UAT-5918 ATP Group Targets Critical Taiwan with Sophisticated Cyberattacks
Cisco Talos has uncovered a highly sophisticated threat actor, known as UAT-5918, which has been actively targeting critical infrastructure in Taiwan since 2023. This Advanced Persistent Threat (APT) group employs advanced web shells and open-source tools to maintain persistence, steal sensitive information, and compromise network credentials.
The UAT-5918 APT group uses a combination of tactics, techniques, and procedures (TTPs) to achieve its goals, including exploiting unpatched servers for long-term access. The group manually conducts post-compromise activities, leveraging open-source tools such as Mimikatz, Fast Reverse Proxy (FRP), and Impacket for lateral movement via RDP and PowerShell remoting.
The researchers have linked the UAT-5918 APT group to China due to overlapping TTPs with multiple Chinese APT groups, including Volt Typhoon, Flax Typhoon, and Dalbit. The report published by Talos notes that "there is a significant overlap in post-compromise tooling and TTPs with Volt Typhoon, such as using ping and tools like In-Swor for network discovery; gathering system information such as drive and partition; gathering logical drive information such as names, IDs, size, and free spaces; credential dumping from web browser applications; using open-source tools such as frp, Earthworm, and Impacket for establishing control channels; and the absence of custom-made malware."
The UAT-5918 APT group shares tooling and tactics with Chinese APT groups Tropic Trooper, Earth Estries, and Dalbit, using tools like FRP, FScan, Impacket, and web shells. However, the group also employs unique tools such as LaZagne, SNetCracker, and PortBrute, which haven't been publicly linked to other groups, suggesting either exclusive use or undisclosed associations.
The threat actor uses FRP and Neo-reGeorge to establish reverse proxy tunnels, maintaining access to compromised endpoints via attacker-controlled remote hosts. The researchers noticed that tools are usually downloaded as archives and extracted before execution.
Target Sectors
The UAT-5918 APT group mainly targets Taiwan's telecom, healthcare, IT, and critical infrastructure sectors. The group maintains persistent access by deploying ASP and PHP web shells deep in system directories and using JuicyPotato for privilege escalation.
They create backdoored admin accounts and steal credentials via Mimikatz, LaZagne, and registry dumps. The group pivots within networks using RDP, Impacket, and brute-force tools like SNETCracker. They stage and exfiltrate data, including confidential files and database backups, using SQLCMD.
IOCs Published
Talos researchers have published Indicators of Compromise (IOCs) on their GitHub repository, providing a valuable resource for organizations to detect and respond to the UAT-5918 APT group's activities.
Stay up-to-date with the latest cybersecurity news and threats by following me on Twitter: @securityaffairs and Facebook and Mastodon.
Latest Developments
This article will be updated as more information becomes available about the UAT-5918 APT group. In the meantime, please keep an eye out for any suspicious activity and consider reaching out to your IT department or cybersecurity team if you have any concerns.