Disruption of Drone Supply Chains Through Coordinated Multi-Wave Attacks in Taiwan

Medium
Published: Tue May 13 2025 (05/13/2025, 18:41:56 UTC)
Source: AlienVault OTX

Description

Earth Ammit, a Chinese-linked threat actor, conducted two campaigns targeting drone supply chains in Taiwan and South Korea from 2023 to 2024. The VENOM campaign focused on software service providers using open-source tools, while TIDRONE targeted military industries with custom malware. Their tactics included supply chain attacks, credential theft, and cyberespionage. Victims spanned military, satellite, heavy industry, media, technology, and healthcare sectors. Earth Ammit's goal was to compromise trusted networks for downstream attacks. They employed evolving techniques like fiber-based evasion and custom backdoors CXCLNT and CLNTEND. The campaigns showed progression from broad, low-cost tools to tailored capabilities for sensitive targets.

AI-Powered Analysis

Last updated: 06/19/2025, 17:33:53 UTC

Technical Analysis

The threat actor Earth Ammit, linked to Chinese state-sponsored activities, has executed coordinated multi-wave cyber campaigns targeting drone supply chains primarily in Taiwan and South Korea between 2023 and 2024. These campaigns, named VENOM and TIDRONE, represent a strategic effort to disrupt and infiltrate critical supply chains associated with drone manufacturing and military industries. The VENOM campaign leveraged open-source tools to compromise software service providers, enabling broad access to downstream targets through trusted networks. In contrast, the TIDRONE campaign employed custom malware specifically designed to target military sectors, demonstrating an evolution from generic to highly tailored attack methodologies. The threat actor utilized a variety of sophisticated tactics including supply chain attacks, credential theft, and cyberespionage to gain persistent access. Notably, they deployed custom backdoors such as CXCLNT and CLNTEND and employed fiber-based evasion techniques to avoid detection. The victim profile is diverse, spanning military, satellite, heavy industry, media, technology, and healthcare sectors, indicating a wide-reaching impact on critical infrastructure and strategic industries. The campaigns also incorporated multiple MITRE ATT&CK techniques such as T1583 (Acquire Infrastructure), T1003 (Credential Dumping), T1543 (Create or Modify System Process), T1190 (Exploit Public-Facing Application), and T1078 (Valid Accounts), among others, highlighting a comprehensive and multi-faceted approach to compromise and persistence. The progression from broad, low-cost tools to customized malware underscores the threat actor’s adaptability and focus on high-value targets within sensitive sectors.

Potential Impact

For European organizations, especially those involved in drone manufacturing, aerospace, defense, and critical infrastructure sectors, this threat poses significant risks. Although the campaigns have been observed primarily in Taiwan and South Korea, the tactics and malware used could be adapted or redirected towards European supply chains due to the globalized nature of technology and defense industries. Compromise of supply chain vendors or software service providers in Europe could lead to downstream infiltration of military and critical infrastructure networks, resulting in espionage, intellectual property theft, operational disruption, and potential sabotage. The use of custom backdoors and advanced evasion techniques increases the difficulty of detection and remediation, potentially allowing prolonged unauthorized access. Additionally, the targeting of healthcare and media sectors suggests a broader impact on societal functions and information integrity. The disruption of drone supply chains could impair European defense capabilities and technological competitiveness, while espionage could undermine national security and economic interests.

Mitigation Recommendations

European organizations should implement a multi-layered defense strategy tailored to supply chain security and advanced persistent threats. Specific recommendations include:

1) Conduct rigorous security assessments and continuous monitoring of all third-party vendors and software providers, focusing on those involved in drone, aerospace, and defense supply chains.
2) Employ advanced threat hunting techniques to detect custom backdoors like CXCLNT and CLNTEND, including behavioral analytics and network traffic analysis for fiber-based evasion indicators.
3) Enforce strict credential hygiene policies, including multi-factor authentication (MFA) and regular credential audits, to mitigate credential theft risks.
4) Implement application allowlisting and robust patch management to reduce the attack surface, especially for public-facing applications vulnerable to exploitation (T1190).
5) Utilize endpoint detection and response (EDR) solutions capable of identifying process creation anomalies (T1543), code injection (T1055), and lateral movement techniques (T1021).
6) Establish incident response plans specifically addressing supply chain compromise scenarios, including rapid isolation and forensic analysis capabilities.
7) Foster information sharing with national cybersecurity agencies and industry groups to stay informed on evolving tactics and indicators of compromise related to Earth Ammit activities.

Technical Details

Author
AlienVault
Tlp
white
References
https://www.trendmicro.com/en_us/research/25/e/earth-ammit.html

Indicators of Compromise

IP addresses

103.61.139.60 (CC=TW ASN=AS31972 emagine concept inc.)
45.121.50.185 (CC=TW ASN=AS31972 emagine concept inc.)
45.121.50.30 (CC=TW ASN=AS31972 emagine concept inc.)

Domains

fghytr.com
fuckeveryday.life
ac.metyp9.com
client.wns.windowswns.com
server.microsoftsvc.com
service.symantecsecuritycloud.com
time.vmwaresync.com

Threat ID: 682c99307960f6956616ac7c

Added to database: 5/20/2025, 3:01:04 PM

Last enriched: 6/19/2025, 5:33:53 PM

Last updated: 8/13/2025, 7:42:50 AM
