Nation-state hacker group targeting Taiwan, US, Vietnam and Pacific Islands


A previously unknown government-backed hacking group is targeting organizations in the manufacturing, IT, and biomedical sectors across Taiwan, Vietnam, the U.S. and an unnamed Pacific island, according to new research from Symantec.

The researchers are tracking the group under the name “Grayling” and said in a report released Tuesday that it is using custom-made malware as well as publicly available tools to attack its targets.

The attacks, which began in February and continued through May, stood out to researchers because of the distinctive hacking tools used. The goal of the campaign is espionage rather than financial gain, they said.

They found attacks on several organizations in the manufacturing, IT, and biomedical sectors in Taiwan, as well as an incident involving a government agency located in the Pacific island. Unnamed organizations in Vietnam and the U.S. were also targeted as part of the campaign.

“There are indications that Grayling may exploit public facing infrastructure for initial access to victim machines,” Symantec said.

“The attackers take various actions once they gain initial access to victims’ computers, including escalating privileges, network scanning, and using downloaders.”

The hackers used Havoc, an open-source tool that has gained prominence among hackers as an alternative to Cobalt Strike. The tool allows hackers to download additional payloads, execute commands on victim machines, manipulate Windows tokens and more.

During the attacks, Symantec saw the hackers use a spyware tool called NetSpy and exploit a popular Windows vulnerability, tracked as CVE-2019-0803.

“While we do not see data being exfiltrated from victim machines, the activity we do see and the tools deployed point to the motivation behind this activity being intelligence gathering. The sectors the victims operate in…are also sectors that are most likely to be targeted for intelligence gathering rather than for financial reasons,” they said.

“The use of custom techniques combined with publicly available tools is typical of the activity we see from APT groups these days, with threat actors often using publicly available or living-off-the-land tools in attempts to bypass security software and help their activity stay under the radar of defenders.”

While Symantec declined to attribute the activity to a specific country, they said the “heavy targeting of Taiwanese organizations does indicate that they likely operate from a region with a strategic interest in Taiwan.”

In May, the U.S. government and Microsoft accused Chinese hackers of infiltrating critical infrastructure systems and other areas around U.S. military bases in Guam, a U.S. territory in the Pacific.

Symantec has also released multiple reports this year tracking Chinese espionage campaigns across Vietnam and other Southeast Asian nations, as well as Taiwan.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

