A recently discovered series of cyberattacks indicates that the industry is of strategic value to adversaries of Taiwan.
Following a series of customer incidents involving “strange behavior” in an old (2010) version of Microsoft Word, a cybersecurity firm has uncovered what appears to be a new advanced persistent threat (APT) campaign against drone manufacturers in Taiwan.
Upon investigation, it was found that a dynamic link library (DLL) loaded by Winword.exe had been replaced with a malicious copy. The malicious DLL first checks that the targeted version of Microsoft Word is the process loading it; it then loads an encrypted payload, disables popular antivirus, firewall and endpoint detection and response (EDR) software (blinding the victim's defenses), and finally establishes command-and-control (C2) communication with servers located in Taiwan itself.
With C2 established, the payload can collect user and operating system information, execute shellcode, communicate with other infected machines on the network, and quietly exfiltrate various kinds of data, such as Remote Desktop Protocol (RDP) logs. Notably, the malware components were signed with valid digital certificates, which allowed them to pass security checks on the targeted systems that rely on code signing alone. Anti-forensic techniques are also used to wipe traces of the malware's activity once its dozens of malicious functions have run.
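The two detection-relevant points above are that a DLL loaded by Winword.exe was replaced in place, and that the replacement carried a valid signature, so "is it signed?" is not a sufficient check. The following script is an added example, not code from the Acronis report or any vendor tool: it parses Sysmon Event ID 7 (ImageLoad) messages and flags DLLs loaded by winword.exe that come from an unexpected directory, are unsigned, are signed by a publisher other than Microsoft, or whose SHA256 differs from a known-good baseline. The sample events, the publisher allowlist, the directory allowlist and the baseline hashes are all constructed for this example and are assumptions, not values taken from the investigation.

```python
"""Hunt for suspicious DLLs loaded by winword.exe in Sysmon Event ID 7 records.

Added example (not from the original report). Events, signer allowlist,
directory allowlist and baseline hashes below are constructed assumptions.
"""
import re
from pathlib import PureWindowsPath

# Publishers whose signatures we accept on Office DLLs (assumption for this example).
TRUSTED_SIGNERS = {"Microsoft Corporation", "Microsoft Windows"}

# Directories from which Word is expected to load DLLs (lowercase, assumption).
ALLOWED_DIRS = (
    r"c:\program files\microsoft office",
    r"c:\program files (x86)\microsoft office",
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)

# Known-good SHA256 per DLL name. Placeholder values, NOT real Office hashes;
# in practice, populate this from a clean reference install.
BASELINE_SHA256 = {
    "wwlib.dll": "1111aaaa",
    "mso.dll": "2222bbbb",
}

# Constructed Sysmon Event ID 7 messages (Word 2010 lives under Office14).
SAMPLE_EVENTS = [
    # 1: legitimate Office DLL, Microsoft-signed, hash matches baseline.
    r"""Image loaded:
UtcTime: 2024-07-01 08:12:33.123
ProcessId: 4321
Image: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
ImageLoaded: C:\Program Files (x86)\Microsoft Office\Office14\wwlib.dll
Hashes: SHA256=1111aaaa
Signed: true
Signature: Microsoft Corporation
SignatureStatus: Valid""",
    # 2: same path, but the DLL was replaced: validly signed by a third party.
    r"""Image loaded:
UtcTime: 2024-07-01 08:14:05.456
ProcessId: 4321
Image: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
ImageLoaded: C:\Program Files (x86)\Microsoft Office\Office14\wwlib.dll
Hashes: SHA256=deadbeef
Signed: true
Signature: Contoso Software Ltd
SignatureStatus: Valid""",
    # 3: unsigned DLL loaded from a user-writable directory.
    r"""Image loaded:
UtcTime: 2024-07-01 08:15:41.789
ProcessId: 4321
Image: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
ImageLoaded: C:\Users\Public\Libraries\mso.dll
Hashes: SHA256=3333cccc
Signed: false
Signature: -
SignatureStatus: Unavailable""",
    # 4: a different process; out of scope for this hunt.
    r"""Image loaded:
UtcTime: 2024-07-01 08:16:00.000
ProcessId: 1234
Image: C:\Windows\explorer.exe
ImageLoaded: C:\Windows\System32\shell32.dll
Hashes: SHA256=4444dddd
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid""",
]


def parse_sysmon_message(text: str) -> dict:
    """Turn the 'Key: value' lines of a Sysmon message into a dict."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():          # skips the 'Image loaded:' title line
            fields[key.strip()] = value.strip()
    return fields


def sha256_of(fields: dict):
    """Extract the SHA256 value from Sysmon's 'Hashes' field, if present."""
    m = re.search(r"SHA256=([0-9A-Fa-f]+)", fields.get("Hashes", ""))
    return m.group(1).lower() if m else None


def assess_image_load(fields: dict) -> list:
    """Return the reasons an ImageLoad event is suspicious (empty list if clean)."""
    reasons = []
    if PureWindowsPath(fields.get("Image", "")).name.lower() != "winword.exe":
        return reasons                      # only hunting Word's loads here
    loaded = fields.get("ImageLoaded", "")
    if not any(loaded.lower().startswith(d) for d in ALLOWED_DIRS):
        reasons.append(f"loaded from unexpected directory: {loaded}")
    if fields.get("Signed", "").lower() != "true":
        reasons.append("DLL is unsigned")
    elif fields.get("SignatureStatus") != "Valid":
        reasons.append(f"signature not valid: {fields.get('SignatureStatus')}")
    elif fields.get("Signature") not in TRUSTED_SIGNERS:
        # A valid signature is not enough: the campaign used valid certificates.
        reasons.append(f"valid signature from unexpected publisher: {fields.get('Signature')}")
    name = PureWindowsPath(loaded).name.lower()
    expected, actual = BASELINE_SHA256.get(name), sha256_of(fields)
    if expected and actual and actual != expected:
        reasons.append(f"{name} hash {actual} differs from baseline {expected}")
    return reasons


def hunt(messages) -> list:
    """Run the assessment over raw Sysmon messages; return (ImageLoaded, reasons) pairs."""
    findings = []
    for msg in messages:
        fields = parse_sysmon_message(msg)
        reasons = assess_image_load(fields)
        if reasons:
            findings.append((fields.get("ImageLoaded", "?"), reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in hunt(SAMPLE_EVENTS):
        print(path)
        for r in reasons:
            print("   -", r)
```

Two caveats for anyone adapting this: Sysmon only emits Event ID 7 when ImageLoad is enabled in its configuration (it is off by default because of volume), and the hash baseline is the check that matters most here, since a DLL replaced in its normal Office directory with a validly signed copy passes both the path check and a naive "is signed" check, and is caught only by the publisher allowlist and the hash mismatch.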
Other investigations have traced the initial infection to enterprise resource planning (ERP) software used throughout the victim organization. The ERP software, which is widely used in Taiwan, is believed to have been compromised through a supply chain attack. Part of the compromised ERP software was found to contain CVE-2024-40521, a vulnerability with a CVSS score of 8.8.
Similar incidents involving old versions of Microsoft Word were encountered between April and July 2024, concentrated on lateral movement among Windows workstations but also progressing to Windows servers.
According to a spokesperson from the Acronis Threat Research Unit, which discovered the likely APT campaign, Taiwan's drone industry (made up largely of small- to medium-sized businesses) has been targeted because of its global reach extending into military applications, its wealth of sensitive information that could be weaponized for espionage, and its potential value in geopolitical agendas.