Chinese State Hackers 'Flax Typhoon' Targeting TaiwanLikely Espionage Campaign Focuses on Persistence and Credential Dumping
Chinese state hackers are targeting Taiwanese organizations, likely for espionage, in a difficult-to-detect campaign that relies on Windows utilities for malicious purposes.
Microsoft dubbed the threat actor Flax Typhoon in a Thursday blog post and said the hackers are focused on persistence, lateral movement and credential access.
Flax Typhoon, which overlaps with the hacking group identified by CrowdStrike as Ethereal Panda has been active since at least 2021. Microsoft observed Flax Typhoon victims in Southeast Asia, North America and Africa. Among the victims are government agencies and education, critical manufacturing and information technology organizations in Taiwan.
China claims Taiwan as part of its territory and has not ruled out using force to achieve unification. Tension in the Taiwan Strait tension has increased in recent years, as China has stepped up its military and diplomatic pressure on Taiwan. Microsoft in 2022 charged the Chinese government with likely stockpiling zero-days that they could weaponize in the future for state-backed hacking. Cybersecurity analysts have seen an uptick in hacking attempts against Taiwanese targets although not all of them necessarily come from Beijing (see: Cyberattacks on Taiwan Surge Amid Chinese Aggression).
Flax Typhoon relies on valid accounts and "living off the land" binaries. It achieves initial access by exploiting known vulnerabilities in public-facing servers. "The services targeted vary, but include VPN, web, Java, and SQL applications," Microsoft said. The group's initial payload is a web shell including China Chopper, a popular web shell among Chinese cybercriminals. It also uses privilege escalation tools such as Juicy Potato and Bad Potato.
Once inside a network, Flax Typhoon operators use command-line tools to establish persistent access over the remote desktop protocol and deploy a VPN connection to bad actor-controlled network infrastructure to collect credentials from compromised systems.
The threat actor looks for places where the Windows operating system locally stores hashed passwords, including Local Security Authority Subsystem Service process memory and the Security Account Manager registry hive. Flax Typhoon frequently deploys Mimikatz, which is publicly available malware that can automatically dump improperly secured credentials. Password hashes can be cracked offline or used in pass-the-hash attacks to access other resources on the compromised network, the researchers said.