
Chinese State Hackers 'Flax Typhoon' Targeting Taiwan

Likely Espionage Campaign Focuses on Persistence and Credential Dumping
An aerial urban landscape view of the Forbidden City in Beijing (Image: Shutterstock)

Chinese state hackers are targeting Taiwanese organizations, likely for espionage, in a difficult-to-detect campaign that relies on Windows utilities for malicious purposes.

Microsoft dubbed the threat actor Flax Typhoon in a Thursday blog post and said the hackers are focused on persistence, lateral movement and credential access.

Flax Typhoon, which overlaps with the hacking group identified by CrowdStrike as Ethereal Panda, has been active since at least 2021. Microsoft observed Flax Typhoon victims in Southeast Asia, North America and Africa. Among the victims are government agencies and education, critical manufacturing and information technology organizations in Taiwan.

China claims Taiwan as part of its territory and has not ruled out using force to achieve unification. Tension in the Taiwan Strait has increased in recent years, as China has stepped up its military and diplomatic pressure on Taiwan. Microsoft in 2022 charged the Chinese government with likely stockpiling zero-days that it could weaponize in the future for state-backed hacking. Cybersecurity analysts have seen an uptick in hacking attempts against Taiwanese targets, although not all of them necessarily come from Beijing (see: Cyberattacks on Taiwan Surge Amid Chinese Aggression).

Flax Typhoon relies on valid accounts and "living off the land" binaries. It achieves initial access by exploiting known vulnerabilities in public-facing servers. "The services targeted vary, but include VPN, web, Java, and SQL applications," Microsoft said. The group's initial payload is a web shell, such as China Chopper, which is popular among Chinese cybercriminals. It also uses privilege escalation tools such as Juicy Potato and Bad Potato.

Once inside a network, Flax Typhoon operators use command-line tools to establish persistent access over the Remote Desktop Protocol and deploy a VPN connection to actor-controlled network infrastructure, which they use to collect credentials from compromised systems.

The threat actor looks for places where the Windows operating system locally stores hashed passwords, including Local Security Authority Subsystem Service process memory and the Security Account Manager registry hive. Flax Typhoon frequently deploys Mimikatz, which is publicly available malware that can automatically dump improperly secured credentials. Password hashes can be cracked offline or used in pass-the-hash attacks to access other resources on the compromised network, the researchers said.
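To make the credential-access behaviour described above concrete from a detection standpoint, here is an added example (not code from Microsoft's report or from this article) that flags two of the indicators in constructed, Sysmon-style event records: a process outside an allowlist opening lsass.exe memory with read access, and a process command line referencing the SAM hive. The allowlist, the field values and the sample records are assumptions for illustration.

```python
import re

PROCESS_VM_READ = 0x0010  # access right required to read another process's memory

# Images that routinely open lsass.exe on a typical host (assumed allowlist; tune per estate).
LSASS_ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Command-line references to the SAM hive, by registry path or by on-disk hive file.
SAM_HIVE = re.compile(r"hklm\\sam\b|\\system32\\config\\sam\b", re.IGNORECASE)

# Constructed records modelled on Sysmon Event ID 10 (ProcessAccess) and Event ID 1
# (ProcessCreate); field names follow Sysmon, values are invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save hklm\sam C:\Users\Public\sam.hiv"},
]


def lsass_read_access(ev):
    """True when a non-allowlisted process obtained read access to lsass.exe memory."""
    if ev.get("EventID") != 10:
        return False
    if not ev["TargetImage"].lower().endswith(r"\lsass.exe"):
        return False
    granted = int(ev["GrantedAccess"], 16)
    if not granted & PROCESS_VM_READ:
        return False
    return ev["SourceImage"].lower() not in LSASS_ALLOWED_SOURCES


def sam_hive_access(ev):
    """True when a process creation command line references the SAM hive."""
    return ev.get("EventID") == 1 and bool(SAM_HIVE.search(ev.get("CommandLine", "")))


def scan(events):
    """Return (rule, offending image) pairs for every event matching a rule."""
    hits = []
    for ev in events:
        if lsass_read_access(ev):
            hits.append(("lsass-read", ev["SourceImage"]))
        if sam_hive_access(ev):
            hits.append(("sam-hive", ev["Image"]))
    return hits
```

Run against real telemetry, the allowlist will need to cover EDR agents and other legitimate LSASS readers, and the rule should be correlated with the RDP and VPN activity the article describes rather than alerted on alone.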

About the Author

Prajeet Nair


Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
