Cybersecurity researchers at Trend Micro have uncovered a previously unknown hacker group named Tidrone, believed to be linked to China. This group has been actively targeting Taiwan’s military and satellite industries, with a particular focus on drone manufacturers. The discovery highlights the ongoing cyber threats faced by Taiwan’s defense sector and underscores the importance of robust cybersecurity measures.
Tidrone’s Modus Operandi
While the initial infection vector remains unclear, Trend Micro’s analysis reveals that Tidrone employs a sophisticated multi-stage attack strategy. After gaining initial access, the hackers deploy custom malware, namely CXCLNT and CLNTEND, using remote desktop tools such as UltraVNC. The subsequent stages of the attack involve:
- Privilege escalation by bypassing User Account Control (UAC)
- Credential theft
- Disabling antivirus products to evade detection
Both the CXCLNT and CLNTEND backdoors are launched through DLL sideloading, with Microsoft Word serving as the host process, which lets the attackers collect a wide range of sensitive information.
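The DLL-sideloading step above is something defenders can look for in endpoint telemetry. The following is an added example written for this page, not code from Trend Micro, Acronis, or any of the tools they describe: it scans Sysmon-style ImageLoad (Event ID 7) records and flags DLLs that Word loads from outside the expected Office and Windows directories, that are unsigned, or where the Word binary itself has been copied to an unusual location. The field names, the trusted-directory list, and the sample events are all assumptions constructed for the example; the DLL and path names are placeholders, not indicators from the reported campaign.

```python
"""Heuristic detector for DLL sideloading through Microsoft Word.

Input: Sysmon-style ImageLoad (Event ID 7) records as JSON lines.
Logic: flag DLLs loaded by winword.exe from outside the trusted
install/system directories, DLLs that are not validly signed, and
copies of winword.exe running from outside those directories.
"""
import json
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Assumed trusted locations; adjust to the Office install layout in use.
TRUSTED_DIRS = (
    r"C:\Program Files\Microsoft Office",
    r"C:\Program Files (x86)\Microsoft Office",
    r"C:\Program Files\Common Files\Microsoft Shared",
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Windows\WinSxS",
)

HOST_PROCESSES = {"winword.exe"}

# Constructed sample events, not real telemetry. Paths and DLL names are
# placeholders chosen for the example.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true", "Signature": "Microsoft Windows"}
{"EventID": 7, "Image": "C:\\Users\\alice\\Downloads\\proposal\\WINWORD.EXE", "ImageLoaded": "C:\\Users\\alice\\Downloads\\proposal\\helper.dll", "Signed": "false", "Signature": ""}
{"EventID": 7, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "ImageLoaded": "C:\\Program Files\\Microsoft Office\\root\\Office16\\mso.dll", "Signed": "true", "Signature": "Microsoft Corporation"}
{"EventID": 7, "Image": "C:\\Windows\\explorer.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\x.dll", "Signed": "false", "Signature": ""}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
"""


def _under_trusted_dir(path: str) -> bool:
    """True if the path sits below one of TRUSTED_DIRS (case-insensitive)."""
    p = path.lower()
    return any(p.startswith(d.lower() + "\\") for d in TRUSTED_DIRS)


def analyse_event(event: Dict) -> Optional[Dict]:
    """Return an alert dict for a suspicious Word image load, else None."""
    if event.get("EventID") != 7:
        return None
    image = event.get("Image", "")
    host = PureWindowsPath(image).name.lower()
    if host not in HOST_PROCESSES:
        return None

    loaded = event.get("ImageLoaded", "")
    reasons = []
    # A DLL pulled from a user-writable location is the core sideloading signal.
    if not _under_trusted_dir(loaded):
        reasons.append("dll_outside_trusted_dirs")
    # Sysmon reports signature status; anything but a verified signature is odd for Word.
    if str(event.get("Signed", "")).lower() != "true":
        reasons.append("dll_unsigned_or_unverified")
    # A legitimate signed Word binary copied next to the DLL is a classic sideloading setup.
    if not _under_trusted_dir(image):
        reasons.append("word_binary_outside_trusted_dirs")

    if not reasons:
        return None
    return {"process": image, "dll": loaded, "reasons": reasons}


def scan_jsonl(text: str) -> List[Dict]:
    """Run analyse_event over every non-empty JSON line and collect alerts."""
    alerts = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        alert = analyse_event(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan_jsonl(SAMPLE_EVENTS):
        print(a)
```

Only the second sample event trips the rules (all three reasons fire at once); the normal Office and System32 loads pass. In production the trusted list should be generated from the actual Office deployment, and the rule is best paired with a check on whether the loaded DLL's name collides with a DLL Word legitimately expects.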
Advanced Malware Capabilities
The CXCLNT malware is equipped with several key features:
- File upload and download capabilities
- Trace removal functions
- Victim information gathering (file lists, computer names, etc.)
- Ability to load PE and DLL files for subsequent attack stages
CLNTEND, first observed in April 2024, is a Remote Access Trojan (RAT) that supports a wide range of network protocols for communication, including TCP, HTTP, HTTPS, TLS, and SMB (port 445).
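Because CLNTEND can carry its command channel over SMB, outbound TCP/445 from an endpoint to an address outside the organisation is a cheap and high-value signal to monitor. The block below is an added example for this page, not code from either vendor's report: it reads constructed NetFlow-style CSV records, flags SMB sessions from internal hosts to non-internal destinations, and counts how many internal hosts reach each such destination. The column names, the internal-range list, and the sample flows (including the 203.0.113.77 destination) are assumptions made for the example.

```python
"""Flag SMB (TCP/445) sessions from internal hosts to external addresses.

Reads constructed flow records (NetFlow/firewall-style CSV) and reports
any internal source that opens SMB to a non-internal destination.
"""
import csv
import io
import ipaddress
from collections import Counter
from typing import Dict, List

# Explicit internal ranges (RFC 1918 plus loopback and link-local).
# ipaddress's is_private also treats documentation ranges such as
# 203.0.113.0/24 as private, so an explicit list is used instead.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

SMB_PORT = 445

# Constructed sample flows, not real traffic; addresses are placeholders.
SAMPLE_FLOWS = """\
ts,src_ip,dst_ip,proto,dst_port,bytes_out
2024-05-02T09:14:01Z,10.20.30.41,10.20.30.5,tcp,445,18220
2024-05-02T09:15:44Z,10.20.30.41,203.0.113.77,tcp,445,40960
2024-05-02T09:16:10Z,10.20.30.41,203.0.113.77,tcp,443,3011
2024-05-02T09:17:55Z,10.20.30.42,203.0.113.77,tcp,445,512
2024-05-02T09:18:03Z,10.20.30.42,10.20.30.5,udp,53,120
"""


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_external_smb(csv_text: str) -> List[Dict]:
    """Return one alert per TCP/445 flow that leaves the internal ranges."""
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["proto"].lower() != "tcp" or int(row["dst_port"]) != SMB_PORT:
            continue
        if is_internal(row["src_ip"]) and not is_internal(row["dst_ip"]):
            alerts.append({
                "ts": row["ts"],
                "src": row["src_ip"],
                "dst": row["dst_ip"],
                "bytes_out": int(row["bytes_out"]),
            })
    return alerts


def hosts_per_destination(alerts: List[Dict]) -> Dict[str, int]:
    """Count distinct internal hosts reaching each external SMB destination.

    Several hosts converging on the same external address is a stronger
    command-and-control signal than a single stray connection.
    """
    seen = {(a["dst"], a["src"]) for a in alerts}
    return dict(Counter(dst for dst, _ in seen))


if __name__ == "__main__":
    found = find_external_smb(SAMPLE_FLOWS)
    for a in found:
        print(a)
    print(hosts_per_destination(found))
```

The internal-to-internal SMB flow and the HTTPS flow are ignored; the two TCP/445 flows to 203.0.113.77 are reported, and the summary shows two distinct hosts contacting it. Where the network egress policy already blocks port 445, the same logic applied to firewall deny logs shows which hosts are attempting it.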
Operation WordDrone: A Parallel Investigation
Shortly after Trend Micro’s report, researchers at Acronis published their findings on the same malicious activity, which they dubbed “Operation WordDrone.” Their investigation revealed that the attacks occurred between April and July 2024. Acronis noted that the group employs the Blindside attack technique to evade detection before deploying CLNTEND (also known as ClientEndPoint).
Implications for Taiwan’s Defense Industry
Taiwan’s strong technological base and its alliance with the United States make it a prime target for actors interested in military espionage or supply chain attacks. With approximately a dozen companies involved in drone production for OEM manufacturers and an even larger aerospace industry, the country faces significant cybersecurity challenges.
This recent discovery of Tidrone’s activities serves as a stark reminder of the persistent and evolving cyber threats targeting critical industries. It underscores the need for heightened cybersecurity measures, particularly in sectors related to national defense and advanced technologies. Organizations in these industries must remain vigilant, continuously update their security protocols, and foster international cooperation to combat such sophisticated cyber espionage campaigns.