August 25, 2023 (updated 29 Aug 2023 10:04am)

Chinese cyber-espionage campaign targets dozens of Taiwanese organisations

Researchers have told Tech Monitor that the Flax Typhoon campaign shows a move away from cyber-espionage to "information-ops."

By Claudia Glover

Evidence of a cyber-espionage campaign by Chinese government-linked cybercrime gang Flax Typhoon has been uncovered in dozens of organisations in Taiwan, Microsoft Threat Intelligence has warned. The operation has been active since mid-2021.

Microsoft warned that companies should take heed of the techniques used by Flax Typhoon, as the group's indicators of compromise are so commonplace within a system that they are easily overlooked. Researchers have additionally noted that the Flax Typhoon attacks show a bid for plausible deniability on the part of state-backed cybergangs connected to the Chinese government, alongside a shift in emphasis from basic cyber-espionage towards more complex “information-ops”.

The skyline of Taipei, Taiwan. Dozens of Taiwanese businesses have been targeted by Flax Typhoon, a cybercrime gang based in the mainland People’s Republic of China. (Photo by Sean Pavone/Shutterstock)

The mainland People’s Republic of China considers Taiwan to be a renegade province and has previously mounted cyber-espionage and DDoS campaigns against the island nation. The goal of Flax Typhoon’s campaign appears to be not only to gain access to sensitive data but also to “maintain access to organisations across a broad range of industries for as long as possible,” according to Microsoft.

Industries targeted by Flax Typhoon include manufacturing, education, information technology organisations and government agencies in Taiwan. Microsoft also notes that companies have been targeted in North America, Southeast Asia and Africa.

“Flax Typhoon gains and maintains long-term access to Taiwanese organizations’ networks with minimal use of malware, relying on tools built into the operating system, along with some normally benign software to quietly remain in these networks,” the post reads. “Microsoft has not observed Flax Typhoon using this access to conduct additional actions.”

The company explained that it is choosing to highlight this activity now because of its concern about the potential for further impact on its customers. “Although our visibility into these threats has given us the ability to deploy detections to our customers, the lack of visibility into other parts of the actor’s activity compelled us to drive broader community awareness to further investigations and protections across the security ecosystem,” the blog says.

Attacks such as these indicate a move away from the Chinese cyber-espionage of yesteryear, explains Alan Liska, Computer Emergency Response Team lead at security company Recorded Future. “What we’re seeing is an expansion of Chinese information-ops, because you still have the traditional espionage, but you are also seeing that more aggressive side,” he told Tech Monitor.


This is coupled with a bid for plausible deniability within Flax Typhoon’s techniques, he continues. “As you can see from the report, they’re using a lot of off-the-shelf tools, that are readily available that any cybercriminal would use, which gives [the PRC] the ability to somewhat distance themselves from these attacks,” says Liska.

Other “information-ops campaigns”

News of this campaign comes on the heels of another Chinese cybercrime group called Volt Typhoon, which caused international alarm when its malware was detected in different elements of US military infrastructure. In May, cybersecurity agencies from the Five Eyes intelligence alliance also published a notice warning that Volt Typhoon could run undetected in crucial networks for long stretches of time.

Jen Easterly, current head of the US Cybersecurity and Infrastructure Security Agency (CISA), remarked that the Volt Typhoon attack and others like it indicate a shift in China’s cyber tactics from espionage to aggression.

“We’re talking about decades of intellectual property theft and the greatest transfer of intellectual wealth in decades,” she said. However, the current focus is “less about espionage and more about disruption and destruction,” she told delegates at the Aspen Institute of Culture Summit in June.

The appearance of this kind of threat is why the pooling of threat intelligence has increased throughout 2023, argues Liska. “We see a lot more of this kind of information sharing from security companies and companies that have a security component,” he says. Liska argues that it is no longer acceptable to sequester new findings about groups like Flax Typhoon or Volt Typhoon behind paywalls. “You have to make this information publicly accessible because these kinds of attacks will hurt all of us in the end.”
