Vast Potential of a New Chinese Espionage Group Targeting Taiwanese Organizations
Category: Threat Actor Activity | Industries: Education, Government, Manufacturing, Technology | Source: Microsoft
Taiwanese organizations are in the crosshairs of an espionage operation run by a nation-state threat group linked to the Chinese government, tracked as Flax Typhoon. The finding comes from Microsoft's Threat Intelligence team, whose latest report traces Flax Typhoon's activity as far back as mid-2021. While Taiwan appears to be the focus of Flax Typhoon's campaigns, the group's activity has also been observed in other regions, including Southeast Asia, North America, and Africa. Based on Microsoft's research, "Flax Typhoon's observed behavior suggests that the threat actor intends to perform espionage and maintain access to organizations across a broad range of industries for as long as possible." However, the actor's ultimate objective has yet to be determined.
Flax Typhoon emphasizes stealth and employs living-off-the-land techniques to evade defenses. "Flax Typhoon gains and maintains long-term access to Taiwanese organizations' networks with minimal use of malware, relying on tools built into the operating system, along with some normally benign software to quietly remain in these networks." Microsoft's analysis reveals that Flax Typhoon exploits known vulnerabilities in public-facing servers for initial access and favors tools such as China Chopper, Metasploit, the local privilege escalation tool Juicy Potato, Mimikatz, and the SoftEther VPN software.
Notably, "the actor establishes a long-term method of accessing the compromised system using the remote desktop protocol (RDP). To accomplish this, the actor disables network-level authentication (NLA) for RDP, replaces the Sticky Keys binary, and establishes a VPN connection." Despite the persistence of the group's activities, Microsoft has not observed any concrete actions beyond unauthorized access, noting a lack of observed data collection or exfiltration. The activity Microsoft attributes to Flax Typhoon overlaps with a threat actor CrowdStrike tracks as Ethereal Panda, characterized by the group's "distinctive pattern of malicious activity" aimed at Taiwan. The capabilities showcased by Flax Typhoon's tactics, techniques, and procedures (TTPs), coupled with their potentially extensive impact on organizations, motivated Microsoft to publish the report, aiming to enhance detection and awareness within the security community.
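As an added, read-only host check (not code from the Microsoft report), the script below looks for the two RDP-persistence conditions described above: NLA disabled on the default RDP listener, and the Sticky Keys binary (sethc.exe) replaced or hijacked. The report names only Sticky Keys; the same check is applied, as a generalization, to the other accessibility helpers Winlogon can launch from the logon screen, and the registry paths used are the standard Windows locations for these settings.

```powershell
# Added example (not from the Microsoft report): read-only host check for the
# RDP persistence conditions described for Flax Typhoon.
$findings = @()

# --- 1. Network Level Authentication disabled on the default RDP listener ---
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue
if ($nla -and $nla.UserAuthentication -eq 0) {
    $findings += "NLA disabled: $rdpKey\UserAuthentication = 0"
}

# --- 2. Accessibility-binary tampering (Sticky Keys = sethc.exe) ---
# The report names only Sticky Keys; utilman.exe and osk.exe are checked the
# same way because Winlogon launches them from the same pre-logon context.
$accessibilityBinaries = @('sethc.exe', 'utilman.exe', 'osk.exe')
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$cmdHash  = (Get-FileHash -Path (Join-Path $env:SystemRoot 'System32\cmd.exe') -Algorithm SHA256).Hash

foreach ($name in $accessibilityBinaries) {
    $path = Join-Path $env:SystemRoot "System32\$name"
    if (-not (Test-Path $path)) { continue }

    # (a) The file on disk is really another program, e.g. a copy of cmd.exe.
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    if ($hash -eq $cmdHash) { $findings += "$name is a byte-for-byte copy of cmd.exe" }

    $stem     = [IO.Path]::GetFileNameWithoutExtension($name)
    $origName = (Get-Item $path).VersionInfo.OriginalFilename
    if ($origName -and $origName -notlike "$stem*") {
        $findings += "$name reports OriginalFilename '$origName' (expected $name)"
    }

    # (b) The file is untouched but hijacked through an IFEO Debugger value,
    #     which makes Windows start the 'debugger' instead of the binary.
    $ifeo = Get-ItemProperty -Path (Join-Path $ifeoRoot $name) -Name Debugger -ErrorAction SilentlyContinue
    if ($ifeo -and $ifeo.Debugger) {
        $findings += "IFEO Debugger set for ${name}: $($ifeo.Debugger)"
    }

    # (c) The binary no longer carries a valid Microsoft signature.
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') { $findings += "$name signature status: $($sig.Status)" }
}

if ($findings.Count -eq 0) { 'No RDP / Sticky Keys persistence indicators found.' }
else { $findings | ForEach-Object { "[FINDING] $_" } }
```

A hit on any of these checks is a strong signal on a server that should never run interactive sessions from the logon screen, but confirm against a known-good image before acting, since legitimate administrators also change the NLA setting.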