Trend Micro has uncovered a complex, multi-phase cyber-espionage operation attributed to the Earth Ammit threat actor, targeting critical infrastructure in Taiwan and South Korea from 2023 to 2024. The campaigns utilize open-source tools, custom malware, and supply chain attacks to gain long-term access to high-value networks.
Affected: critical infrastructure, military, satellite, drone supply chains, software companies, healthcare entities, industrial vendors
Key points
- The Earth Ammit threat actor launched dual campaigns, VENOM and TIDRONE, focusing on espionage and supply chain attacks in Taiwan and South Korea.
- VENOM primarily targeted upstream service providers using web shells and open-source tools to maintain persistence and evade detection.
- TIDRONE involved deploying custom malware such as CXCLNT and CLNTEND for advanced surveillance and data theft within military and satellite networks.
- The campaigns shared infrastructure and victims, indicating coordination and a strategic focus on the drone ecosystem.
- The attackers employed sophisticated stealth techniques, including memory-resident backdoors and fiber-based evasion methods that were adopted after being presented at Black Hat.
- Mitigations include monitoring supply chain security, detecting the signatures of the open-source tools used, and implementing advanced intrusion detection measures for high-value networks.