UAT-5918 Breaches Taiwan’s Critical Sectors Using N-Day Flaws for Cyberespionage

Hackers with ties to China-based hacking groups are breaching Taiwan’s critical infrastructure by exploiting unpatched web and application servers as entry points for a cyberespionage campaign, researchers said.
Cisco Talos threat hunters identified a new threat actor, which they track as UAT-5918, that has been targeting Taiwan’s critical infrastructure since at least 2023.
Researchers found that the group’s tactics, techniques and procedures, as well as its target selection, overlap with those of Chinese state-backed groups such as Volt Typhoon and Flax Typhoon. The group has also targeted sectors including information technology, telecommunications, academia and healthcare.
UAT-5918 gains initial access by exploiting N-day vulnerabilities (publicly known flaws for which fixes are already available) in unpatched web and application servers. The group then installs open-source tools to survey the network, collect system details and move laterally across devices.
To maintain access, UAT-5918 uses Fast Reverse Proxy and Neo-reGeorg to establish reverse proxy tunnels, which allow remote control of compromised endpoints through attacker-operated hosts.
Many of the tools employed for credential and data theft are also associated with Volt Typhoon and Flax Typhoon, both notorious for espionage activities. Cisco Talos further uncovered possible links between UAT-5918 and other China-based threat actors, including FamousSparrow and Earth Estries.
UAT-5918 employs a range of credential-harvesting tools, including Mimikatz, LaZagne and BrowserDataLite, to extract login credentials and deepen its foothold in compromised networks. The group expands its access using RDP, WMIC and Impacket, enabling further infiltration.
The attackers also deploy the Chopper web shell, Crowdoor and SparrowDoor – the latter two previously linked to Earth Estries – to maintain persistence. BrowserDataLite, in particular, is designed to steal login credentials, cookies and browsing history from web browsers. The group also conducts systematic data theft, scanning both local and shared drives for valuable information.
The FBI in January disrupted Volt Typhoon for infiltrating critical infrastructure networks in the United States and Guam. The operation involved court-approved actions to remotely disable malicious web shells that the hackers had planted on vulnerable routers and network devices. The FBI worked with private-sector partners to neutralize the threat before the attackers could use their access for espionage or sabotage (See: Here’s How the FBI Stopped a Major Chinese Hacking Campaign).
Members of the House Homeland Security Committee this week initiated an oversight investigation into the federal government’s handling of cyber intrusions by Volt Typhoon and Salt Typhoon. They expressed concerns over the previous administration’s lack of transparency and delayed responses to the threats, which compromised U.S. critical infrastructure sectors such as energy, water, transportation and communications.
According to Cisco Talos researchers, UAT-5918’s operations suggest that “the post-compromise activity is done manually with the main goal being information theft.”