Hackers Break into Taiwan’s Web Servers
Web servers in Taiwan were recently attacked by a group of hackers known as UAT-7237. These hackers speak Chinese and have been active since at least 2022. Their goal is not just to break in, but to stay hidden inside computer systems for a long time.
Experts believe UAT-7237 is part of another larger hacker group called UAT-5918, which has been targeting Taiwan’s important systems since 2023.
What makes UAT-7237 different is the way they work. Instead of creating brand-new programs, they take hacking tools that are free on the internet and change them slightly. This makes it harder for security systems to spot them. They usually start by looking for old servers that have not been updated and are easy to attack. After breaking in, they carefully check if the system is valuable enough to target.
The Special Tools Used by Hackers
One of the main tools used by the hackers is called SoundBill. This tool hides inside the computer and secretly loads other dangerous programs. It is often used to install Cobalt Strike, a program that hackers use to create secret connections inside the attacked system.
Other hacker groups usually place hidden files called web shells right after they break in. But UAT-7237 does things differently. They use a program called SoftEther VPN to keep a safe way in, and later they use Remote Desktop Protocol (RDP) to control the system. This makes their attack less obvious in the beginning.
After getting inside, the hackers spread to other computers in the same company or office. They use SoundBill and then add more tools like JuicyPotato, which gives them more power inside Windows computers, and Mimikatz, which steals usernames and passwords.
In some cases, the hackers used a newer version of SoundBill that already includes Mimikatz. This means they can steal passwords at the same time they are breaking in, making the attack faster and harder to stop.
The hackers also use a program called FScan to look for weak computers on the same network. They also change settings in Windows to make it easier to run their attacks without being blocked. For example, they try to turn off User Account Control (UAC) and make Windows keep passwords in plain text, where they can be read.
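A defender can watch for exactly the two Windows changes described above. The script below is an added example for this article (not code from the report or the attackers); it scans constructed, flattened Sysmon registry-set events and flags changes that disable UAC or enable plaintext credential caching. The registry paths used are the standard locations for those settings, which is an assumption, since the article does not name the keys.

```python
import re

# Registry settings whose change weakens the host in the two ways the article
# names. The exact keys UAT-7237 touched are not given above; these are the
# standard locations for each setting (an assumption of this example).
WEAKENING_SETTINGS = {
    r"policies\system\enablelua": ("0", "UAC disabled (EnableLUA=0)"),
    r"policies\system\consentpromptbehavioradmin": ("0", "UAC elevates admins without prompting"),
    r"securityproviders\wdigest\uselogoncredential": ("1", "WDigest caches plaintext credentials"),
}

# Flattened Sysmon Event ID 13 (registry value set) line; layout is constructed.
LINE_RE = re.compile(
    r"EventID=(?P<id>\d+)\s+Image=(?P<image>\S+)\s+"
    r"TargetObject=(?P<target>\S+)\s+Details=(?P<details>.+)$"
)

def parse_registry_set(line):
    """Return the fields of a registry-set event, or None for other events."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("id") != "13":
        return None
    return m.groupdict()

def dword_value(details):
    """Sysmon writes DWORDs as 'DWORD (0x00000001)'; normalise to a decimal string."""
    m = re.search(r"0x([0-9a-fA-F]+)", details)
    return str(int(m.group(1), 16)) if m else details.strip()

def find_hardening_rollbacks(lines):
    """Return (process, reason) for each event that sets a weakening value."""
    findings = []
    for line in lines:
        ev = parse_registry_set(line)
        if ev is None:
            continue
        target = ev["target"].lower()
        for suffix, (bad_value, reason) in WEAKENING_SETTINGS.items():
            if target.endswith(suffix) and dword_value(ev["details"]) == bad_value:
                findings.append((ev["image"], reason))
    return findings

# Constructed sample: two weakening changes, one legitimate re-enable of UAC,
# one unrelated key and one non-registry event.
SAMPLE_LOG = [
    r"EventID=13 Image=C:\Windows\System32\reg.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Details=DWORD (0x00000000)",
    r"EventID=13 Image=C:\Windows\System32\reg.exe TargetObject=HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential Details=DWORD (0x00000001)",
    r"EventID=13 Image=C:\Windows\System32\svchost.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Details=DWORD (0x00000001)",
    r"EventID=13 Image=C:\Windows\explorer.exe TargetObject=HKCU\Software\Example\Setting Details=DWORD (0x00000000)",
    r"EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine=whoami",
]

if __name__ == "__main__":
    for image, reason in find_hardening_rollbacks(SAMPLE_LOG):
        print(f"{reason} <- {image}")
```

Feeding real Sysmon exports requires only adapting `LINE_RE` to the export format; the matching logic stays the same.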
One small but important clue showed the hackers’ background. In their VPN program, the default language was set to Simplified Chinese, which suggests the hackers are Chinese-speaking.
Another Dangerous Malware Found
At the same time as this discovery, another piece of malware called FireWood was found. This malware is linked to a different Chinese hacking group known as Gelsemium.
FireWood can hide itself very well. It uses a secret program inside the computer’s core system, called a kernel driver module, to stay invisible. Once it is active, hackers can send commands from their own servers and make the infected computer do what they want.
The new version of FireWood works mostly the same as before, but some small parts of it have changed. Researchers are still not sure if the hidden kernel driver has also been updated.
These findings show that advanced hacking groups are using smart tricks, like changing free hacking tools, stealing passwords, and creating secret backdoors, to attack Taiwan’s systems. Because they stay hidden for a long time, these attacks are very difficult to stop.