Intro Note: If you are technically knowledgeable in cyber defence and offence, you can read the original research into the Antlion campaign from Symantec’s Threat Hunter Team, or listen to The CyberWire’s Research Saturday podcast with Symantec. As these are technical sources, my goal is to stay non-technical and offer the key takeaways for the general public, especially insight into Taiwan’s cyber defence, which is an often overlooked sort of ‘black box’. Thanks to K. Goodwin for editing assistance.

Intro to Symantec’s Research into Antlion APT

Symantec’s research focuses on a Chinese Advanced Persistent Threat (APT, a designation for a nation-state actor capable of maintaining a long-term presence inside a victim’s infrastructure) known as Antlion.(1) Although Symantec claims to have followed Antlion since 2011, which would pre-date the stronger shift to cyber espionage under Chinese President Xi Jinping, the group’s actions remained largely invisible to the general public until last year. Antlion’s objective for the campaign was espionage against Taiwanese financial and manufacturing institutions. The attacks occurred from late December 2020 through 2021. Antlion maintained persistence for a maximum of 250 days in one financial institution, and 175 days in another. Almost a year of persistence in any system gives attackers enough time to access anything not segmented off from the infected network.

For the technical intrusion, Antlion used a new back door called xPack to exploit the infected networks. xPack chiefly made use of EternalBlue and file-sharing technology to move through the system, quietly copying documents off the network while loading malware to move laterally across it. To make the non-technical analogy, this is an espionage group who manages to install a secret door into your house; but not only do they install a door, they set up a small copy machine that allows them to rummage around your personal documents and copy them, all without your knowing. They also install their own security cameras, a locksmith machine to copy any new keys, and a small bed – creepy!(2)

The interesting part is that Symantec was unable to identify how the APT gained access to the institutions. However, as evidenced by commands being executed via SQL injection, Antlion likely gained access via an unpatched vulnerability. To continue the analogy, SQL injection is essentially forcing your way into the network through a basement door you did not know existed.

Unpatched systems

However, this is where I will move off the technical path. Symantec’s analysis of Antlion offers insight into the larger consequences this carries for Taiwanese cyber security. Notably, SQL injection and EternalBlue both require access to unpatched systems. SQL injection is harder to patch against, as it remains a common attack vector for leveraging zero-day bugs. EternalBlue, by contrast, does have a patch; even so, it may remain exploitable on a nondescript machine in the office carrying out monotonous, forgotten processes.

The incriminating vulnerability Antlion took advantage of for privilege escalation was CVE-2019-1458. As suggested by the ‘2019’ in the name, Kaspersky Lab identified this vulnerability in December 2019, and Microsoft issued a patch on December 2019’s Patch Tuesday. Hence, since Antlion took advantage of CVE-2019-1458, the infected institutions had machines that had gone unpatched since before December 2019. One of the easiest ways to halt persistence is patching all machines — even those boring, forgotten machines — monthly on Patch Tuesday.
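An added defender-side check for the two patchable conditions described above; this is example code written for this post, not from the blog or from Symantec’s research. It assumes a Windows host that provides Get-SmbServerConfiguration (Windows 8 / Server 2012 or later), and uses 10 December 2019, the December 2019 Patch Tuesday, as the cutoff date.

```powershell
# Added example, not from the original post or Symantec's report.
# Flags the two patchable conditions the post names: SMBv1 still enabled
# (what EternalBlue needs) and a host whose newest installed update predates
# December 2019 (so it cannot carry the fix for CVE-2019-1458).
# Assumes Windows 8 / Server 2012 or later (for Get-SmbServerConfiguration).

$Cutoff = Get-Date '2019-12-10'   # December 2019 Patch Tuesday, assumed from the post

function Test-PatchHygiene {
    $findings = @()

    # 1. EternalBlue requires the SMBv1 protocol; it should be disabled unless
    #    a legacy application genuinely depends on it.
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol) {
        $findings += 'SMBv1 is enabled: EternalBlue-class exploits remain possible. ' +
                     'Remediate with: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
    }

    # 2. Newest installed update. Get-HotFix lists updates with an install date;
    #    a host whose latest one predates the cutoff has missed years of Patch Tuesdays.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if (-not $latest) {
        $findings += 'No dated updates found: treat this host as unpatched.'
    } elseif ($latest.InstalledOn -lt $Cutoff) {
        $findings += ('Newest update {0} installed {1:yyyy-MM-dd}, before {2:yyyy-MM-dd}: ' +
                      'CVE-2019-1458 and later fixes are missing.') -f $latest.HotFixID, $latest.InstalledOn, $Cutoff
    }

    return $findings
}

# Run the check on this host and report each finding as a warning.
$results = @(Test-PatchHygiene)
if ($results.Count -eq 0) {
    Write-Output "$($env:COMPUTERNAME): SMBv1 disabled and updates newer than $($Cutoff.ToString('yyyy-MM-dd'))."
} else {
    $results | ForEach-Object { Write-Warning "$($env:COMPUTERNAME): $_" }
}
```

Run it from an elevated PowerShell session on each machine, including the forgotten ones; any warning is a machine that still needs attention on the next Patch Tuesday.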

In Taiwan, there is general knowledge about cybersecurity. There is, however, also a widespread sense that someone else carries this duty. Cyber hygiene is fairly poor, to the point where people leaving their phone on the table in a café while using the restroom is a common sight. Updating phones and personal laptops is fairly hard to ignore, as Apple and Microsoft push updates hard; still, not everyone does. Institutions, however, commonly utilise legacy software that only functions on older versions of Windows, which remain vulnerable to EternalBlue, among other bugs.

While the Tsai Administration, and Minister Without Portfolio Audrey Tang specifically, push for updated cyber security at home, institutions and people ignore warnings. I will certainly not go as far as others do and call this ‘cultural’ — people everywhere behave like this. The difference in Taiwan, however, is that the government has written White Papers on Taiwan leading cybersecurity initiatives in the Asia-Pacific region. The National Security Bureau (NSB), among other leading institutions, certainly has some of the top cyber defence capabilities. Yet those capabilities easily go to waste if systems remain unpatched.

Taiwan should make cybersecurity, and cyber hygiene specifically, more common and actively taught in schools. Globally, password managers with 2FA should become standard practice, like seatbelts in cars or washing hands with soap. Reusing the same password might as well be forgetting to wash your hands; you will get breached soon! (Of course, that is if passwords remain in use in 20 years; a tangent for a later blog.)

What Antlion and Chinese APTs may do with exfiltrated data

The second point regards Antlion’s possible targets for exfiltration, “software pertaining to business contacts, investments, and smart card readers”. These are all fairly standard business espionage data points, except the smart card readers. First, however, consider the possible kinds of information these can provide. Business contacts might be important for simple espionage purposes; a company in China may gain an advantage over competitors across the strait by knowing their ‘next’ operational moves. Since Antlion is a nation-state APT, it may pass some of this information to state-controlled corporations.

However, this also provides valuable intelligence for waging related phishing campaigns. Antlion can craft phishing campaigns based on these contacts in attempts to gain access via business-email compromise, and the intelligence in business contacts gives Antlion an edge in crafting more realistic social-engineering attempts. Investments are a very technical form of intelligence which may provide strong suggestions for future targets. Investment data also reveals the shape of Taiwan’s economy, gathered by intruding upon key Taiwanese firms. Understanding how companies operate, and more particularly their interests, is valuable intelligence for institutions.

The smart card readers, however, are one of the more interesting intelligence targets, specifically because this signals there may be preparation for a physical social-engineering attack. While that conclusion is speculative, Taiwan utilises smart card readers for several functions, primarily entering controlled access points and online banking. In Taiwan, the most commonly used bank, Chung Hwa Post Office (中華郵局), requires a smart card reader for online banking and money transfers.

While the system may feel a touch archaic, and has a few security loopholes, sign-on requires extensive entering of codes using an on-screen click pad (not the keyboard) and removing and re-inserting the card to complete any transaction. Although an archaic system, it by default fulfils two of the authentication factors: something you have (the card) and something you know (the bank passcode). Brute forcing Chung Hwa Post Office would be difficult, which might explain why equally archaic phone-call scams are outrageously common in Taiwan.

Exfiltrating data on smart card readers would be vital if Antlion, or any other Chinese APT, is preparing an advanced attack on financial institutions which may leverage smart card technology and security. Moreover, there could be obvious preparation for physical espionage. Confirming either way would be difficult, considering there is no way to know which smart card reader dataset Antlion stole.(3)

In summary, there are three key takeaways from today’s blog. First, Antlion maintained persistence within Taiwanese financial and manufacturing institutions for an abnormal length of time while utilising a new tool, xPack. Second, xPack utilised several vulnerabilities for which patches exist, signifying the compromised institutions had one or more unpatched machines. This may highlight a weakness in Taiwan’s overall cyber defence, and warrants a nationwide campaign to address it. Third, the exfiltrated data is indicative of intelligence Antlion may use to engineer further cyber- or physical-space attacks.

Following up on Antlion, or on how Chinese APTs utilise xPack in the future, may take some time and development; it is, however, one APT worth monitoring.


I hope today’s post introduced something new to this tangential blog while also introducing some of the unique and less addressed challenges Taiwan faces. If you enjoyed this post, it originally appeared on my Substack, The Newspaper is Dead, Long Live the Newspaper. You can subscribe for a grab bag of things I find interesting, from politics, to Taiwanese politics and life in Taiwan, to the occasional post on literature. Your feedback is valuable and I hope you enjoyed reading this!

(1) Symantec has methods of confirming the nation-state from which an APT operates that it does not publicly disclose. Antlion, however, utilises Simplified Chinese characters within the compromised networks. Simplified Chinese is used in the People’s Republic of China, whereas Taiwan utilises Traditional Chinese characters.

(2) If you are unfamiliar with EternalBlue, listen to Episode 53 from the podcast DarkNet Diaries. This episode provides an insightful and entertaining look into a dangerous vulnerability. EternalBlue affects all Windows machines since Windows 2000 until a 2017 Microsoft patch.

(3) There are sometimes ways to monitor for stolen data on the Dark Web. Several cyber defence companies even specialise in this service. However, while it would be of interest if Taiwanese smart card reader data — or any data from this breach — appeared on the Dark Web, I highly doubt Antlion was after profit.
