
Cisco Talos researchers have uncovered a sweeping cyber-espionage campaign targeting strategically vital sectors in Taiwan. The attacks, which began no later than 2023 and continue to this day, aim to establish long-term, clandestine access to systems and exfiltrate sensitive data. The group behind the operation has been designated UAT-5918.
According to the report, UAT-5918 primarily targets telecommunications, healthcare, and IT enterprises, along with other critical infrastructure across Taiwan. The group’s tactics, tooling, and objectives closely mirror those employed by known cyber-espionage collectives—Volt Typhoon, Flax Typhoon, Famous Sparrow, and Earth Estries—all of which have ties to the Chinese government. These parallels suggest a coordinated effort and possible centralized command structure.
To gain entry, the attackers exploit publicly known vulnerabilities in internet-facing servers. Upon breaching a system, they manually conduct reconnaissance, employing the cmdkey utility to enumerate users and domains, extract system information, disable security defenses, and deploy post-exploitation tools to facilitate lateral movement. Among the arsenal used are Mimikatz, Impacket, Earthworm, Neo-reGeorg, LaZagne, and others. The threat actors seek to establish multiple footholds—ranging from web shells to newly created administrator accounts.
A distinctive hallmark of UAT-5918 is its use of open-source and poorly obfuscated tools, allowing it to blend seamlessly into background system noise. Techniques include reverse proxy tunneling via FRP and Neo-reGeorg, port scanning using FScan and In-Swor, password extraction from the registry and browsers, domain user creation, and the deployment of Meterpreter shells to maintain persistent access.
The creation of covert administrator accounts has been observed in nearly every documented incident. This strategy enables adversaries to entrench themselves within the target infrastructure and circumvent additional layers of defense, including multi-factor authentication and network access policies.
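Because covert administrator creation appears in nearly every incident, it is one of the more reliable things a defender can hunt for. The following is an added detection example, not code from the Talos report or from any tool the article names: it correlates Windows Security event 4720 (user account created) with a 4732/4728 group-membership event that places the same account into a privileged group within a short window. The event records, field names, host names and account names are constructed for illustration; in practice they would come from a SIEM export of the Security log.

```python
"""Flag accounts that are created and promoted to a privileged group within a short window.

Correlates Windows Security event 4720 (account created) with 4732/4728
(member added to a security-enabled local/global group). The sample events
and their field names are constructed for this example.
"""
from datetime import datetime, timedelta

# Documented Windows Security event IDs used for the correlation.
USER_CREATED = 4720       # A user account was created
LOCAL_GROUP_ADD = 4732    # A member was added to a security-enabled local group
GLOBAL_GROUP_ADD = 4728   # A member was added to a security-enabled global group

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

# Constructed sample events (hypothetical hosts and accounts, not from the report).
SAMPLE_EVENTS = [
    # A web-facing host creates an account and promotes it two seconds later,
    # with a service account as the acting subject: the pattern worth flagging.
    {"time": "2024-05-02T03:14:07", "id": 4720, "host": "WEB01",
     "subject": "svc_web", "target": "updatesvc"},
    {"time": "2024-05-02T03:14:09", "id": 4732, "host": "WEB01",
     "subject": "svc_web", "target": "updatesvc", "group": "Administrators"},
    # Routine provisioning: account created, added to a non-privileged group,
    # and only promoted to Administrators a day later.
    {"time": "2024-05-02T09:00:00", "id": 4720, "host": "HR02",
     "subject": "it.admin", "target": "j.doe"},
    {"time": "2024-05-02T09:02:00", "id": 4732, "host": "HR02",
     "subject": "it.admin", "target": "j.doe", "group": "Remote Desktop Users"},
    {"time": "2024-05-03T09:00:00", "id": 4732, "host": "HR02",
     "subject": "it.admin", "target": "j.doe", "group": "Administrators"},
]


def find_covert_admins(events, window=timedelta(minutes=10),
                       privileged_groups=PRIVILEGED_GROUPS, approved_creators=()):
    """Return findings for accounts promoted to a privileged group within
    `window` of their creation on the same host.

    `approved_creators` lists subjects (e.g. a provisioning service account)
    whose activity is expected and therefore suppressed.
    """
    creations = {}   # (host, account) -> list of (created_at, event)
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        key = (ev["host"], ev["target"].lower())
        if ev["id"] == USER_CREATED:
            creations.setdefault(key, []).append((ts, ev))
        elif ev["id"] in (LOCAL_GROUP_ADD, GLOBAL_GROUP_ADD) \
                and ev.get("group") in privileged_groups:
            for created_at, cev in creations.get(key, []):
                delta = ts - created_at
                if timedelta(0) <= delta <= window \
                        and ev["subject"] not in approved_creators:
                    findings.append({
                        "host": ev["host"],
                        "account": ev["target"],
                        "creator": cev["subject"],
                        "group": ev["group"],
                        "seconds_between": int(delta.total_seconds()),
                    })
    return findings


if __name__ == "__main__":
    for f in find_covert_admins(SAMPLE_EVENTS):
        print(f"[ALERT] {f['host']}: {f['account']} created by {f['creator']} "
              f"and added to {f['group']} after {f['seconds_between']}s")
```

The window is the tuning knob: a ten-minute window catches the scripted create-then-promote sequence while ignoring the next-day promotion in the second sample, and an allowlist of approved provisioning subjects keeps legitimate onboarding out of the alert stream. Pairing this with the multi-factor and network-access bypass described above, a hit on a host that also shows web-shell activity is a strong candidate for incident escalation.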
It is worth recalling that China recently exposed a group of “Taiwanese independence” hackers allegedly responsible for orchestrating cyberattacks against mainland systems.
Volt Typhoon has operated over the past five years, infiltrating critical U.S. infrastructure—from ports to energy grids. The group has implanted dormant malware capable of future activation, potentially to sow societal disruption in the event of escalating tensions around Taiwan. Salt Typhoon, identified in the summer of 2024, has over the course of two years targeted nine American telecommunications firms and dozens of similar organizations worldwide.
In response, the U.S. Federal Communications Commission (FCC) has resolved to strengthen national cyber defenses and establish a dedicated National Security Council. This new body will confront threats emanating from China and bolster the United States’ strategic advantage in artificial intelligence and 5G technologies.
Additionally, a coalition of Republican senators has urged the Trump administration to launch offensive cyber operations against China. The call to action follows recent cyberattacks linked to Chinese intelligence services, which have compromised critical American networks.