
Operation Clairvoyance: How APT Groups Spy on the Media Industry

Conference: Black Hat Asia 2023

2023-05-11

Authors: Yue-Tien Chen, Zih-Cing Liao


Abstract

Cyber espionage actors have demonstrated great interest in the media industry. These actors seem to like to see Taiwan's daily activities through the "eyes" of these media companies and journalists. During Taiwan's intense 2022, we saw more and more Advanced Persistent Threat (APT) groups infiltrate Taiwan's media industry. In our observation, the media has become the first non-government target of those APT groups.

This talk will focus on APT groups' targeted attacks against media companies in Taiwan. We dubbed this series of attacks "Operation Clairvoyance." Because Taiwan has a much more intense political situation, such as former US House Speaker Nancy Pelosi's visit and the 2022 Local Election, we will dissect more than 20 targeted attack operations TeamT5 has tracked since 2020. Our analysis shows technical links between these targeted attacks and infamous Chinese APT groups, including APT23 (aka GouShe), APT41 (aka Winnti, Amoeba), and BlackTech (aka Huapi).

Our presentation will cover these attacks' Tactics, Techniques, and Procedures (TTPs). We have seen those APT groups adopt different TTPs aimed at media companies. Some of their backdoors abuse cloud services as their C2. More importantly, these cases gave us a peek into China's strategic moves. We believe that these APT attacks are the preliminary work of the Chinese government. Our strategic intelligence indicates several possible scenarios that could lead us to consider the ultimate goal of these APT attacks. We will provide the attack scenarios that could follow once these threat actors have infiltrated the media industry.

Materials: