CK framework just last October.\r\nCyberTotal Cyber Threat Intelligence Platform Detecting APT10 Activity\r\nABOUT APT10\r\nThis Advanced Persistent Threat (APT), known as APT10 by MITRE ATT\u0026CK nomenclature, has been active\r\nsince at least 2006. Common targets of APT10 include healthcare, defense, finance, maritime, biotechnology,\r\nenergy, and governmental organizations, with an emphasis on targets in Japan and Taiwan. APT10 is believed to\r\nbe associated with the Chinese Intelligence Agency, the Ministry of State Security (MSS).\r\nIn 2018, the U.S. 
Department of Justice charged two members of APT10, Zhu Hua and Zhang Jianguo, with\r\nconspiracy to commit computer intrusions, conspiracy to commit wire fraud, and aggravated identity theft. The\r\nDepartment of Justice charges that these individuals acted in association with the Tianjin State Security Bureau\r\nand had been engaging in global computer intrusions for more than a decade.\r\nThree-Day Incident Response\r\nThe fast, accurate, and thorough response of CyCraft’s three-day IR investigation is due to their autonomous ML-driven security technology. CyCraft cybersecurity solutions specialize in automated malicious behavior detection\r\nand response and are capable of continuously monitoring and managing the cyber situation of even large-scale\r\nenterprises with hundreds of thousands of endpoints.\r\n“CyCraft strives for human-AI collaboration in cybersecurity. All our solutions — from our dark web\r\nintelligence fusion platform, RiskINT, to our endpoint detection and response Xensor agent — are\r\ndriven by our CyCraft AI Virtual Analyst as well as our team of seasoned human professionals. Not only\r\nis the security and safety of the entire CyCraft customer community and their data important to us, but\r\nso is creating a frictionless and intuitive user experience that puts all our customers’ cybersecurity\r\nconcerns at ease. 
Our technology is complicated; our service isn’t.”\r\n— PK Tsung, CyCraft Co-Founder \u0026 CSO\r\nPK Tsung, CyCraft Co-Founder \u0026 CSO\r\nAbout CyCraft\r\nCyCraft secures government agencies, financial institutions, semiconductor manufacturing, police and defense\r\norganizations, Fortune Global 500 firms, airlines, telecommunications, SMEs, and more by being Fast / Accurate\r\n/ Simple / Thorough.\r\nCyCraft automates information security protection with built-in advanced managed detection and response\r\n(MDR), global cyber threat intelligence (CTI), smart threat intelligence gateways (TIG), network detection and\r\nresponse (NDR), security operations center (SOC) operations software, auto-generated incident response (IR)\r\nreports, enterprise-wide Health Check (Compromise Assessment, CA), and Secure From Home services. CyCraft\r\nalso collaborates with other cybersecurity organizations, including the International Forum of Incident Response\r\n\u0026 Security Teams (FIRST) and the Taiwan Cybersecurity Center of Excellence (CCoE).\r\nMeet your modern cyber defense needs by engaging CyCraft at engage@cycraft.com\r\nEngage with CyCraft\r\nBlog | LinkedIn | Twitter | Facebook | CyCraft\r\nContacts\r\nDr. Benson Wu\r\nCo-Founder \u0026 CEO, CyCraft Technology\r\nbenson.wu@cycraft.com\r\nChad Duffy\r\nVP of Strategy, CyCraft Technology\r\nchad.duffy@cycraft.com\r\nSource: https://medium.com/cycraft/china-implicated-in-prolonged-supply-chain-attack-targeting-taiwan-financial-sector-264b6a1c3525",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/cycraft/china-implicated-in-prolonged-supply-chain-attack-targeting-taiwan-financial-sector-264b6a1c3525"
	],
	"report_names": [
		"china-implicated-in-prolonged-supply-chain-attack-targeting-taiwan-financial-sector-264b6a1c3525"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f88b16bc-df4b-48e7-ae35-f4117240ff24",
			"created_at": "2022-10-25T15:50:23.556699Z",
			"updated_at": "2026-04-10T02:00:05.312313Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Chimera"
			],
			"source_name": "MITRE:Chimera",
			"tools": [
				"PsExec",
				"esentutl",
				"Mimikatz",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177 ",
				"Circuit Panda ",
				"Earth Hundun",
				"Palmerworm ",
				"Red Djinn",
				"Shrouded Crossbow "
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3da47784-d268-47eb-9a0d-ce25fdc605c0",
			"created_at": "2025-08-07T02:03:24.692797Z",
			"updated_at": "2026-04-10T02:00:03.72967Z",
			"deleted_at": null,
			"main_name": "BRONZE VAPOR",
			"aliases": [
				"Chimera ",
				"DEV-0039 ",
				"Thorium ",
				"Tumbleweed Typhoon "
			],
			"source_name": "Secureworks:BRONZE VAPOR",
			"tools": [
				"Acehash",
				"CloudDrop",
				"Cobalt Strike",
				"Mimikatz",
				"STOCKPIPE",
				"Sharphound",
				"Watercycle"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "873a6c6f-a4d1-49b3-8142-4a147d4288ef",
			"created_at": "2022-10-25T16:07:23.455744Z",
			"updated_at": "2026-04-10T02:00:04.61281Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Bronze Vapor",
				"G0114",
				"Nuclear Taurus",
				"Operation Skeleton Key",
				"Red Charon",
				"THORIUM",
				"Tumbleweed Typhoon"
			],
			"source_name": "ETDA:Chimera",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"SkeletonKeyInjector",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434728,
	"ts_updated_at": 1775792185,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5e3ee3e27893b664edf63ddfd4b6a3436e5e3e8a.pdf",
		"text": "https://archive.orkl.eu/5e3ee3e27893b664edf63ddfd4b6a3436e5e3e8a.txt",
		"img": "https://archive.orkl.eu/5e3ee3e27893b664edf63ddfd4b6a3436e5e3e8a.jpg"
	}
}