The Drone Supply Chain’s Grand Siege: From Initial Breaches to Long-Term Espionage on High-Value Targets
In mid-2024, we disclosed a cyber campaign named TIDRONE, attributed to an unidentified threat actor likely linked to Chinese-speaking groups. This campaign revealed a strong focus on the military industry, specifically targeting drone manufacturers in Taiwan.
Further investigation led to the identification of a related campaign, VENOM, attributed to the cyberespionage group Earth Ammit, which targets military-related industries in Eastern Asia. Since 2022, the VENOM campaign has demonstrated Earth Ammit’s supply-chain attack strategy, focusing initially on service providers as an entry point to their ultimate targets. In this campaign the group preferred shared tools, which complicates attribution, and emphasized credential theft, particularly from Active Directory (AD), as a precursor to further supply-chain attacks.
Earth Ammit employed distinct TTPs and toolsets depending on the stage of the intrusion. For initial breaches of service providers, the group used a broad range of shared tools to minimize the risk of attribution. These tools facilitated lateral movement and credential harvesting, primarily aimed at compromising the service provider’s infrastructure as a stepping stone to more valuable targets. In contrast, Earth Ammit adopted more sophisticated and tailored approaches once it reached its true targets. This phase involved the deployment of customized malware, including advanced RATs such as CXCLNT and CLNTEND, which we analyzed previously. The group then shifted its focus to long-term espionage, ensuring persistence and deep infiltration of critical systems. This variation in toolsets and TTPs demonstrates Earth Ammit’s strategic adaptability: simpler methods for penetrating supply-chain networks, and more complex, targeted tools reserved for high-value military targets to maximize intelligence gathering and maintain prolonged access.
This presentation offers an in-depth analysis of the TIDRONE and VENOM campaigns, revealing Earth Ammit’s evolving arsenal and multi-stage intrusion strategies. It also emphasizes the link between VENOM and Dalbit, highlighted by their shared TTPs, common target profiles, and repeated use of similar tools.
By:
Pierre Lee | Senior Threat Researcher, Trend Micro
Vickie Su | Senior Threat Researcher, Trend Micro
Philip Chen | Threat Researcher, Trend Micro
Full Abstract and Presentation Materials:
https://www.blackhat.com/asia-25/briefings/schedule/#the-drone-supply-chains-grand-siege-from-initial-breaches-to-long-term-espionage-on-high-value-targets-44145