T(AI)WANted: How the global surge in AI likely caused an increase in Taiwan-targeted cybercrime 

Introduction 

Initial access brokers (IABs) facilitate access for ransomware groups, data brokers, and advanced persistent threat groups (APTs) into corporate networks. They operate in an established, lucrative market, often on cybercriminal forums which are characterised by rigid rules and conventions. Our report explaining the illicit activities of IABs can be viewed here.  

As target acquisition by ransomware groups, data brokers, and APTs is significantly affected by the geopolitical landscape, so is that of the IABs that supply them with initial access to the organisations they wish to attack. This trend was noted in calendar Q3 2024, when Cyjax observed increases in both the raw number and the proportional market share of listings for access to Taiwan-based organisations. This blog explores how, and potentially why, IABs have increasingly been going after this country in the South China Sea.

The observed change 

From Q2 to Q3 2024, Cyjax saw 2.7 times more IAB listings for Taiwan-based organisations, making Q3 the highest quarter so far in 2024 for Taiwan-based access listings as a market share (%) of the overall IAB ecosystem.

Figure 1 shows the top 10 percentage changes in IAB listings per country between Q2 and Q3 2024, highlighting Taiwan as having the largest percentage increase in listings in the quarter. 

Figure 1 – Top 10 percentage changes per country from Q2 to Q3 2024. 

Q3 2024 saw advertisements for access to Taiwanese organisations account for 1.9% of all listings, making Taiwan the thirteenth most targeted country out of the 60 that were targeted. When discounting listings for US-based organisations, which correspond to approximately one third of all listings, Taiwan accounted for 2.7% of those remaining, up from 0.71% in Q2.

Figure 2 – Market share (%) of IAB listings for Taiwan-based organisations, excluding the US.

Why Taiwan may have been targeted 

Taiwan has an extremely significant and prominent semiconductor industry, with the Taiwan Semiconductor Manufacturing Company (TSMC) being the largest chip production organisation in the world. This also makes the company significant to the country itself, creating a valuable target for state-sponsored threat groups with aims and interests in Taiwan.

Such organisations typically have high revenues, which tracks with what Cyjax has observed in the IAB market: threat actors have typically targeted large-revenue organisations in Taiwan, with a mean targeted revenue of $3.28 billion. This is almost three times the average targeted revenue across all countries in Q3 2024, and the second highest average targeted revenue of any country.

Figure 3 – Top 10 mean targeted revenues by country in Q3 2024.

An example of a high-revenue IAB listing can be seen in Figure 4. On 8 August 2024, a cybercriminal forum user advertised VPN access to an unnamed Taiwan-based electronics organisation with a revenue of $20 billion. The broker had likely obtained valid credentials for a dana-na login panel but was unable to bypass the 2FA mechanism protecting it. No price was added to the listing; the IAB stated that prospective buyers must contact them directly to negotiate a sale. Higher-revenue companies are often listed without a price, as in Figure 4, with the sale negotiated privately instead: prices that are likely to be high are less likely to be publicly listed.


Figure 4 – PirateJack XSS IAB listing for a Taiwan-based organisation.
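The listing above describes a broker holding a working VPN password that the second factor stopped; dana-na is the login path used by Pulse Secure / Ivanti Connect Secure appliances. From the defender's side, that situation leaves a recognisable trace: primary authentication succeeds and the MFA step then fails, repeatedly, for the same account and source. The script below is an added example, not Cyjax's code or any vendor's tooling; its log format is a constructed generic one (an assumption, not an actual appliance log format), and it correlates each accepted password with a following MFA failure inside a short window to surface accounts whose credentials are probably already in someone else's hands.

```python
"""Flag VPN accounts whose password was accepted but whose second factor failed.

Added example, not part of the original post. The log format is constructed
and generic (assumption); adapt the regex to the real appliance's log lines.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines: "<ISO timestamp> <event> user=<name> src=<ip>".
# jlin: three accepted passwords, each followed by an MFA failure (the signal).
# mchen: normal login. kwu: password guessing that never gets past primary auth.
SAMPLE_LOG = """\
2024-08-08T02:14:05Z PRIMARY_AUTH_OK user=jlin src=203.0.113.7
2024-08-08T02:14:21Z MFA_FAIL user=jlin src=203.0.113.7
2024-08-08T02:15:02Z PRIMARY_AUTH_OK user=jlin src=203.0.113.7
2024-08-08T02:15:30Z MFA_FAIL user=jlin src=203.0.113.7
2024-08-08T02:16:11Z PRIMARY_AUTH_OK user=jlin src=203.0.113.7
2024-08-08T02:16:40Z MFA_FAIL user=jlin src=203.0.113.7
2024-08-08T08:01:00Z PRIMARY_AUTH_OK user=mchen src=198.51.100.20
2024-08-08T08:01:09Z MFA_OK user=mchen src=198.51.100.20
2024-08-08T09:30:00Z PRIMARY_AUTH_FAIL user=kwu src=203.0.113.7
2024-08-08T09:30:10Z PRIMARY_AUTH_FAIL user=kwu src=203.0.113.7
"""

LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) src=(\S+)$")


def parse(log_text):
    """Parse log lines into sorted (timestamp, event, user, src) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    events.sort()
    return events


def find_password_only_compromise(log_text, window=timedelta(minutes=2), threshold=2):
    """Return {user: [(src, count), ...]} for accounts with at least `threshold`
    MFA_FAIL events, each preceded by a PRIMARY_AUTH_OK from the same source
    within `window`. A valid password plus a failing second factor is the
    pattern a stolen credential leaves behind when MFA holds."""
    last_ok = {}              # (user, src) -> time of the latest accepted password
    fails = defaultdict(int)  # (user, src) -> MFA failures correlated to one
    for ts, event, user, src in parse(log_text):
        key = (user, src)
        if event == "PRIMARY_AUTH_OK":
            last_ok[key] = ts
        elif event == "MFA_FAIL" and key in last_ok and ts - last_ok[key] <= window:
            fails[key] += 1
            del last_ok[key]  # count each accepted password at most once
    flagged = defaultdict(list)
    for (user, src), n in fails.items():
        if n >= threshold:
            flagged[user].append((src, n))
    return dict(flagged)


if __name__ == "__main__":
    for user, hits in find_password_only_compromise(SAMPLE_LOG).items():
        for src, n in hits:
            print(f"{user}: password accepted, second factor failed {n}x from {src}")
```

The useful response to a hit is a forced password reset and a look at where else that credential is reused, since the listing shows the broker's next move is to sell the password rather than keep trying the second factor.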

TSMC is a vital part of the supply chains for large organisations such as Apple and Nvidia. It is also highly likely that it is in the supply chains of many other businesses. As a result, companies of a similar nature, such as those in the manufacturing and electrical industries, are likely and valuable targets in general. 

In addition, Taiwan has seen a significant increase in semiconductor and advanced silicon production to meet growing demand from the global surge in artificial intelligence (AI). This surge likely increased the potential value of access to such organisations in the country, leading to the observed growth in Taiwan-based listings. Threat actors operating in the interests of other countries in the South China Sea, particularly China, would likely be interested in these accesses given the generally hostile geopolitical sentiment between the countries.

Similarly, threat actors would likely see high value in intellectual property (IP) relating to the manufacturing of semiconductors, creating strong demand for access to these organisations. This hypothesis is supported by the sectors targeted in Taiwan-based listings. Throughout 2024, IAB listings for Taiwan-based organisations have included those described as being in the software, manufacturing, electronics, industrial machinery and equipment, electronic devices manufacturing, and computer equipment and peripherals industries.

Figure 5 – Sectoral distribution of Taiwan-based IAB listings between Q1 and Q3 2024.

General implications 

It is well established that ransomware groups and APTs which buy access to corporate networks from IABs conduct extortion and cyberespionage campaigns. For example, the official representative of the Medusa ransomware group posted in several cybercriminal forums requesting network access to organisations. The group, which was first observed in June 2021, remains active on the forums as of November 2024. Medusa has been observed asking IABs to privately message the account with details of potential access sales for organisations with revenues over $30 million, offering prices between $100 and $1 million. The group has also been observed offering a percentage of the ransom profit as payment for the access, rather than a flat fee.

Figure 6 – Medusa access request post on a cybercriminal forum.

Similarly, a self-proclaimed APT, which goes by the name ‘APT’, posted on a Russian-language cybercriminal forum advertising “cooperation” or “pentesting” services, the latter being a cybercriminal euphemism for ransomware operations. The user stated that they can conduct a “full work cycle” for IABs, using their own techniques as well as the broker’s access. The user offered to purchase accesses, to work for a percentage of the profit, or a combination of both. APT also advertised services for “pentesters”, offering a “technical solution for your needs”, and offered a private loader and file-encryption binary to “traffickers/spammers”. Whilst the possibility remains that the user is not an APT, they were recommended by ‘bratva’, a moderator on the forum, and appear to exhibit high technical capability judging by their advertised services.

Figure 7 – APT post on a cybercriminal forum (translated from Russian).

Cyjax has observed a spike in Taiwan-targeted general cybercrime during the quarter, particularly in September 2024. This further supports the relationship between geopolitics and cybercrime. Figure 8 shows an approximate 92% increase in Taiwan-targeted cybercrime in Q3 2024 compared to Q2.

Figure 8 – Cyjax intelligence reports related to Taiwan from April to September 2024.

Therefore, whether IAB supply or threat actor demand is driving the change, there appears to be a definitive link between geopolitical developments and an increase in both IAB listings and general cybercrime from ransomware groups and APTs. Cyjax assesses that either the changes in the IAB market will likely increase Taiwan targeting by these threat actors, or that the IAB market has itself been influenced by the increase in Taiwan targeting, leading to more listings for the country.

Interestingly, while TSMC itself has not been named as a targeted organisation in analysis of APT groups’ campaigns, a China-nexus state-sponsored threat group has previously used TSMC-themed lures in a cyberespionage campaign likely targeting the semiconductor industry in East Asian regions such as Taiwan, Hong Kong, and Singapore. The campaign, analysed in early October 2023, shared similarities in tactics, techniques, and procedures with RedHotel, a suspected state-sponsored Chinese APT which has been operating since 2019.

This threat actor mainly targets R&D institutes, including many Asia-based organisations. Targeted sectors include academia, aerospace, government, media, research, and telecommunications. Researchers believe the group is motivated by intelligence gathering and economic espionage. 

As mentioned above, it is likely that ransomware groups often use IABs to buy access to organisations. For example, as seen in Figure 9, the Ransomware-as-a-Service (RaaS) operation Akira has stated in ransomware negotiation chats that initial access to networks was purchased on “the dark web”, likely meaning from IABs.

Figure 9 – Akira ransom negotiation chat (source: ransomware.live).

On 3 July 2023, the prolific ransomware group LockBit listed TSMC on its data-leak site (DLS), with an affiliate, “Bassterlord”, sharing screenshots indicating they had significant access to the organisation. The company was listed with a $70 million ransom, though TSMC later confirmed that it had not been breached; instead, one of its hardware suppliers, Kinmax Technology, had been. This illustrates the potential value of a genuine compromise of such companies, both in Taiwan and in the manufacturing sector more broadly.

Figure 10 – LockBit DLS listing for TSMC (source: Ransomlook).

Another trend in the IAB market that is likely largely influenced by geopolitics is the comparatively high listing prices for Israel-based organisations. As analysed in the IAB market summaries for Q1 and Q3 2024, Israel-based listings have consistently had high average prices throughout the year when compared to other countries. The only exception is Q2 2024, when the most prominent listings did not include access to organisations based in the country. The high listing prices are likely due to the ongoing Israel-Palestine conflict affecting the value of access in the country, further indicating a link between the IAB market and geopolitics.

Conclusion 

From analysis of the IAB market, the brokers, which form a key part of the cybercriminal ecosystem, appear to be influenced by geopolitical developments.

Overall, these trends highlight why such geopolitical developments are significant to the threat landscape. Organisations like TSMC are highly likely to be in many companies’ supply chains, particularly large organisations such as Apple and Nvidia. This creates extremely valuable targets for ransomware groups and data brokers. Additionally, organisations with large influences on a country, such as TSMC on Taiwan, are likely of interest to APT groups. 
