
Look up: The new frontier of cyberthreats is in the sky


In November 2024, a series of unidentified drones appeared over New Jersey. This wasn’t the stuff of UFO enthusiasts or conspiracy theorists. The drones were real, and reported by citizens, law enforcement officers and members of the U.S. military.

Within a few weeks, sightings spread into New England, New York and Pennsylvania. Drones started to appear in restricted military airspace. The military said it wasn’t operating the drones, and that they didn’t pose a threat.

In late January 2025, the White House sent a similar message, noting that the New Jersey drones were “authorized to be flown by the Federal Aviation Administration (FAA) for research and various other reasons.”

Concerns over unidentified drones persist

Still, concerns over drones remain; so much so that the chief of the North American Aerospace Defense Command (NORAD) told lawmakers in February that the Pentagon needed more resources to deal with drones flying over U.S. military installations.

“The primary threat I see for them in the way they’ve been operating is detection and perhaps surveillance of sensitive capabilities on our installations,” NORAD chief Gen. Gregory Guillot said during a Senate Armed Services Committee hearing.

So, there are enough unidentified and suspicious drones that people with real power to make decisions are paying close attention to them. The issue is also global. In January, the German cabinet approved a plan to shoot down drones that flew over their military installations.

Attackers target drone manufacturers in Taiwan

A recent case from Taiwan shows there is reason to worry. Attackers there used malware to spy on drone manufacturers’ corporate computers and likely exfiltrate data. Taiwan is home to some of the world’s most advanced drone makers, and drone production on the island has ramped up significantly since 2022.

The attackers used a dynamic-link library (DLL) sideloading technique to install a persistent backdoor with complex functionality on infected systems. They brought three files to the system: a legitimate copy of Microsoft Word 2010, a signed wwlib.dll file and a file with a random name and file extension.

The attackers used Microsoft Word to sideload the malicious wwlib DLL. The DLL acts as a loader for the actual payload, which resides inside the encrypted file with a random name.

Execution chain of the backdoor (Source: Acronis)

With command and control capabilities installed as part of the breach, attackers gained access to company PCs within drone manufacturers. What’s particularly interesting is how attackers managed to enter a victim’s system: probably through enterprise resource planning (ERP) software.

The first appearance of the malicious files was inside the folder of a popular Taiwanese ERP software called Digiwin. The Acronis Threat Research Unit (TRU) found evidence of multiple components of Digiwin deployed in target environments. Digiwin, established in Taiwan but now based in mainland China, is the leader in Taiwan’s ERP market.

Attackers replaced Digiwin’s original Update.exe executable with Winword.exe. Update.exe is part of Digiwin’s auto-update workflow, but the swap caused it to launch Microsoft Word 2010 instead, which loaded the backdoor and gave the attackers a foothold for malicious actions.

Some of Digiwin’s components contain known vulnerabilities, and it seems very likely that the intrusion began in the ERP software, either through exploitation of those flaws or through a supply chain attack.
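The two observations above (a legitimate Word binary dropped beside a malicious wwlib.dll and a randomly named payload, and Digiwin’s Update.exe replaced by Winword.exe) give a defender a concrete file-system pattern to hunt for. The script below is an added example written for this article, not Acronis/TRU tooling or Digiwin code. It walks a directory tree and flags any file whose content matches a known-good WINWORD.EXE hash but lives outside an Office directory, regardless of the file name it was given; a wwlib.dll sitting beside it; and any sibling with an unexpected extension. The sample tree, the Word image bytes, the hash allowlist and the extension list are all constructed for the demo; in practice the hashes would come from a vendor allowlist or Authenticode verification.

```python
"""Hunt for the Word 2010 DLL-sideloading layout described in the article.

Added example, not Acronis/TRU or Digiwin code. File contents, hashes and
paths are constructed for the demo; a real hunt would take the known-good
WINWORD.EXE hashes from a vendor allowlist or Authenticode verification.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed stand-in for the bytes of a genuine WINWORD.EXE image.
FAKE_WINWORD_BYTES = b"MZ-constructed-winword-2010-image"
KNOWN_WORD_HASHES = {hashlib.sha256(FAKE_WINWORD_BYTES).hexdigest()}

# Word is expected to live under a directory containing this marker (assumption).
EXPECTED_OFFICE_MARKER = "microsoft office"

# Extensions a legitimate ERP install folder would plausibly contain (assumption).
BENIGN_EXTENSIONS = {".exe", ".dll", ".ini", ".xml", ".config", ".txt", ".log", ".dat", ".json"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: Path, known_word_hashes=KNOWN_WORD_HASHES):
    """Return sorted (rule, relative_path) findings for the sideloading pattern.

    word_outside_office: content is a known Word binary but the file sits outside
                         an Office directory, under any name (catches Update.exe
                         replaced by Winword.exe).
    sideload_dll:        wwlib.dll is present beside that relocated Word binary, so
                         Word resolves it from its own directory instead of Office.
    odd_sibling:         another file beside it has an unexpected extension, the
                         shape of the encrypted payload with a random name.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        if EXPECTED_OFFICE_MARKER in str(d).lower():
            continue  # Word is supposed to be here; nothing to flag
        relocated_word = [f for f in files if sha256_of(d / f) in known_word_hashes]
        if not relocated_word:
            continue
        for f in relocated_word:
            findings.append(("word_outside_office", (d / f).relative_to(root).as_posix()))
        lowered = {f.lower(): f for f in files}
        if "wwlib.dll" in lowered:
            findings.append(("sideload_dll", (d / lowered["wwlib.dll"]).relative_to(root).as_posix()))
        for f in files:
            if f in relocated_word or f.lower() == "wwlib.dll":
                continue
            if Path(f).suffix.lower() not in BENIGN_EXTENSIONS:
                findings.append(("odd_sibling", (d / f).relative_to(root).as_posix()))
    return sorted(findings)


def build_sample_tree(root: Path) -> None:
    """Constructed directory layout mirroring the article's description."""
    office = root / "Program Files" / "Microsoft Office" / "Office14"
    erp = root / "Digiwin"
    office.mkdir(parents=True)
    erp.mkdir(parents=True)
    (office / "WINWORD.EXE").write_bytes(FAKE_WINWORD_BYTES)  # legitimate install
    (office / "wwlib.dll").write_bytes(b"genuine wwlib")       # legitimate DLL
    (erp / "Update.exe").write_bytes(FAKE_WINWORD_BYTES)       # Word renamed over the updater
    (erp / "wwlib.dll").write_bytes(b"malicious loader")       # sideloaded loader
    (erp / "k7x2pq.vbd").write_bytes(b"encrypted payload")     # random name and extension
    (erp / "config.xml").write_bytes(b"<cfg/>")                # ordinary ERP file, not flagged


def demo():
    """Build the constructed tree in a temp dir and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rule, path in demo():
        print(f"{rule:20s} {path}")
```

Matching on content hash rather than file name is the point of the first rule: the renamed Update.exe is indistinguishable from Winword.exe by its bytes, and a name-based rule would miss it. Hashing every file in every non-Office directory is acceptable for a demo; on a production host you would first filter by size or by the PE header, and you would treat the genuine Office directory as an allowlisted location rather than a substring match.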

Why Taiwan?

In August 2022, drone manufacturing in Taiwan got a jumpstart. Taiwan’s central government opened the UAV AI Innovation Application R&D Center in Chiayi County and offered a NT$50 million tender for 3,000 commercial-grade drones to be used for military applications.

The race was on. There are now about a dozen companies in Taiwan participating in drone manufacturing, and even more when taking into account the island’s global aerospace industry.

Taiwan’s allegiance to the U.S. and strong technological background make the island a prime target for adversaries interested in military espionage or supply chain attacks.

The extreme growth of the drone industry in the past decade also had an unfortunate side effect: even consumer models are used for military purposes now. They are capable of carrying smaller weapons, as footage reveals from ongoing conflicts around the world.

An investigation into the attacks revealed the use of a long-lasting digital certificate from a company based in Taiwan. All command and control servers, as well as all the companies targeted, were located in Taiwan. As such, this campaign against drone makers looks like a highly sophisticated, targeted operation, carefully planned and executed by the threat actors.

The Taiwan attacks demonstrate that American officials and other global watchdogs worried about unidentified drones have legitimate concerns. With drone manufacturers under attack, vigilance isn’t just a good idea. It’s a necessity.

About TRU

The Acronis Threat Research Unit (TRU) is a team of cybersecurity experts specializing in threat intelligence, AI and risk management.

The TRU team researches emerging threats, provides security insights, and supports IT teams with guidelines, incident response and educational workshops.


Sponsored and written by Acronis.
