{
	"id": "3f8dab6f-eb17-4539-966a-e0dad4420f32",
	"created_at": "2026-04-06T00:11:17.988236Z",
	"updated_at": "2026-04-10T03:21:18.497623Z",
	"deleted_at": null,
	"sha1_hash": "62b31028930669c8edb852457314ad2aa6b3a521",
	"title": "China-Linked Threat Group Targets Taiwan Critical Infrastructure, Smokescreen Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3148785,
	"plain_text": "China-Linked Threat Group Targets Taiwan Critical Infrastructure, Smokescreen Ransomware\r\nBy CyCraft Technology Corp\r\nPublished: 2022-06-10 · Archived: 2026-04-05 19:40:59 UTC\r\nThe worldwide pandemic did not slow down malicious cyber activity; it fueled it. As early as February 2020, we began observing an increase in malicious activity. In April, one of the largest cyber attacks targeting Taiwan in 2020 was the targeted attack on the CPC Corporation — a state-owned petroleum, natural gas, and gasoline company and the largest gasoline supplier in Taiwan with roughly 25% of the gas stations on the island nation. CPC Corporation wasn’t alone; ten more organizations in critical infrastructure were also targeted for attack that exact same weekend.\r\nFor a full forensic breakdown of the ColdLock ransomware, CobaltStrike backdoor, other employed malware, as well as the overall attack, read our full report on the May 4 cyber attack targeting Taiwan’s critical infrastructure.\r\nIncident Overview\r\nOn May 4, multiple CPC (台灣中油股份有限公司) gas stations across Taiwan suddenly became unable to accept payment by CPC VIP cards or electronic transaction apps. Customers had to pay in cash or by credit card until the payment system was up again.\r\nhttps://medium.com/cycraft/china-linked-threat-group-targets-taiwan-critical-infrastructure-smokescreen-ransomware-c2a155aa53d5\r\nPage 1 of 12\r\nFig. A — https://www.ithome.com.tw/news/137384\r\nIn the beginning, the state-run CPC denied allegations of being hacked and having their systems compromised. 
In truth, the CPC had been the victim of a targeted ColdLock ransomware attack.\r\nOn May 15 (ten days after the CPC incident), the Investigation Bureau of the Ministry of Justice (MJIB) released an investigation report stating that the CPC was one of more than ten victims in this sophisticated and organized ColdLock ransomware attack. The unnamed ten included other organizations in Taiwan’s critical infrastructure, even a large multinational semiconductor vendor.\r\nFig. B — https://www.mjib.gov.tw/news/Details/1/607\r\nCPC Corporation is not our customer; however, we were involved in investigations regarding other critical infrastructure (CI) victims among the attack’s unnamed ten.\r\nThis successful, sophisticated attack targeted CI on a national scale, denied service across the country, interrupted the daily life of the common citizen, and brought brief but significant economic turmoil.\r\nIncident Timeline\r\nThis timeline was constructed by combining the findings from our own investigation and an analysis of the threat intelligence presented in the MJIB report.\r\nFig. C — CPC Incident Timeline\r\nPrior to April 26 — The attackers gain initial access and escalate privileges. 
They have decided (or planned) to wait before acting on their objectives.\r\nApril 26 — The attackers initiate their attack just before midnight.\r\nApril 27 — The first backdoor is installed.\r\nApril 28 \u0026 30 — While the attackers were not directly active in the victim’s environment on these days, they leveraged a Group Policy Object (GPO) to automate the distribution of the ransomware throughout the entire system from April 28 to the day of the attack.\r\nApril 29 — The second backdoor is installed as a different file with the same name but a different hash. This second backdoor becomes the main backdoor used in the operation.\r\nMay 1 to 3 — Extended holiday weekends, like the Labor Day holiday weekend, are generally considered an ideal time for cyberattacks, as most technicians and security analysts are on vacation, increasing both detection and response times. The Labor Day holiday weekend was, unfortunately, an ideal time for the GPO to automate the distribution of the ransomware throughout the entire system, maximizing the number of affected endpoints for the day of the attack.\r\nMay 4 — CPC initially claims a mere system crash; however, as talk of ransomware quickly begins to surface, CPC admits to being the victim of a ransomware attack. As CPC is considered critical infrastructure for the country, citizens are gravely concerned about the CPC attack. However, unbeknownst to the general public, several other organizations had been targeted as well.\r\nMay 4 to 6 — The attackers launch attacks against their other intended targets one after another. 
