China-Linked Hackers Target Taiwan and South Korea in Supply Chain Cyber Attacks

by Belinda

A cyber espionage group with suspected ties to Chinese-speaking state-sponsored hackers has attacked software service providers and military companies in Taiwan and South Korea. According to a new report, these attacks were part of several supply chain operations.

The group, known as Earth Ammit, carried out two major attack campaigns between 2023 and 2024. Their targets included a wide range of industries such as military, satellites, heavy industry, media, technology, software services, and healthcare.

Cybersecurity firm Trend Micro analyzed the attacks. Researchers said Earth Ammit aimed to compromise trusted networks through supply chain attacks. This method would allow the hackers to reach high-value targets and expand their influence.

Victims of these attacks faced serious risks. Hackers could steal sensitive data, including user credentials and even screenshots from infected systems.

In the first wave of attacks, called Venom, Earth Ammit focused on trusted vendors to reach their customers. Its main goal was to infiltrate the drone supply chain. The hackers used open-source tools for this stage. Researchers believe the group chose these tools because they are cheap, easy to access, and help hide its activity.

The second campaign, named Tidrone, targeted Taiwan’s satellite and military industries. In this phase, the attackers used custom-made backdoors for spying. Some of the tools they used were called CXCLNT and CLNTEND.

Trend Micro linked both campaigns to the same group. They found evidence such as shared command-and-control infrastructure and repeated targeting of the same victims. This shows the group has a strong and ongoing interest in certain high-value targets.

Experts also noted that Earth Ammit’s tactics and targets are similar to another suspected Chinese state-sponsored group known as Dalbit. However, it is still unclear if the two groups are officially connected.

In a related development, cybersecurity company EclecticIQ reported that several China-linked hacker groups recently exploited a serious flaw in SAP NetWeaver. This attack targeted critical infrastructure networks.

Victims included natural gas distribution systems, water and waste management utilities in the UK, medical device factories, oil and gas companies in the U.S., and government ministries in Saudi Arabia responsible for investment and financial oversight.

Researchers said these hackers are focusing on widely used platforms like SAP NetWeaver. Such systems are deeply embedded in business operations and often contain unpatched vulnerabilities, making them ideal targets for attackers.


© 2024 Copyright  worldmilitaryfans.com