
Executive Summary:

In September 2024, security firm Trend Micro published a report on a threat group it named “TIDRONE”, which had conducted a cyber espionage campaign against entities in Taiwan’s military and satellite industries. The report found that TIDRONE actors are actively targeting both satellite industries and drone manufacturers, suggesting a coordinated effort to infiltrate high-value targets tied to aerospace and defense. Further analysis by security firm Acronis, which tracks the campaign under the alias "Operation WordDrone", adds key details on the abuse of Taiwanese enterprise resource planning (ERP) software, indicating the campaign may involve a supply chain attack.

These activities are assessed as part of a wider trend of cyber espionage aimed at stealing sensitive information within the global military technology sector, including satellite and drone technology. Notably, several elements within this campaign highlight the escalating threat environment for the space industry, particularly the surge in drone production, its considerable overlap with space technology, and the significance of Taiwan as a hub for aerospace and military production.

Attack Pattern:

TIDRONE actors abused enterprise resource planning (ERP) software and remote desktop tools to deploy two custom malware toolsets, identified as CXCLNT and CLNTEND.

Both malware families are post-compromise tools for controlling infected hosts and stealing sensitive data; they are payloads delivered after access has been gained, not exploits in themselves. CXCLNT provides basic file upload and download and collects victim information such as file listings and computer names. CLNTEND is a remote access tool (RAT) first identified in attacks conducted in April 2024, and it supports a wide range of network communication protocols, including TCP, HTTP, HTTPS, TLS and SMB.

This protocol flexibility lets the operators fit their command-and-control traffic to whatever egress a given network permits, sustaining data exfiltration even from well-segmented environments. Both families are central to stealing sensitive data, including intellectual property, and to lateral movement across compromised networks.

The group’s attack chain relied on DLL side-loading, in which a legitimate, usually signed, executable is induced to load a malicious dynamic link library (DLL) because the attacker places a file with the library name the program expects in the directory it searches first, typically the executable’s own. In this instance, TIDRONE actors used an outdated, stand-alone copy of Microsoft Word as the side-loading host. The malicious DLL, a modified copy of a legitimate library, acted as a loader: it ran shellcode that decrypted and executed the CXCLNT and CLNTEND payloads. Researchers noted that the loader included additional features for persistence and defense evasion. Additional reporting shows the attackers also used a tool called “EDRSilencer”, which abuses the Windows Filtering Platform (WFP) to add block filters for the outbound traffic of endpoint detection and response (EDR) processes, cutting off their telemetry rather than disabling the agents themselves.
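Two detections a defender can build from the tradecraft above, as an added example (this is not code from the Trend Micro or Acronis reports): a hunt over Sysmon-style ImageLoad events for a host binary loading an unsigned look-alike DLL from its own directory, and a check of Windows Filtering Platform filters for block rules aimed at security-product processes. The winword.exe / wwlib.dll pairing is Word's own library load used as the illustrative side-loading target; the trusted-directory list, the EDR process names, the filter display name and all sample records are assumptions or constructed data, not indicators taken from the reports.

```python
"""Hunting for two pieces of TIDRONE tradecraft in host telemetry:
DLL side-loading (ImageLoad events) and EDRSilencer-style WFP block filters.
Added example; not code from Trend Micro, Acronis or the TIDRONE reports.
All records below are constructed, Sysmon- and netsh-shaped samples."""

# Host executables abused for side-loading, mapped to the library they load
# from their own directory and the publisher that normally signs it. Extend
# the table with other side-loading hosts seen in your environment.
SIDELOAD_PAIRS = {
    "winword.exe": {"wwlib.dll": "microsoft corporation"},
}

# Directories a legitimately installed copy of such a host should live in (assumption).
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Security-product processes whose outbound traffic EDRSilencer-style tools
# block. A starting list only; add your own EDR's process names.
EDR_PROCESSES = {"msmpeng.exe", "mssense.exe", "csfalconservice.exe"}


def find_sideloads(image_loads):
    """Return suspicious ImageLoad events: a known host binary loading its
    expected DLL name from its own directory without the expected signature,
    or any host outside trusted install paths loading an unsigned DLL that
    sits beside it."""
    hits = []
    for ev in image_loads:
        host, dll = ev["Image"].lower(), ev["ImageLoaded"].lower()
        host_dir, _, host_name = host.rpartition("\\")
        dll_dir, _, dll_name = dll.rpartition("\\")
        if dll_dir != host_dir:
            continue  # side-loading depends on the DLL sitting next to the host
        signed = ev.get("Signed", "false").lower() == "true"
        signer = ev.get("Signature", "").lower()
        reasons = []
        expected = SIDELOAD_PAIRS.get(host_name, {}).get(dll_name)
        if expected and (not signed or signer != expected):
            reasons.append(f"{host_name} loaded {dll_name} not signed by {expected}")
        if not (host_dir + "\\").startswith(TRUSTED_DIRS) and not signed:
            reasons.append(f"host outside trusted install paths loaded unsigned {dll_name}")
        if reasons:
            hits.append({"host": ev["Image"], "dll": ev["ImageLoaded"], "reasons": reasons})
    return hits


def find_edr_block_filters(wfp_filters):
    """Return (filter name, process) for WFP filters that block outbound
    connections of a security-product process. Key on behaviour (BLOCK action
    on an ALE_AUTH_CONNECT layer with an app-ID condition), not on the filter
    name, which an attacker can change freely."""
    hits = []
    for f in wfp_filters:
        if f.get("action") != "FWP_ACTION_BLOCK":
            continue
        if not f.get("layer", "").startswith("FWPM_LAYER_ALE_AUTH_CONNECT_V"):
            continue
        process = f.get("app_id", "").lower().rpartition("\\")[2]
        if process in EDR_PROCESSES:
            hits.append((f["name"], process))
    return hits


# Constructed Sysmon Event ID 7 (ImageLoad) records.
SAMPLE_IMAGE_LOADS = [
    {   # legitimate Office install loading its own signed wwlib.dll
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\wwlib.dll",
        "Signed": "true", "Signature": "Microsoft Corporation",
    },
    {   # an old stand-alone copy of Word in a user-writable path loading an
        # unsigned wwlib.dll placed beside it: the side-load
        "Image": r"C:\Users\Public\Libraries\winword.exe",
        "ImageLoaded": r"C:\Users\Public\Libraries\wwlib.dll",
        "Signed": "false", "Signature": "",
    },
    {   # unrelated, normal system activity
        "Image": r"C:\Windows\System32\svchost.exe",
        "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
        "Signed": "true", "Signature": "Microsoft Windows",
    },
]

# Constructed records shaped like the filters listed by `netsh wfp show filters`.
SAMPLE_WFP_FILTERS = [
    {"name": "Custom Outbound Filter", "layer": "FWPM_LAYER_ALE_AUTH_CONNECT_V4",
     "action": "FWP_ACTION_BLOCK",
     "app_id": r"\device\harddiskvolume3\programdata\microsoft\windows defender\platform\4.18\msmpeng.exe"},
    {"name": "Block Chrome", "layer": "FWPM_LAYER_ALE_AUTH_CONNECT_V4",
     "action": "FWP_ACTION_BLOCK",
     "app_id": r"\device\harddiskvolume3\program files\google\chrome\application\chrome.exe"},
    {"name": "Permit MDE", "layer": "FWPM_LAYER_ALE_AUTH_CONNECT_V6",
     "action": "FWP_ACTION_PERMIT",
     "app_id": r"\device\harddiskvolume3\program files\windows defender advanced threat protection\mssense.exe"},
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_IMAGE_LOADS):
        print("side-load:", hit["host"], "->", hit["dll"], "|", "; ".join(hit["reasons"]))
    for name, process in find_edr_block_filters(SAMPLE_WFP_FILTERS):
        print("EDR block filter:", name, "->", process)
```

In production the image-load records come from Sysmon Event ID 7 or the EDR's own module-load telemetry, and the filter records from parsing the XML that `netsh wfp show filters` writes; the two checks are deliberately independent so either can run on its own. The side-load check keys on path and signature rather than on file hashes because the loader DLL is rebuilt per campaign, while the WFP check keys on the block action and target process rather than the filter name for the same reason.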

Supply Chain Attack:

Reports suggest this campaign may have been a supply chain attack: the same ERP software and remote access tools appeared across multiple victim environments, a pattern that is hard to explain by independent compromises. Specifically, the attackers leveraged Virtual Network Computing (VNC) technology, particularly UltraVNC, a program that allows remote control of servers and clients, to launch malicious executables using the side-loading technique. Additional reporting from Acronis revealed that the Taiwanese ERP software Digiwin was present in victim environments during the Operation WordDrone campaign. Researchers suggest this platform may have served as the initial access vector, given vulnerabilities known to exist in its components, although the exact point of entry has not been confirmed.

Significance to Space:

The space industry shares critical technological parallels with other sectors targeted by TIDRONE, particularly drone manufacturing. The use of remote access tools like UltraVNC in both industries is a notable overlap. Space companies often rely on remote access to manage satellite ground stations and sensitive communication networks, so the same techniques used to abuse these tools in other industries could be turned against space operations.

In the context of supply chain risks, the close relationship between space and drone manufacturers, particularly in regions like Taiwan, creates additional vulnerabilities. Taiwan’s role as a U.S. ally and a leader in technological innovation makes it a focal point for espionage campaigns, and any compromise in drone manufacturing could cascade into the space industry. Given the high value of intellectual property and operational data in space systems, successful infiltration by actors like TIDRONE could lead to far-reaching consequences for national security and commercial space operations alike.

Sector Targeting:

The TIDRONE campaign’s focus on ERP and remote access technologies aligns with similar methodologies seen in attacks on the space sector. Both sectors utilize these systems to maintain operational continuity, and their exploitation could disrupt essential services or enable widespread data theft. By targeting interconnected sectors like drone and aerospace manufacturing, TIDRONE actors seek to exploit supply chain weaknesses, increasing the potential for lateral movement into critical space infrastructures. The trend toward using VNC technologies across industries underscores the need for heightened cybersecurity awareness in the space industry.