
Operation TIDRONE: Hackers take control of global drone shipments

Attackers bypass antiviruses and quietly gain top-secret access.

An unknown cyber group, which probably has ties to Chinese-speaking hacker groups, began actively attacking Taiwanese drone manufacturers in 2024. According to Trend Micro, the threat is tracked under the name TIDRONE, and its main target is industrial espionage aimed at the supply chains of military equipment.

The exact way to penetrate the companies' systems has not yet been established, but researchers have identified the use of CXCLNT and CLNTEND malware. Both are distributed through remote desktop management tools such as UltraVNC, among others.

A common feature among all victims was the presence of the same enterprise resource planning (ERP) software, suggesting a possible supply chain attack.

Cyberattacks as part of Operation TIDRONE typically proceed in three phases:
1. Exploiting a privilege-escalation weakness in User Account Control (UAC);
2. Obtaining account credentials;
3. Disabling antivirus software on infected devices.

The malware is launched by having Microsoft Word load a malicious DLL, which gives the attackers access to confidential information.

CXCLNT is capable of uploading and downloading files, erasing traces of its activity, collecting system information, and launching subsequent stages of the attack. In turn, CLNTEND, first discovered in April 2024, is more powerful and supports multiple network protocols, including TCP, HTTP, HTTPS, and SMB.

Researchers Pierre Lee and Vicki Su of Trend Micro note that the file compilation timestamps and the group's activity windows overlap with those seen in earlier espionage cases, which confirms its connection to certain Chinese-speaking hacker groups.

This incident highlights the vulnerability of supply chains, especially in sectors related to military equipment.
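Since the report says the malware is started by Microsoft Word loading a malicious DLL, a defender's first detection step is to flag Word loading DLLs from unexpected places. The following is an added example, not code from Trend Micro or the article: it parses constructed Sysmon-style "Image loaded" records (a simplified key=value format, with a hypothetical `Signed` field and an allow-list of trusted directories that you would tune per environment) and reports WINWORD.EXE loads that come from untrusted paths or are unsigned.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample records in a simplified Sysmon Event ID 7 (Image loaded)
# key=value layout. These are made-up lines, not logs from any real incident.
SAMPLE_LOGS = [
    "EventID=7 Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE ImageLoaded=C:\\Windows\\System32\\kernel32.dll Signed=true",
    "EventID=7 Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE ImageLoaded=C:\\Users\\alice\\AppData\\Roaming\\Temp\\msvcr100.dll Signed=false",
    "EventID=7 Image=C:\\Windows\\explorer.exe ImageLoaded=C:\\Users\\alice\\Downloads\\helper.dll Signed=false",
    "EventID=7 Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE ImageLoaded=C:\\Program Files\\Microsoft Office\\root\\Office16\\mso.dll Signed=true",
]

# Hypothetical allow-list: directories from which Word is expected to load DLLs.
TRUSTED_ROOTS = (
    PureWindowsPath(r"C:\Windows"),
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)

# Each value runs until the next " key=" token or the end of the line, so paths
# containing spaces (e.g. "Program Files") are kept intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line):
    """Split one 'key=value key=value ...' record into a dict."""
    return dict(FIELD_RE.findall(line))

def is_under(path, root):
    """True if path lies inside root (case-insensitive, as on Windows)."""
    try:
        PureWindowsPath(path).relative_to(root)
        return True
    except ValueError:
        return False

def suspicious_word_loads(lines):
    """Return (process, dll, reason) for WINWORD.EXE loading DLLs from
    untrusted directories or without a valid signature."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7":
            continue
        if PureWindowsPath(ev.get("Image", "")).name.lower() != "winword.exe":
            continue
        dll = ev["ImageLoaded"]
        reasons = []
        if not any(is_under(dll, root) for root in TRUSTED_ROOTS):
            reasons.append("untrusted directory")
        if ev.get("Signed", "false").lower() != "true":
            reasons.append("unsigned")
        if reasons:
            hits.append((ev["Image"], dll, ", ".join(reasons)))
    return hits

if __name__ == "__main__":
    for process, dll, reason in suspicious_word_loads(SAMPLE_LOGS):
        print(f"ALERT {process} loaded {dll} ({reason})")
```

Only the second record is flagged: the loads from System32 and the Office directory pass, and explorer.exe is outside the rule's scope.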
