UAT-7237 USES CUSTOMIZED OPEN-SOURCE TOOLS TO COMPROMISE TAIWANESE CRITICAL INFRASTRUCTURE AND HACKERS EXPLOIT A THIRD-PARTY CRM TO EXPOSE EMPLOYEE CONTACT DETAILS
August 14-20, 2025 | Issue 31 - CICYBER
Amelia Bell, Lucy Gibson, CICYBER
Elena Alice Rossetti, Senior Editor

Hackers[1]
Date: August 15, 2025
Location: Taiwan
Parties involved: Taiwan; Taiwanese government; Taiwanese cybersecurity organizations; Taiwanese national service providers; Taiwan-based organizations; China; Chinese government; Chinese-speaking Advanced Persistent Threat (APT) group UAT-7237; Russia; IT professionals
The event: UAT-7237 used customized open-source tools to compromise Taiwanese critical infrastructure and establish persistent access to credential information.[2]
Analysis & Implications:
UAT-7237 will very likely continue to exploit open-source tooling to steal critical data and maintain persistent access to information sources, likely using this access to later shut down organizations’ systems or sell high-value information. Access to credentials, privilege escalation, and familiarity with the target network will very likely enable UAT-7237 to change network configuration and performance at any time, almost certainly allowing them to continue to evade detection, especially if the target hasn’t identified their presence yet. UAT-7237 will likely try to sell extracted data and get financial and operational support from governments and actors with an interest in compromising Taiwan’s services, such as China and Russia. The information extracted by the group will very likely attract the Chinese government to purchase data about Taiwanese national service providers, such as healthcare and energy suppliers, likely allowing China to gain a tactical advantage over Taiwan.
Once UAT-7237’s motivation behind the attack is identified, the Taiwanese government will very likely urge relevant security organizations to prioritize the enhancement of their cybersecurity measures, likely performing ad hoc pentesting and red team exercises to identify vulnerabilities in their networks. These cybersecurity measures will very likely focus on UAT-7237’s common targets, such as internet-facing servers and identity management tooling, likely allowing the introduction of preventive measures. Potential targets will very likely monitor network traffic more frequently and configure specific alerting for changes to User Account Control (UAC) configuration and other Indicators of Compromise (IOCs) that likely signal UAT-7237 activity. The Taiwanese government will likely offer support to organizations to improve the country’s overall cybersecurity readiness, likely encouraging information sharing and the dissemination of best practices among IT professionals through dedicated conferences and online portals, and implementing stricter cybersecurity protocols nationwide, such as routine patching and pentesting.
Date: August 18, 2025
Location: Global
Parties involved: global HR organization Workday; Workday HR departments; Workday employees; Workday’s Fortune 500 clients; American life insurance company Allianz Life; unknown hackers; unknown cybersecurity attackers; affected organizations
The event: Hackers exploited a third-party customer relationship management (CRM) platform linked to Workday, exposing employee contact details but leaving core customer systems untouched.[3]
Analysis & Implications:
The attackers will very likely evolve their tactics by using Workday’s contact information to start large-scale spear-phishing campaigns that mirror HR and finance workflows, such as payroll notifications or benefits enrollment updates. There is a roughly even chance that attackers will automate these operations using AI-driven voice cloning and email spoofing, likely to scale vishing and phishing attempts while partially evading traditional detection systems across Workday’s Fortune 500 client networks. These adaptive scams will likely unfold in stages, first targeting lower-level employees to exploit weaker access controls or less stringent screening processes, enabling attackers to escalate privileges and maneuver through managerial approval paths without immediately drawing heightened scrutiny. Over time, attackers will likely establish large-scale routines that map company hierarchies and exploit workflow cycles, with consequences such as prolonged credential exposure, increased business email compromise, and ongoing financial fraud attempts placing sustained operational and reputational stress on affected organizations.
This breach will very likely expose how attackers can exploit routine trust mechanisms such as approvals and internal communications, likely compelling companies to institutionalize verification as an operational requirement and a cultural norm. Workday, alongside other large organizations such as Allianz Life, will likely enhance multi-factor authentication guidelines for their salesforce and HR representatives, likely focusing on approval chains that attackers might try to exploit. Companies will likely require employees to confirm sensitive requests only through controlled corporate systems, likely reducing the chance of believing fake calls, texts, or emails. In the long term, Workday and other HR companies will very likely embed these changes into cultural norms that prioritize verification over convenience, likely reshaping trust management across digital and human workflows.
[1] Hackers, generated by a third-party database
[2] Taiwan Web Servers Breached by UAT-7237 Using Customized Open-Source Hacking Tools, The Hacker News, August 2025, https://thehackernews.com/2025/08/taiwan-web-servers-breached-by-uat-7237.html?m=1
[3] Workday Data Breach Bears Signs of Widespread Salesforce Hack, SecurityWeek, August 2025, https://www.securityweek.com/workday-data-breach-bears-signs-of-widespread-salesforce-hack/