Image: Ethan Lin via Unsplash
Image: Ethan Lin via Unsplash

China-based hackers target dozens of Taiwanese organizations in espionage operation, Microsoft warns

A newly identified espionage operation run by hackers linked to China’s government has targeted dozens of organizations in Taiwan since the middle of 2021.

Microsoft on Thursday attributed the campaign to a previously unidentified group it named Flax Typhoon. The goal of the campaign is to not only perform espionage on targeted Taiwanese entities but “maintain access to organizations across a broad range of industries for as long as possible,” the tech giant said.

The group is mainly targeting government agencies and education, critical manufacturing, and information technology organizations in Taiwan, but Microsoft has also seen victims across Southeast Asia, North America and Africa.

“Flax Typhoon gains and maintains long-term access to Taiwanese organizations’ networks with minimal use of malware, relying on tools built into the operating system, along with some normally benign software to quietly remain in these networks,” the company said in a blog post on Thursday. “Microsoft has not observed Flax Typhoon using this access to conduct additional actions.”

The campaign is one of several similar efforts identified by security researchers since Beijing has strengthened its rhetoric around “reunifying” Taiwan with the Chinese mainland.

Some evidence suggests that there are overlaps in this group’s activity and another group identified by cybersecurity firm Crowdstrike as Ethereal Panda. They added that the group has used “a distinctive pattern of malicious activity” in its attacks on Taiwanese organizations that could be reused in operations targeting other countries.

Microsoft has been at the center of controversies related to several of the Chinese government’s hacking campaigns targeting both U.S. critical infrastructure and the most senior levels of the U.S. government.

Microsoft said it decided to publish this latest report out of “significant concern” for the downstream impact the attacks may have on their customers and because it lacked the “visibility into other parts of the actor’s activity.”

They urged other researchers to investigate their findings in an effort to better protect the broader community and warned that the group is using living-off-the-land binaries and valid accounts – tactics deployed against Microsoft systems that are now facing withering Congressional scrutiny.

These tactics make detection and mitigation extremely difficult and require compromised accounts to be closed or changed, Microsoft explained. Systems that are compromised need to be isolated and investigated as well.

Gaining access and persistence

Flax Typhoon uses a range of technical tools to maintain persistence, gain access to credentials and move laterally through systems to expand their reach.

The group gains initial access by exploiting vulnerabilities in public-facing servers before deploying a VPN connection and collecting credentials from victim systems. Through VPN access they are able to scan systems for other vulnerabilities and the use of legitimate VPN applications makes the connection harder to identify as malicious. The traffic is nearly indistinguishable from legitimate HTTPS traffic, which most network security appliances would not block, Microsoft explained.

“While the actor’s observed behavior suggests Flax Typhoon intends to perform espionage and maintain their network footholds, Microsoft has not observed Flax Typhoon act on final objectives in this campaign,” they explained.

“Defending against techniques used by Flax Typhoon begins with vulnerability and patch management, particularly on systems and services exposed to the public internet. The credential access techniques used can also be mitigated with proper system hardening.”

They urged affected organizations to assess the scale of Flax Typhoon activity in their network, remove malicious tools and check logs for compromised accounts alongside a host of other measures that need to be taken.

Cybersecurity experts have long identified dozens of hacking campaigns targeting Taiwan since the Chinese government made it more explicit that they planned to eventually retake the island – which considers itself a separate county.

Researchers at cybersecurity firm Trellix said in May that they have observed a significant rise in extortion emails aimed at Taiwanese government officials, with a 30-fold increase year-on-year in the number of malicious emails in January.

Last week, researchers at Black Lotus Labs said that it discovered a complex campaign that infected business-grade routers used by Taiwanese organizations and U.S. military websites.

The advisory from Microsoft comes one week after Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly warned that the Chinese government would consider destructive or disruptive attacks on American pipelines, railroads and other critical infrastructure if it believed the U.S. would get involved during a potential invasion of Taiwan.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
What is Threat Intelligence
No previous article
No new articles
Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.