Their attack procedure remains the same: backdoors are installed before midnight, the GPO distributes the ransomware throughout the targeted system, and the ransomware begins encrypting and deleting data just after 12 noon on the following day.\r\nMay 6 — Chunghwa Telecom announces it has been breached and releases IoCs and other relevant threat intelligence. Chunghwa Telecom is the largest telecommunications company and the incumbent local exchange carrier of PSTN, mobile, and broadband services in Taiwan. Their report is the first report of this operation that contained IoCs, which were later used to attribute the attacks on Chunghwa Telecom, CPC, and our customer to the same threat actor.\r\nMay 7 — The malware has been contained and eradicated; the CPC system resumes operations without further incident. Our future customer, who had not yet contacted us, follows their post-intrusion playbook policies and begins performing clean reinstalls on all their endpoints.\r\nMay 15 — The MJIB issues both a press release and a threat intelligence report on the CPC attack.\r\nSystem-Level Threat Hunting\r\nThe initial automated scan of our customer’s environment, which consisted of 7,000 endpoints and 382.9 million files, immediately identified 4 suspicious endpoints and 3 suspicious files as a severe threat to the environment. The CyCraft AIR platform classifies Level 10 threats (as these were) as the most malicious threats an environment could possibly face.\r\nAll information in this blog and our report has gone through de-identification and anonymization.\r\nFig. D — Screenshot of CyCraft AIR’s automated report of our customer’s environment — allowing our human security analyst teams to then focus and drill down into specific queries. 
All information in this blog and our report has gone through de-identification and anonymization.\r\nFindings\r\nBy cross-referencing the threat intelligence published by both Chunghwa Telecom and the MJIB against the intelligence from our own investigation, we concluded that our customer was also targeted by the same threat actors behind both the CPC and Chunghwa Telecom attacks.\r\nWhen our investigation began, all Active Directory (AD) servers had already received a clean reinstall of their OS; however, three system admin endpoints (JOHN706_NB, MIS201_NB, MIS312_NB) still contained artifacts, including backdoors that were still connected to malicious C2 servers (64[.]64.234.24 and 104[.]233.224.227).\r\nFig. E — CyCraft AIR Cyber Situation Graph\r\nThe backdoor malware (CDPSSVC.DLL) discovered on the system admin endpoint had exactly the same hash as the sample in the Chunghwa Telecom IoC Report.\r\nFig. 
F — CyCraft AIR screenshot of known malware found on a customer endpoint\r\nThe two IP addresses (64[.]64.234.24 and 104[.]233.224.227) were also both listed as malicious C2 servers in the Chunghwa Telecom IoC Report.\r\nFurther investigation into the system admin endpoint MIS201_NB revealed CobaltStrike Beacon malware whose hashes and C2 addresses were both identical to those listed in the Chunghwa Telecom IoC Report.\r\nActions on Objectives\r\nThe attackers had gained high-privilege access to the target system at least one week prior to the attack; however, there is a strong likelihood the target system had been compromised even months before May 4.\r\nThe attackers had scheduled the backdoor malware, dewm.exe and qwins5.exe, to be installed on the system admin endpoints at precisely 11:46 p.m. on April 26 and 12:00 a.m. on April 27.\r\nFig. G — CyCraft AIR cyber situation graph of malicious (pink) processes. Notice the time stamp on each malicious process.\r\n73 minutes later, at 1:01 a.m. on April 27, the attackers acted again and installed the main backdoor program (CDPSSVC.DLL) onto the system admin endpoint. Fig. H shows that in addition to install.bat, the attackers also issued several more commands. Unfortunately, only CDPSSVC.DLL remained on the endpoint we investigated, as the other files had been removed by the previously mentioned clean reinstall.\r\nFig. H — CyCraft AIR cyber situation graph — endpoint process tree\r\nIn this process tree (Fig. 
H), the attackers use “reg add” to add a registry key under Services named CDPSsvc and install the service with the “sc create” command.\r\nFig. J — CyCraft AIR cyber situation graph — endpoint process tree\r\nIt’s important to note that the backdoor malware and the ransomware are separate. A few moments after installing the main backdoor malware, at 1:01 a.m. on Monday, April 27, the attackers used the GPO to distribute the ransomware throughout the entire system over the next three business days and the 3-day Labor Day weekend. The ransomware then lay dormant and activated on Tuesday, May 5.\r\nFig. K — lc.tmp PowerShell attacks executing ColdLock ransomware\r\nAlthough the ransomware started execution when the host endpoint was booted up on May 4, the ransomware waited until 12:10 p.m. (Tuesday, May 5) to begin encrypting files and destroying data. There are several reasons for this scheduled delay: it would be difficult for engineers and security analysts to respond immediately at this time, and it was the second day back after a long weekend.\r\nFig. L — Encryption and deletion did not begin until 12:10 in the afternoon.\r\nA closer look at the malware revealed that this particular variant of ColdLock had removed all the payment information, contact email, and the RSA public key. 
