Hacking 7-11 in Taiwan

Image credit: iStockphoto/WhataWin

It's clear that 2022 leads the race for Most Digital Skullduggery in a Calendar Year. Ever-sophisticated online scams send out subtle feelers for phishing schemes, bogus credentials, and everything in between.

Blame it on WFH mandates or a lack of revenue from traditional skim channels, but the criminals are working overtime. CSOs and above need to be more aware than ever of dangers swept into the workplace by typical Internet activity.

An intriguing example spiked up last week, amidst political posturing, and at — of all places — 7-11.

24-hour pork buns

Convenience store chain 7-11 began in the U.S. in 1927. The Stateside image of the chain is one of plastic-wrapped dried meat snacks and sugary shaved-ice beverages. It's open, but it's not gourmet.

7-11 in Japan is a different beast. Fresh food is delivered thrice daily, for starters. The entire operation relies on intricate networks of supply chains and on-point logistics, and it works.

Elsewhere in Asia, 7-11 is somewhere in the middle. The Japanese paradigm seems to have taken root in Taiwan, where fourteen stores first opened in 1979. “The unique convenience store culture formed by President Chain Store (7-Eleven in Taiwan) has become a part of Taiwanese culture,” says Wikipedia.

“Take your pick from a mind-blowing range of Taiwan specialties, like baozi, sushi hand-rolls and sandwiches to baked potatoes, tea-eggs, hotdogs and pork buns,” says a blog-post from a Taipei language school.

Regrettably, a recent visit to the island by a U.S. politician sparked a cyberintrusion that tarnished the allure of 7-11 pork buns.

Multi-pronged cyberattack

“On Wednesday, in some branches of 7-11 convenience stores in Taiwan, the television screens behind cashiers suddenly switched to display [a message directed at said politician],” said a Reuters report.

“The largest 24-hour convenience store chain on the island was the victim of what Taiwanese authorities are calling an unprecedented amount of cyber attacks on government websites belonging to the presidential office, foreign and defence ministries as well as infrastructure such as screens at railway stations,” said Reuters. “Taiwan's digital minister Audrey Tang said the volume of cyber attacks on Taiwan government units on Tuesday...surpassed 15,000 gigabits, 23 times higher than the previous daily record.”

Hacker group APT 27 claimed responsibility, and “also claimed it had shut down 60,000 internet-connected devices in Taiwan,” according to Reuters.

Advanced persistent threats

Wikipedia: “An advanced persistent threat (APT) is a stealthy threat actor, typically a nation-state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.”

“APT27 is a Chinese hacking group active for the last ten years or so,” says Richard Stagg, director and managing consultant, Handshake Networking. “They claim to be independent vigilantes, but nobody believes this; it is perfectly clear that they are state-sponsored. They have access to resources and information that would not be available to independent professionals.” Stagg adds that “APT28 are their Russian equivalents.”

“Germany's domestic intelligence agency, the Federal Office for the Protection of the Constitution (BfV), said APT 27 had used a malware variant to target commercial companies,” said a Deutsche Welle report. “The BfV said the attackers had been exploiting vulnerabilities in commonly used software since March 2021 as a gateway for the attacks.”

Such groups by default operate in the shadow realm, and gleaning actionable information on them is like Schrödinger's cat's version of Whack-A-Mole. Taking control of a few screens at 7-11 is one thing, but as Stagg says: “Seems like this was a bit more than a few 7-11s. Mostly DDoS, some other defacements...the whole thing smells of a cyber-warning-shot.”

Cyberwarfare preview

This is typical of cyberintrusions of whatever stripe: a demonstration of capabilities and a promise that it's just a taste, with the real strike in the pipeline. Stagg: “This is a nice preview of what full-on cyber warfare will look like.”

“Sure, there will be effective attacks against government, military, utilities, infrastructure, etc.,” says the Handshake Networking director. “But there will also be plenty of propaganda, fearmongering and inconvenience targeting citizens via the private sector.”

It makes sense. A typical Netizen might not much care if a government website operates less efficiently due to a DDoS attack, but if she steps into her local 7-11 and the in-store displays have clearly been compromised, the message just might resonate.

Why 7-11? Because it's a part of Taiwanese culture? Actually, there's another precedent.

Culture clash

In December 2021, “the Beijing municipal government issued a warning to the [Japanese-owned operator of 7-Eleven convenience stores in Beijing] and imposed a fine of 150,000 yuan (USD23,500), according to a credit information site affiliated with the Chinese government,” said an article on Nikkei Asia. “The stores in the capital are run by a local unit of Seven-Eleven Japan, a subsidiary of Japanese retail giant Seven & i Holdings.”

7-11 isn't the only Japanese convenience store doing business on the mainland — FamilyMart had “over 2,967 stores” by December 2020, while Lawson has “more than 4,700” — both greater than 7-11's September 2021 total of 2,582 stores. But the latter was “fined for describing Taiwan as an independent country and other naming conventions on its company website.”

Key takeaway

Taiwan is critical to global semiconductor supply, and a lengthy 2020 report by Wired Magazine's Andy Greenberg describes Operation Skeleton Key which “compromised at least seven Taiwanese chip firms over the past two years.” While many tech executives aren't concerned about tea-eggs, potential speed-bumps in semiconductor supply chains may cause brows to furrow.

“‘This is a way to cripple a part of Taiwan's economy, to hurt their long-term viability,’ says [Chad Duffy of Taiwanese cybersecurity firm CyCraft]. ‘If you look at the scope of this attack, pretty much the entire industry, up and down the supply chain, it seems like it's about trying to shift the power relationship there. If all the intellectual property is in China's hands, they have a lot more power.’”

As ever in gauging cybersecurity risks, an accurate glimpse of the bad actors is gauzy at best. But as APTs are potentially more dangerous to cybersecurity than rogue actors, they may represent the most potent threat.

Stefan Hammond is a contributing editor to CDOTrends. Best practices, the IoT, payment gateways, robotics and the ongoing battle against cyberpirates pique his interest. You can reach him at [email protected].
