Microsoft has identified a China-based hacking group, dubbed “Flax Typhoon,” which has been targeting Taiwanese organizations. The group's primary intention appears to be espionage. The campaign has been observed to affect organizations almost exclusively in Taiwan, but the techniques used could be easily repurposed for operations outside the region. Microsoft links this campaign to Flax Typhoon, which has overlaps with another known entity, ETHEREAL PANDA.
According to the official announcement by Microsoft Threat Intelligence, “Microsoft has identified a nation-state activity group tracked as Flax Typhoon, based in China, that is targeting dozens of organizations in Taiwan with the likely intention of performing espionage.” They further emphasized the importance of raising awareness about the techniques used by this threat actor to inform better defenses against future attacks.
Flax Typhoon's approach is notable in that it gains and maintains access to Taiwanese organizations' networks with minimal use of malware. Instead, it relies on tools built into the operating system, together with some normally benign software, to remain in these networks undetected. The group's behavior suggests espionage intentions and a desire to maintain long-term access to organizations across various industries; however, Microsoft has not observed Flax Typhoon using this access for further actions or acting on final objectives in this campaign.
The group has been active since mid-2021 and has targeted various sectors in Taiwan, including government agencies, education, critical manufacturing, and IT organizations. Some victims have also been observed in Southeast Asia, North America, and Africa. Flax Typhoon primarily relies on “living-off-the-land” techniques. It achieves initial access by exploiting known vulnerabilities in public-facing servers and deploying web shells such as China Chopper. After gaining initial access, the group uses command-line tools to establish persistent access over the Remote Desktop Protocol (RDP), deploys a VPN connection to its own network infrastructure, and collects credentials from compromised systems.
Microsoft Taking Action Against the Hackers
Microsoft has taken steps to raise awareness about the techniques used by Flax Typhoon to help organizations better defend against future attacks. They have also deployed detections to their customers and are driving broader community awareness to further investigations and protections across the security ecosystem.
To defend against techniques used by Flax Typhoon, organizations are advised to focus on vulnerability and patch management, especially for systems exposed to the public internet. Credential access techniques can also be mitigated with proper system hardening. Affected organizations should assess the scale of Flax Typhoon activity in their network, remove malicious tools, check logs for signs of compromised accounts, and take necessary steps to secure their environments.
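The advice above to check logs for signs of compromised accounts is easier to act on with a concrete triage routine. The following Python script is an added example, not code from Microsoft or from the report it describes: it models the review of RDP logons (the persistence channel described earlier) against a per-account baseline and flags sessions from unexpected accounts, unexpected source subnets, or outside business hours. The event record layout, the baseline, the business-hours window, and every sample value are constructed assumptions chosen for illustration.

```python
"""Triage RDP logon records for signs of compromised accounts.

Added example (not Microsoft's code). The record format is a simplified
stand-in for Windows "successful logon" events; logon type 10 is the
RemoteInteractive (RDP) type. All sample data below is constructed.
"""
from datetime import datetime

# Constructed sample events: a handful of logons over two days.
SAMPLE_EVENTS = [
    {"time": "2023-08-21T09:12:00", "user": "alice", "logon_type": 10, "src": "10.0.5.21"},
    {"time": "2023-08-21T02:47:00", "user": "svc-backup", "logon_type": 10, "src": "10.0.9.77"},
    {"time": "2023-08-21T14:03:00", "user": "alice", "logon_type": 2, "src": "-"},
    {"time": "2023-08-22T03:10:00", "user": "svc-backup", "logon_type": 10, "src": "10.0.9.77"},
    {"time": "2023-08-22T10:30:00", "user": "bob", "logon_type": 10, "src": "10.0.5.40"},
    {"time": "2023-08-22T10:31:00", "user": "bob", "logon_type": 10, "src": "10.0.5.40"},
]

# Constructed baseline (assumption): accounts expected to use RDP and the
# source-address prefixes they normally connect from.
RDP_BASELINE = {
    "alice": {"10.0.5."},
    "bob": {"10.0.5."},
}

# Assumed business-hours window, 07:00 through 19:59 local time.
BUSINESS_HOURS = range(7, 20)

RDP_LOGON_TYPE = 10


def triage_rdp_logons(events, baseline=RDP_BASELINE):
    """Return a list of findings for RDP logons that deviate from the baseline.

    Each finding carries the reasons it was flagged so an analyst can see
    whether the account, the source, or the timing (or several) is unusual.
    """
    findings = []
    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # only interactive remote sessions are in scope here
        user = ev["user"]
        ts = datetime.fromisoformat(ev["time"])
        reasons = []
        if user not in baseline:
            reasons.append("account not expected to use RDP")
        elif not any(ev["src"].startswith(prefix) for prefix in baseline[user]):
            reasons.append("source outside baseline subnet")
        if ts.hour not in BUSINESS_HOURS:
            reasons.append("logon outside business hours")
        if reasons:
            findings.append(
                {"time": ev["time"], "user": user, "src": ev["src"], "reasons": reasons}
            )
    return findings


def accounts_to_review(findings):
    """Collapse findings into the sorted list of accounts needing review."""
    return sorted({f["user"] for f in findings})


if __name__ == "__main__":
    for finding in triage_rdp_logons(SAMPLE_EVENTS):
        print(f"{finding['time']} {finding['user']:<12} {finding['src']:<12} "
              + "; ".join(finding["reasons"]))
    print("accounts to review:", accounts_to_review(triage_rdp_logons(SAMPLE_EVENTS)))
```

On the constructed data the two night-time RDP sessions by the service account are the only findings, which is the kind of lead an analyst would then follow into credential resets and a wider scope assessment. In a real environment the baseline would be derived from historical logon data rather than hand-written, and the same structure extends to the other channels the article names, such as unexpected outbound VPN connections from servers.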