Tropic Trooper attacks Taiwan government

The new attacks were delivered as spear phishing mails with a decoy Microsoft Excel spreadsheet.

By Adrian M. Reodique
Dec. 6, 2016

Palo Alto Networks Unit 42 researchers have uncovered an attempted attack on the Secretary General of Taiwan's Government, Executive Yuan.

The security firm associated the attack with the espionage threat actor group Tropic Trooper, an ongoing cybercrime campaign active since 2011. It is known for heavily targeting government and organisation in the Asia Pacific region, and military agencies in the Philippines.

Palo Alto Networks said the new attacks were delivered as spear phishing mails with a decoy Microsoft Excel spreadsheet. The attached document exploits a Microsoft Office vulnerability tagged CVE-2012-0158.

The e-mail was sent to the Executive Yuan and was spoofed to make it look like it was sent from a staff member of the Democratic Progressive Party.

Executive Yuan is composed of several individual boards which are formed to enforce different executing functions of the governments. The Executive Yuan Council evaluates statutory and budgetary bills and bills concerning martial law, amnesty, declaration of war, conclusion of peace and treaties, and other important affairs.

Palo Alto Networks said the mail was disguised as a spreadsheet that documents the activities of protestors and/or progressive reform attempts in progress across Taiwan. The company said the tone of the spreadsheets suggests that it was compiled by progressive supporters.

However, Vicky Ray, Senior Threat Intelligence Analyst at Palo Alto Networks, told MIS Asia that they were unable to confirm if the victim fell for the attack, and thus cannot comment on what could or may have been gained by the attacker.

"As we were able to tie the attacks to the espionage threat actor group 'Tropic Trooper', we can presume that the objective was to spy and conduct espionage activities," he added.

Meanwhile, the researchers were able to confirm that the attacks have used both Yahoyah malware, and Poison Ivy Remote Access Trojan (RAT), which allows hackers to bypass normal security mechanisms and secretly control a programme or network through infected computers.