In 2024, a previously unknown cyber group with potential ties to Chinese-speaking hacker associations launched a series of active attacks on Taiwanese drone manufacturers. Trend Micro, a cybersecurity company, tracks this threat as Tidrone; its primary objective is industrial espionage targeting the supply chains of military equipment. The exact method of initial access to company systems is still unknown, but researchers have identified the use of malicious programs such as CXCLNT and CLNTEND, which spread through remote desktop management tools like UltraVNC.
All victims of these attacks used the same enterprise resource planning (ERP) software, indicating a potential supply chain attack. The Tidrone operation typically unfolds in three stages: privilege escalation by bypassing User Account Control (UAC), obtaining account credentials, and disabling antivirus programs on infected devices. The malware is deployed by having Microsoft Word load a malicious DLL library, granting attackers access to sensitive information.
CXCLNT can download and upload files, erase activity traces, gather system information, and initiate further attack stages. CLNTEND, uncovered in April 2024, has broader capabilities and supports multiple network protocols, including TCP, HTTP, HTTPS, and SMB.
Trend Micro researchers Pierre and Vicki Su note that the file compilation timestamps and the cyber group's activity hours align with previous Chinese hacker group espionage cases, indicating a potential connection. This episode underscores the susceptibility of supply chains, particularly within sectors related to military equipment.