Microsoft says a newly discovered China-based advanced persistent threat (APT) group focused on espionage has targeted “dozens” of organizations in Taiwan.
The group, which is called “Flax Typhoon,” has been operating since mid-2021 and is causing the company “significant concern around the potential for further impact to our customers,” the company’s threat intelligence team said in a blog post on Thursday.
“Flax Typhoon’s observed behavior suggests that the threat actor intends to perform espionage and maintain access to organizations across a broad range of industries for as long as possible,” Microsoft’s post said.
While the group has been observed in North America, Southeast Asia and Africa, it is almost exclusively targeting organizations in Taiwan at present. Microsoft was concerned, however, that the group had developed “techniques that could be easily reused in other operations outside the region.”
Fears over nation-state cyberespionage
Microsoft’s decision to share its research on Flax Typhoon comes amid an increase in tensions between China and the West over Taiwan’s future, along with an apparent escalation of Chinese cyberespionage activities in the South China Sea.
In May, Microsoft identified another new China-based APT group, Volt Typhoon, which appeared to be targeting critical infrastructure organizations in Guam – the location of the closest U.S. military base to Taiwan – and elsewhere in the United States.
Last week, Lumen’s Black Lotus Labs disclosed a HiatusRAT malware attack against a range of Taiwan-based organizations and a U.S. Department of Defense server which its researchers said may be aligned with other espionage-focused campaigns linked to China.
Meanwhile, Microsoft has faced tough questions over whether it is adequately protecting its customers from the threats posed by espionage-focused state actors. The Department of Homeland Security’s Cyber Safety Review Board is looking into how threat group Storm-0558 was able to use a private Microsoft encryption key to forge authentication tokens to access the cloud-based email accounts of more than 25 organizations.
Stealthy techniques
Flax Typhoon uses minimal malware, relying primarily on living-off-the-land techniques (abusing tools already built into the target’s operating system) and hands-on-keyboard activity to gain and maintain long-term access to Taiwanese victim networks.
Initial access was achieved by exploiting known vulnerabilities in public-facing servers and deploying web shells, including China Chopper.
“Because this activity relies on valid accounts and living-off-the-land binaries (LOLBins), detecting and mitigating this attack could be challenging. Compromised accounts must be closed or changed. Compromised systems must be isolated and investigated,” Microsoft said.
An unusual aspect of Flax Typhoon’s activity was that once the group had established persistence within a victim’s network, it did not appear to carry out further data collection or exfiltration.
“Defending against techniques used by Flax Typhoon begins with vulnerability and patch management, particularly on systems and services exposed to the public internet. The credential access techniques used can also be mitigated with proper system hardening.”
U.S. cybersecurity officials have often expressed concern over foreign hacking groups from China, Russia or other hostile countries gaining preemptive access to domestic critical infrastructure networks and other high-value targets. Such footholds can act as a staging ground to launch future cyber attacks at strategic moments or points of high tension between rival countries.
“While the actor’s observed behavior suggests Flax Typhoon intends to perform espionage and maintain their network footholds, Microsoft has not observed Flax Typhoon act on final objectives in this campaign,” the threat intelligence team wrote.