Threat hunters have identified a new threat actor, UAT-5918, that has been targeting critical infrastructure organizations in Taiwan since at least 2023.
According to Cisco Talos researchers Jungsoo An, Asheer Malhotra, Brandon White, and Vitor Ventura, UAT-5918 appears to be motivated by the goal of establishing long-term access for information theft. The group employs a mix of web shells and open-source tools to carry out post-compromise activities, enabling them to maintain persistent access within victim environments for credential harvesting and further data exfiltration.
Targeted Sectors
Beyond critical infrastructure, UAT-5918 has also directed its attacks toward other sectors, including information technology, telecommunications, academia, and healthcare.
Tactics and Techniques
Classified as an advanced persistent threat (APT) group, UAT-5918 exhibits tactical similarities with several known Chinese hacking teams such as Volt Typhoon, Flax Typhoon, Tropic Trooper, Earth Estries, and Dalbit.
The group’s attack chain begins by exploiting known (N-day) vulnerabilities in unpatched web and application servers that are accessible over the internet. Once initial access is secured, the attackers deploy various open-source tools to perform network reconnaissance, collect system information, and facilitate lateral movement across the compromised network.
For post-exploitation activities, UAT-5918 leverages tools like Fast Reverse Proxy (FRP) and Neo-reGeorg to create reverse proxy tunnels, allowing remote access to compromised endpoints through attacker-controlled hosts. Additionally, the threat actor makes use of credential harvesting utilities such as Mimikatz, LaZagne, and a browser-based extractor known as BrowserDataLite. The latter is designed to steal login credentials, cookies, and browsing history, which then enables the attackers to penetrate deeper into the target network via remote-access protocols and tools like RDP, WMIC, or Impacket.
Other malicious tools in their arsenal include the Chopper web shell, Crowdoor, and SparrowDoor; the latter two have previously been associated with the Earth Estries group. The attackers also systematically enumerate local and shared drives to locate valuable data for exfiltration.
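Because web shells on internet-facing servers are the entry point this report keeps returning to, a defender's first hunt is usually over the web server's own access logs. The script below is an added example written for this page, not code from Cisco Talos or from the report; it parses constructed IIS W3C log lines (the sample log, the thresholds, and the list of "writable" path fragments are all assumptions) and flags script URIs that look like a shell being driven by an operator: almost only POST requests, never arriving with a referer, from a handful of client addresses, with a non-browser user agent, under a path a web application can write to.

```python
"""Hunt for web-shell-style request patterns in IIS W3C access logs.

Added example for this article; the log sample, thresholds and path list are
constructed assumptions, not indicators from the Talos report.
"""
from collections import defaultdict
from dataclasses import dataclass, field

SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".php", ".jsp")
# Path fragments a web app commonly has write access to (assumed list).
WRITABLE_HINTS = ("/upload", "/temp", "/tmp", "/images", "/files")

# Constructed sample: three browsers use the normal login flow; one script
# file under /uploads/ receives only referer-less POSTs from two addresses.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-03-10 01:12:04 10.0.0.5 GET /index.aspx - 203.0.113.7 Mozilla/5.0 - 200
2025-03-10 01:12:09 10.0.0.5 POST /login.aspx - 203.0.113.7 Mozilla/5.0 https://portal.example/index.aspx 302
2025-03-10 01:13:15 10.0.0.5 GET /index.aspx - 198.51.100.20 Mozilla/5.0 - 200
2025-03-10 01:13:21 10.0.0.5 POST /login.aspx - 198.51.100.20 Mozilla/5.0 https://portal.example/index.aspx 302
2025-03-10 01:13:58 10.0.0.5 GET /index.aspx - 192.0.2.44 Mozilla/5.0 - 200
2025-03-10 01:14:02 10.0.0.5 POST /login.aspx - 192.0.2.44 Mozilla/5.0 https://portal.example/index.aspx 200
2025-03-10 02:41:50 10.0.0.5 POST /uploads/img.aspx - 192.0.2.99 python-requests/2.31 - 200
2025-03-10 02:42:03 10.0.0.5 POST /uploads/img.aspx - 192.0.2.99 python-requests/2.31 - 200
2025-03-10 02:42:17 10.0.0.5 POST /uploads/img.aspx - 192.0.2.99 python-requests/2.31 - 200
2025-03-10 03:05:41 10.0.0.5 POST /uploads/img.aspx - 192.0.2.120 python-requests/2.31 - 200
2025-03-10 03:06:11 10.0.0.5 GET /static/logo.png - 203.0.113.7 Mozilla/5.0 https://portal.example/index.aspx 200
"""


@dataclass
class UriStats:
    posts: int = 0
    gets: int = 0
    clients: set = field(default_factory=set)
    referers: int = 0            # requests that carried any Referer header
    agents: set = field(default_factory=set)


def parse_iis(text):
    """Yield one dict per request, using the #Fields: header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()          # IIS encodes spaces inside fields as '+'
        if len(parts) != len(fields):
            continue                  # skip truncated or malformed lines
        yield dict(zip(fields, parts))


def aggregate(records):
    """Collect per-URI request statistics for script files only."""
    stats = defaultdict(UriStats)
    for r in records:
        uri = r["cs-uri-stem"].lower()
        if not uri.endswith(SCRIPT_EXT):
            continue
        s = stats[uri]
        if r["cs-method"] == "POST":
            s.posts += 1
        elif r["cs-method"] == "GET":
            s.gets += 1
        s.clients.add(r["c-ip"])
        if r["cs(Referer)"] != "-":
            s.referers += 1
        s.agents.add(r["cs(User-Agent)"])
    return stats


def score(uri, s, max_clients=2, post_ratio=0.8):
    """Return the list of web-shell heuristics a URI matches (assumed thresholds)."""
    reasons = []
    total = s.posts + s.gets
    if total and s.posts / total >= post_ratio:
        reasons.append("post-heavy")
    if s.referers == 0:
        reasons.append("never-referred")
    if len(s.clients) <= max_clients:
        reasons.append("few-clients")
    if not all(a.startswith("Mozilla/") for a in s.agents):
        reasons.append("non-browser-agent")
    if any(h in uri for h in WRITABLE_HINTS):
        reasons.append("writable-path")
    return reasons


def hunt(text, min_reasons=3):
    """Map each suspicious script URI to the heuristics it triggered."""
    findings = {}
    for uri, s in aggregate(parse_iis(text)).items():
        reasons = score(uri, s)
        if len(reasons) >= min_reasons:
            findings[uri] = reasons
    return findings


if __name__ == "__main__":
    for uri, reasons in hunt(SAMPLE_LOG).items():
        print(f"{uri}: {', '.join(reasons)}")
```

Each heuristic on its own is noisy (a legitimate API endpoint is also POST-heavy and referer-less), which is why the script requires several to coincide and reports which ones fired, so an analyst can tune `min_reasons` and the path list against a baseline of their own servers before alerting on it.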
Summary
The researchers conclude that UAT-5918’s post-compromise operations are largely manual and primarily focused on information theft. Their activities include the deployment of web shells across subdomains and internet-facing servers, creating multiple entry points into victim networks.
This comprehensive approach underscores the advanced and persistent nature of UAT-5918’s threat, highlighting the need for enhanced security measures across the targeted sectors.