Security researchers have identified a threat cluster targeting businesses in Taiwan’s military supply chain.
TIDRONE, identified by researchers at Trend Micro, is “an unidentified threat actor linked to Chinese-speaking groups.” TIDRONE appears to be targeting companies in the military and space sectors, with a focus on drone makers.
Trend Micro first started tracking incidents from the threat cluster at the beginning of this year. The group appears to be using enterprise resource planning (ERP) and remote desktop software to deploy malware.
Researchers identified two malware payloads, CXCLNT and CLNTEND. CXCLNT can upload and download files, and collect information on victims’ IT systems. CLNTEND is a remote access tool first discovered in April.
Although the malware associated with TIDRONE was first reported in Korea in 2022, and again in Canada in 2023, the group targeted payment services in Taiwan in March this year. Subsequently, Trend Micro observed that the group was targeting Taiwan’s military industry between April and July. In July and August, the group appeared to switch to the satellite industry.
Trend Micro researchers also believe that the malware is now deployed, and infiltration is now at the lateral move stage. Researchers found that a number of victims use the same ERP software, opening up the possibility that TIDRONE is using a supply chain attack to gain access to their systems.
Read more about supply chain attacks: Software Supply Chain Attacks Hit 61% of Firms
Trend Micro analysts believe that TIDRONE is a Chinese-speaking threat group. This is based on file compilation times and the threat actor’s operation times, and is supported by the targeted nature of the attack.
“The focus on military-related industry chains, particularly in the manufacturers of drones, suggests an espionage motive, given the sensitive data these entities typically hold,” the researchers wrote.
Taiwan has faced a growing number of cyber-attacks and “grey zone” activity as tensions have grown with China. Earlier this year security researchers at Recorded Future identified RedJuliett as targeting academic, government, think tanks and technology organizations on the island.
Consulting firm Booz Allen Hamilton produced a detailed report earlier this year, setting out how the People’s Republic of China is using cyber power against Taiwan.