Recent analysis by Recorded Future’s Insikt Group reveals that unidentified threat actors have been utilizing open-source tools as part of a suspected cyber espionage campaign, which has affected numerous global government and private sector organizations. The activity, marked under the code name TAG-100, indicates that these adversaries have compromised entities in over ten countries across continents including Africa, Asia, North America, South America, and Oceania, notably affecting two unnamed intergovernmental organizations in the Asia-Pacific region.
Since February 2024, the campaign has specifically targeted a diverse range of sectors, such as diplomatic, government, semiconductor supply chain, non-profit, and religious organizations in countries like Cambodia, Djibouti, the Dominican Republic, Fiji, Indonesia, the Netherlands, Taiwan, the United Kingdom, the United States, and Vietnam. This illustrates the broad international scope of the cyber threat.
According to the cybersecurity firm, TAG-100 employs open-source remote access capabilities, effectively exploiting internet-facing devices to gain initial access. The group’s tactics include the use of open-source backdoors like Pantegana and Spark RAT, particularly following successful intrusions. The attack techniques observed suggest possible alignment with the MITRE ATT&CK framework, particularly in phases such as initial access, exploitation of public-facing applications, and post-exploitation persistence.
The attack methodologies seen within this operation involve exploiting known vulnerabilities in widely used internet-facing products. These include technologies such as Citrix NetScaler, F5 BIG-IP, Zimbra, Microsoft Exchange Server, SonicWall, Cisco Adaptive Security Appliances, Palo Alto Networks GlobalProtect, and Fortinet FortiGate. The breadth of targets further complicates potential attribution efforts and highlights how such security flaws can facilitate unauthorized access.
Specifically, beginning on April 16, 2024, TAG-100 conducted extensive reconnaissance aimed at Palo Alto Networks GlobalProtect devices, predominantly focusing on organizations in the United States, spanning sectors from education to government and finance. This activity coincided with the public disclosure of a critical vulnerability (CVE-2024-3400) that affects Palo Alto GlobalProtect firewalls, earning a CVSS score of 10.0 for its potential impact.
The successful intrusions have led to the deployment of advanced tools in compromised environments, including Pantegana and Cobalt Strike Beacon. The findings reveal that threat actors are effectively leveraging proof-of-concept exploits combined with open-source tools to launch coordinated attacks. This strategy lowers the entry barriers for less sophisticated actors, complicating detection protocols and ultimately making it challenging for organizations to thwart such attacks.
Recorded Future highlights that the prevalent targeting of internet-connected devices is particularly advantageous to adversaries, as these products often possess limited logging and visibility. This characteristic ultimately reduces the risk of detection following exploitation. As such, organizations must remain vigilant, ensuring they adopt robust cybersecurity practices to defend against emerging threats in an increasingly interconnected world.
