Evidence of a cyber-espionage campaign by Chinese government-linked cybercrime gang Flax Typhoon has been uncovered in dozens of organisations in Taiwan, Microsoft Threat Intelligence has warned. The operation has been active since mid-2021.
Microsoft warned that companies should take heed of the techniques used by Flax Typhoon, because the group's indicators of compromise look so much like ordinary system activity that they are easily overlooked. Researchers have additionally noted that the Flax Typhoon attacks show a bid for plausible deniability on the part of state-backed cybergangs connected to the Chinese government, alongside a shift in emphasis from basic cyber espionage towards more complex “information-ops”.
The mainland People’s Republic of China considers Taiwan to be a renegade province and has previously mounted cyber-espionage and DDoS campaigns against the island nation. The goal of Flax Typhoon’s campaign appears not only to garner access to sensitive data but also to “maintain access to organisations across a broad range of industries for as long as possible,” according to Microsoft.
Industries targeted by Flax Typhoon include manufacturing, education, information technology organisations and government agencies in Taiwan. Microsoft also notes that companies have been targeted in North America, Southeast Asia and Africa.
“Flax Typhoon gains and maintains long-term access to Taiwanese organizations’ networks with minimal use of malware, relying on tools built into the operating system, along with some normally benign software to quietly remain in these networks,” the post reads. “Microsoft has not observed Flax Typhoon using this access to conduct additional actions.”
The company explained that it is choosing to highlight this activity now because of its concern about the potential for further impact on its customers. “Although our visibility into these threats has given us the ability to deploy detections to our customers, the lack of visibility into other parts of the actor’s activity compelled us to drive broader community awareness to further investigations and protections across the security ecosystem,” the blog says.
Attacks such as these indicate a move away from the Chinese cyber-espionage of yesteryear, explains Allan Liska, Computer Emergency Response Team lead at security company Recorded Future. “What we’re seeing is an expansion of Chinese information-ops, because you still have the traditional espionage, but you are also seeing that more aggressive side,” he told Tech Monitor.
This is coupled with a bid for plausible deniability within Flax Typhoon’s techniques, he continues. “As you can see from the report, they’re using a lot of off-the-shelf tools that are readily available, that any cybercriminal would use, which gives [the PRC] the ability to somewhat distance themselves from these attacks,” says Liska.
Other “information-ops campaigns”
News of this campaign comes on the heels of another Chinese cybercrime group called Volt Typhoon, which caused international alarm when its malware was detected in different elements of US military infrastructure. In May, cybersecurity agencies from the Five Eyes intelligence alliance also published a notice warning that Volt Typhoon could run undetected in crucial networks for long stretches of time.
Jen Easterly, current head of the US Cybersecurity and Infrastructure Security Agency (CISA), remarked that the Volt Typhoon attack and others like it indicate a shift in China’s cyber tactics from espionage to aggression.
“We’re talking about decades of intellectual property theft and the greatest transfer of intellectual wealth in decades,” she said. However, the current focus is “less about espionage and more about disruption and destruction,” she told delegates at the Aspen Institute of Culture Summit in June.
The appearance of this kind of threat is why the pooling of threat intelligence has increased throughout 2023, argues Liska. “We see a lot more of this kind of information sharing from security companies and companies that have a security component,” he says. Liska argues that it is no longer acceptable to sequester new findings about groups like Flax Typhoon or Volt Typhoon behind paywalls. “You have to make this information publicly accessible because these kinds of attacks will hurt all of us in the end.”