This indicates that no decryption information could have been provided.\r\nRansomware-as-a-Smokescreen\r\nRansomware incidents have dramatically increased in frequency, severity, and complexity ever since the release of Bitcoin in 2009 and the numerous other cryptocurrencies that followed. This consistent and dramatic rise suggests that ransomware does work and attackers do get paid.\r\nHowever, ransomware’s increase in media and academic coverage has led to a relatively recent development. Ransomware has become notorious enough that attackers have now begun to weaponize the fear of ransomware, employing ransomware as a smokescreen for other malicious intents.\r\nIn this particular incident, the existence of various versions of this particular ransomware on VirusTotal (VT) and the lack of any decryption message suggest that the attackers had no intention of providing their victims a means of decrypting their encrypted files — yet another reason why many cybersecurity vendors strongly recommend against paying ransoms.\r\nIn addition to the lack of sophistication in the malware used in this attack, specific attacker behavior proved inconsistent with behavior observed in previous ransomware attacks, such as the decision not to delete volume shadow copies, which leaves the victim a dramatically greater chance of recovery.\r\nAs this attack was also launched just one week before Taiwan’s presidential inauguration, targeted multiple organizations in multiple industries, used unsophisticated ransomware, displayed non-optimal 
attacker behavior, and was attributed to China-linked threat groups by the FBI, the MJIB, and us, it becomes increasingly likely that the end objective of this attack was not financial gain but political deterrence.\r\nThe ransomware was just a smokescreen used to confuse and delay investigators. The attackers had weaponized the fear of ransomware to deceive defenders and achieve their end objectives.\r\nMITRE ATT\u0026CKⓇ Adversarial Technique Mapping\r\nExecution\r\nT1047 Windows Management Instrumentation\r\nT1053.002 Scheduled Task/Job: At (Windows)\r\nT1059.001 Command and Scripting Interpreter: PowerShell\r\nT1106 Native API\r\nPersistence\r\nT1053.002 Scheduled Task/Job: At (Windows)\r\nT1543.003 Create or Modify System Process: Windows Service\r\nPrivilege Escalation\r\nT1053.002 Scheduled Task/Job: At (Windows)\r\nT1484 Group Policy Modification\r\nT1543.003 Create or Modify System Process: Windows Service\r\nDefense Evasion\r\nT1070.004 Indicator Removal on Host: File Deletion\r\nT1070.006 Indicator Removal on Host: Timestomp\r\nT1484 Group Policy Modification\r\nT1497.003 Virtualization/Sandbox Evasion: Time Based Evasion\r\nT1562.001 Impair Defenses: Disable or Modify Tools\r\nDiscovery\r\nT1007 System Service Discovery\r\nT1033 System Owner/User Discovery\r\nT1049 System Network Connections Discovery\r\nT1082 System Information Discovery\r\nT1083 File and Directory Discovery\r\nT1497.003 Virtualization/Sandbox Evasion: Time Based Evasion\r\nImpact\r\nT1486 Data Encrypted for Impact\r\nT1489 Service Stop\r\nEverything Starts From Security\r\nCyCraft Customers can 
prevent cyber intrusions from escalating into business-altering incidents. From endpoint to network, from investigation to blocking, from in-house to cloud, CyCraft AIR covers all aspects required to provide small, medium, and large organizations with the proactive, intelligent, and adaptable security solutions needed to defend against all manner of modern security threats with real-time protection and visibility across the organization.\r\nEngage with CyCraft\r\nBlog | LinkedIn | Twitter | Facebook | YouTube | CyCraft\r\nCyCraft secures government agencies, police and defense organizations, Fortune Global 500 firms, top banks and financial institutions, critical infrastructure, airlines, telecommunications, hi-tech firms, SMEs, and more by being Fast / Accurate / Simple / Thorough.\r\nCyCraft powers SOCs using innovative AI-driven technology to automate information security protection with built-in advanced managed detection and response (MDR), global cyber threat intelligence (CTI), smart threat intelligence gateway (TIG) and network detection and response (NDR), security operations center (SOC) operations software, auto-generated incident response (IR) reports, enterprise-wide Health Check (Compromise Assessment, CA), and Secure From Home services. Everything Starts From Security.\r\nMeet your cyber defense needs in the 2020s by engaging with CyCraft at engage@cycraft.com\r\nAdditional Resources\r\nRead our latest white paper to learn which threat actors target Taiwan, their motivations \u0026 how Taiwan organizations retain resilience against some of the most sophisticated and aggressive cyber attacks in the world.\r\nIs your SOC prepared for the next decade of cyber attacks? 
Read our latest report on building effective SOCs in the 2020s, the challenges to overcome, and the stressors to avoid — includes research from Gartner, Inc. on why midsize enterprises are embracing MDR providers.\r\nNew to the MITRE Engenuity ATT\u0026CK Evaluations? START HERE for a fast, accurate, simple, thorough introductory guide to understanding the results.\r\nOur CyCraft AIR security platform achieved a 96.15% Signal-to-Noise Ratio with zero configuration changes and zero delayed detections straight out of the box.\r\nSource: https://medium.com/cycraft/china-linked-threat-group-targets-taiwan-critical-infrastructure-smokescreen-ransomware-c2a155aa53d5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://medium.com/cycraft/china-linked-threat-group-targets-taiwan-critical-infrastructure-smokescreen-ransomware-c2a155aa53d5"
	],
	"report_names": [
		"china-linked-threat-group-targets-taiwan-critical-infrastructure-smokescreen-ransomware-c2a155aa53d5"
	],
	"threat_actors": [],
	"ts_created_at": 1775434277,
	"ts_updated_at": 1775791278,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/62b31028930669c8edb852457314ad2aa6b3a521.pdf",
		"text": "https://archive.orkl.eu/62b31028930669c8edb852457314ad2aa6b3a521.txt",
		"img": "https://archive.orkl.eu/62b31028930669c8edb852457314ad2aa6b3a521.jpg"
	}
}