‘Vendetta’ hackers are posing as Taiwan’s CDC in data-theft campaign

The hackers are part of a group known as Vendetta that has only surfaced in the last two months.

A mysterious hacking group has been posing as Taiwan’s top infection-disease official in an attempt to steal sensitive data from Taiwanese users, researchers said Monday.

The hackers sent meticulously written spearphishing emails to a select group of targets, which may have included Taiwan’s Centers for Disease Control employees, according to ElevenPaths, the cybersecurity unit of Spanish telecommunications firm Telefónica Group, which uncovered the activity.

It’s a reminder of the lengths to which hacking groups have gone to impersonate public health authorities and break into computer networks during the COVID-19 pandemic.

Over the course of a week in early May, the hackers sent emails to certain Taiwanese users urging them to get novel coronavirus tests. Attached to the email was a remote hacking tool capable of stealing login credentials and hijacking webcams.


“The type of tools and the targets selected indicate that they are looking for intelligence, mainly governmental,” Miguel Ángel de Castro Simón, threat intelligent analyst at ElevenPaths, told CyberScoop. It is unclear how successful the phishing was; de Castro Simón said he didn’t know.

The hackers are part of a group known as Vendetta that has only surfaced in the last two months. The group is adept at impersonating authorities in multiple languages. They have posed as agency officials in Australia, Austria and Romania in attempts to install remote hacking tools on victim machines, Chinese cybersecurity company Qihoo 360 said in a report in May. At least some of Vendetta’s hacking attempts have been to “steal targeted business intelligence,” according to Qihoo 360.

“This type of group does not carry out massive attacks, but [are] very selective, so the number [of victims] should not be too high,” de Castro Simón said when asked how many users in Taiwan may have been compromised.

The cyber-masquerading is a problem that health authorities around the world have had to contend with during the COVID-19 crisis. In the last three months, there have been reports of Iranian and South Korean hackers targeting the World Health Organization, Chinese spies trying to steal U.S. vaccine research and cybercriminals extorting health care companies responding to the virus.

In the U.S., the Department of Homeland Security’s cybersecurity division has allocated greater resources to protecting the U.S. Centers for Disease Control and Prevention from hacking.


The CDC is not the only health body in Taiwan that hackers have impersonated in recent weeks. Another, apparently unrelated campaign spoofed Taiwan’s Ministry of Health and Welfare in an attempt to install the LokiBot data-stealing malware on victim machines, according to a report from ISSDU, a Taiwanese cybersecurity company. It is unclear who is responsible for those attempted intrusions.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts