Researchers at Microsoft said on Thursday that a hacking group with suspected links to the Chinese government is actively targeting dozens of organizations in Taiwan as part of a cyber espionage campaign.
Flax Typhoon, the name Microsoft uses to describe the group based in China, is working to gain and maintain long-term access to primarily Taiwanese organizations, although some victims have been observed in Southeast Asia, North America and Africa, the company said in a blog post Thursday. The group’s targets include government entities, manufacturing firms and tech companies.
The news comes on the heels of the Biden administration’s approval of a $500 million arms package to Taiwan and a new round of Chinese military drills near the island. Three months ago, Microsoft and a coalition of intelligence agencies revealed that Chinese-linked hackers targeted telecommunications systems in Guam as part of an operation that may have laid the groundwork for severing communications between the United States and its military assets in East Asia.
Thursday’s report from Microsoft describes a fairly stealthy actor that uses minimal amounts of malware in its operations and instead relies on tools already within victim systems, “along with some normally benign software.” Microsoft researchers have not observed the group using its access to Taiwanese systems to conduct additional operations but noted that the group is using “techniques that could be easily reused in other operations outside the region and would benefit from broader industry visibility.”
“Although our visibility into these threats has given us the ability to deploy detections to our customers, the lack of visibility into other parts of the actor’s activity compelled us to drive broader community awareness to further investigations and protections across the security ecosystem,” the company said in its blog.
Flax Typhoon has been active since mid-2021 and is known to use the China Chopper web shell, the researchers noted. The same web shell has also been used by Hafnium, a state-backed Chinese hacking group that successfully used multiple zero-day bugs in Microsoft Exchange Server software as part of an espionage campaign revealed in March 2021. Later that year, the FBI hacked victim servers to remove Hafnium malware.
Flax Typhoon has also been observed using Metasploit, a popular penetration testing framework; the Juicy Potato privilege escalation tool; Mimikatz, the data exfiltration tool; and the SoftEther virtual private network (VPN) client, according to Microsoft.