Taiwanese authorities have suggested that Chinese hackers were behind recent ransomware attacks targeting a number of Taiwanese energy and technology companies.
The attackers infiltrated victims’ internal networks via employees’ computers, hacked into privileged accounts and compromised the domain control server, Taiwan’s Ministry of Justice said in a statement. The agency did not reveal what ransomware strains were used in the attacks.
The Ministry of Justice also said that the hackers left a backdoor on compromised systems “to connect to the overseas relay station” and used the Cobalt Strike tool for remote access control. Data left behind in the attack, such as a configuration file and domain name, suggests the involvement of a group known as Winnti, or something “closely related” to it, the authorities said.
According to the statement, the threat actor was planning to launch further ransomware attacks against ten Taiwanese enterprises.
The Ministry of Justice did not name the organizations targeted in the attacks; however, local media reported that the statement referred to China National Petroleum Corporation (CNPC), Formosa Plastics Corporation, a Taiwanese plastics company, and other victims.