A sophisticated cyber threat actor known as Earth Ammit has intensified its operations, launching coordinated multi-wave attacks aimed at the drone supply chains within Taiwan’s military and satellite industries. Security researchers have linked this group to Chinese-speaking Advanced Persistent Threat (APT) entities, noting a significant evolution in their tactics and toolsets between 2023 and 2024.
Overview of Earth Ammit’s Campaigns
Earth Ammit’s operations have unfolded in two distinct phases:
1. VENOM Campaign (2023): This initial phase targeted software service providers and technology companies. The attackers exploited vulnerabilities in web servers to deploy web shells, facilitating unauthorized access. To maintain persistence and evade attribution, they utilized open-source tools extensively.
2. TIDRONE Campaign (2024): Building upon their initial successes, Earth Ammit shifted focus to military industry entities through upstream supply chain attacks. By compromising suppliers, they aimed to infiltrate downstream customers, thereby extending their reach to high-value military assets, particularly drone systems.
These campaigns have predominantly affected organizations in Taiwan and South Korea, spanning sectors such as military, satellite, heavy industry, media, technology, software services, and healthcare.
Supply Chain Attack Strategies
Earth Ammit’s approach underscores a deep understanding of supply chain vulnerabilities, employing two primary attack vectors:
– Classic Supply Chain Attacks: In this method, the attackers inject malicious code into legitimate software products during the development or update processes. This tactic ensures that end-users unwittingly install compromised software, granting attackers access to sensitive systems.
– General Supply Chain Attacks: Here, Earth Ammit leverages trusted communication channels to distribute malware without altering the software itself. By exploiting the trust between suppliers and customers, they can disseminate malicious payloads effectively.
The overarching objective appears to be the infiltration of trusted networks to gain access to sensitive military technologies, with a particular emphasis on drone systems utilized in defense applications.
Advancements in Malware Capabilities
A notable aspect of Earth Ammit’s operations is the rapid evolution of their malware arsenal:
– CLNTEND Backdoor (2024): This advanced malware represents a significant upgrade from its predecessor, CXCLNT. While both execute entirely in memory to evade detection, CLNTEND operates as a Dynamic Link Library (DLL) rather than an executable file and supports seven communication protocols, compared to CXCLNT’s two.
– Evasion Techniques: CLNTEND employs fiber-based evasion, using the Windows fiber API to conceal malicious activity from security solutions. By converting the current thread to a fiber and creating new fibers to run its code, the malware executes without spawning new threads; because fiber switches are scheduled by the application in user mode, they produce none of the thread-creation events that many detection tools rely on, which complicates detection.
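The fiber-switching behaviour described above can be surfaced from API-call telemetry if the detection key is not "fibers are used" (some legitimate runtimes use them) but "a fiber is switched to whose start address is not backed by any loaded image". The following is an added defender-side example, not code from the original article or from any vendor; it assumes a hypothetical line-oriented trace format (pid, tid, api, key=value arguments) such as a sandbox or EDR might emit, and the trace lines themselves are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample trace (not real telemetry). The "module" field is the
# image backing the address, or "-" when no loaded module covers it.
SAMPLE_TRACE = """\
pid=4120 tid=7 api=ConvertThreadToFiber start=0x0 module=kernel32.dll
pid=4120 tid=7 api=VirtualAlloc addr=0x1f7c0000 size=0x10000 protect=PAGE_EXECUTE_READWRITE
pid=4120 tid=7 api=CreateFiber start=0x1f7c0120 module=-
pid=4120 tid=7 api=SwitchToFiber target=0x1f7c0120
pid=5300 tid=3 api=ConvertThreadToFiber start=0x0 module=kernel32.dll
pid=5300 tid=3 api=CreateFiber start=0x7ff6a1b20440 module=app.exe
pid=5300 tid=3 api=SwitchToFiber target=0x7ff6a1b20440
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one hypothetical 'key=value key=value' trace line into a dict."""
    return dict(KV_RE.findall(line))


def _in_regions(addr, regions):
    return any(base <= addr < base + size for base, size in regions)


def detect_fiber_execution(trace_text):
    """Return one alert per SwitchToFiber into an image-unbacked fiber.

    Conditions for an alert on a given (pid, tid):
      1. the thread previously called ConvertThreadToFiber, and
      2. the SwitchToFiber target was created by CreateFiber with a start
         address that no loaded module backs.
    The alert also records whether that address lies inside a region the
    process allocated as PAGE_EXECUTE_READWRITE, a strong corroborating signal.
    """
    alerts = []
    converted = set()                     # (pid, tid) that became fibers
    rwx_regions = defaultdict(list)       # pid -> [(base, size)]
    unbacked_fibers = defaultdict(dict)   # pid -> {start_addr: creating tid}

    for raw in trace_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        pid, tid, api = ev["pid"], ev["tid"], ev["api"]
        key = (pid, tid)

        if api == "ConvertThreadToFiber":
            converted.add(key)
        elif api == "VirtualAlloc" and ev.get("protect") == "PAGE_EXECUTE_READWRITE":
            rwx_regions[pid].append((int(ev["addr"], 16), int(ev["size"], 16)))
        elif api == "CreateFiber":
            start = int(ev["start"], 16)
            if ev.get("module", "-") == "-":
                unbacked_fibers[pid][start] = tid
        elif api == "SwitchToFiber":
            target = int(ev["target"], 16)
            if key in converted and target in unbacked_fibers[pid]:
                alerts.append({
                    "pid": pid,
                    "tid": tid,
                    "fiber_start": hex(target),
                    "in_rwx_alloc": _in_regions(target, rwx_regions[pid]),
                    "rule": "fiber switch to image-unbacked code",
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_fiber_execution(SAMPLE_TRACE):
        print(alert)
```

Run on the constructed trace, the rule flags only process 4120: its fiber starts inside a freshly allocated RWX region that no module backs, while process 5300 switches to a fiber whose entry point sits inside app.exe and is left alone. In production the "module" lookup would come from the sensor's view of the process's loaded images, and the RWX corroboration could be widened to any executable allocation not backed by a file.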
Implications and Recommendations
The activities of Earth Ammit highlight the escalating sophistication of cyber threats targeting military and aerospace sectors. Organizations within these industries must adopt comprehensive cybersecurity measures to mitigate such risks:
– Enhanced Monitoring: Implement continuous monitoring of network traffic and system activities to detect anomalies indicative of unauthorized access or malware deployment.
– Supply Chain Security: Conduct thorough security assessments of all suppliers and partners to ensure they adhere to stringent cybersecurity standards, thereby reducing the risk of supply chain compromises.
– Advanced Threat Detection: Deploy advanced threat detection systems capable of identifying and responding to sophisticated malware and evasion techniques employed by groups like Earth Ammit.
– Incident Response Planning: Develop and regularly update incident response plans to ensure swift and effective action in the event of a cyberattack, minimizing potential damage.
By proactively addressing these areas, organizations can bolster their defenses against the evolving tactics of threat actors targeting critical military technologies.