Inside 'Flax Typhoon': How Chinese APT Quietly Targets Taiwan with Low Malware Presence

Microsoft warns that Chinese spies are hacking into Taiwanese organizations with minimal use of malware and by abusing legitimate software.

The cyber espionage campaign known as Flax Typhoon infiltrates organizations by exploiting known vulnerabilities in publicly accessible servers. It then employs legitimate tools built into the Windows operating system and otherwise benign software to discreetly maintain a presence within these networks.

Microsoft issued a research note detailing the Flax Typhoon activities, cautioning that detecting and countering this attack could pose challenges due to its utilization of valid accounts and "living-off-the-land binaries" (LOLBins). The company advised closing or altering compromised accounts and isolating and investigating compromised systems.

Microsoft, headquartered in Redmond, Washington, highlighted the potential for the hacking techniques to be adopted in focused attacks. They urged defenders to actively search for indications of compromise, fully eliminate malicious tools and command-and-control (C2) infrastructure, and review logs for signs of malicious use of compromised accounts.
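The log review Microsoft recommends above comes down to asking a few concrete questions of successful-logon records: is a valid account connecting over RDP from somewhere it never should, at an hour nobody works, or reaching an unusual number of hosts in a short window? The script below is an added example, not Microsoft's own detection logic; the logon records are constructed, simplified to the fields the checks need, and the allow-listed source range, working hours and fan-out threshold are assumptions a site would replace with its own.

```python
"""Review successful-logon records for misuse of valid accounts.

Added example (not from Microsoft's advisory). Records are constructed
in the shape of Windows Security event 4624 (successful logon):
LogonType 10 = RemoteInteractive (RDP), LogonType 3 = Network
(WinRM, SMB and similar). "host" is the machine that recorded the event.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records, one per destination host.
SAMPLE_LOGONS = [
    {"time": "2023-08-14T09:12:00", "user": "alice",      "logon_type": 10, "src": "10.0.5.23",   "host": "srv-01"},
    {"time": "2023-08-14T02:47:00", "user": "svc-backup", "logon_type": 10, "src": "203.0.113.9", "host": "srv-01"},
    {"time": "2023-08-14T02:49:00", "user": "svc-backup", "logon_type": 3,  "src": "10.0.5.40",   "host": "srv-02"},
    {"time": "2023-08-14T02:50:00", "user": "svc-backup", "logon_type": 3,  "src": "10.0.5.40",   "host": "srv-03"},
    {"time": "2023-08-14T02:51:00", "user": "svc-backup", "logon_type": 3,  "src": "10.0.5.40",   "host": "srv-04"},
    {"time": "2023-08-14T10:05:00", "user": "bob",        "logon_type": 3,  "src": "10.0.5.23",   "host": "srv-02"},
]

# Assumed site policy: RDP only from the internal jump-host range,
# working hours 07:00-18:59, and no account should reach three or more
# distinct hosts over network logons inside ten minutes.
RDP_SOURCE_PREFIXES = ("10.0.5.",)
WORK_HOURS = range(7, 19)
FANOUT_THRESHOLD = 3
FANOUT_WINDOW_MIN = 10


def flag_rdp_from_outside(events):
    """RDP logons whose source address is not in the allowed range."""
    return [e for e in events
            if e["logon_type"] == 10 and not e["src"].startswith(RDP_SOURCE_PREFIXES)]


def flag_off_hours_rdp(events):
    """RDP logons that occur outside the defined working hours."""
    return [e for e in events
            if e["logon_type"] == 10
            and datetime.fromisoformat(e["time"]).hour not in WORK_HOURS]


def flag_network_fanout(events):
    """Accounts that reach FANOUT_THRESHOLD distinct hosts via network
    logons within FANOUT_WINDOW_MIN minutes (a lateral-movement signal)."""
    by_user = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3:
            by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["host"]))
    findings = []
    for user, logons in by_user.items():
        logons.sort()
        # Sliding window anchored at each logon; report the first window that trips.
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:]
                     if (t - t0).total_seconds() <= FANOUT_WINDOW_MIN * 60}
            if len(hosts) >= FANOUT_THRESHOLD:
                findings.append({"user": user, "start": t0.isoformat(), "hosts": sorted(hosts)})
                break
    return findings


def review(events):
    """Run all three checks and return compact findings for triage."""
    return {
        "rdp_from_outside": [(e["user"], e["src"]) for e in flag_rdp_from_outside(events)],
        "off_hours_rdp": [(e["user"], e["time"]) for e in flag_off_hours_rdp(events)],
        "network_fanout": flag_network_fanout(events),
    }


if __name__ == "__main__":
    for rule, hits in review(SAMPLE_LOGONS).items():
        print(rule, hits)
```

On the constructed records, only the service account trips the checks: one RDP logon from a public address at 02:47, followed by network logons to three servers within two minutes. In a real review, the input would be the 4624 events exported from the domain's security logs, and each hit is a lead to pull the account's full session history, not a verdict.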


Microsoft's threat hunting experts have successfully identified a Chinese state-affiliated APT group engaging in cyber intrusions within Taiwanese organizations. This actor employs a strategy of limited malware deployment, relying instead on the manipulation of legitimate software tools to maintain inconspicuous and persistent access.

According to Microsoft's warning, the observed behavior suggests that the threat actor's aim is long-term espionage and sustained access across a diverse range of industries. The hacking group, active since at least mid-2021, has targeted government agencies, education, critical manufacturing, and information technology organizations primarily in Taiwan, with additional victims in Southeast Asia, North America, and Africa.

Microsoft's threat intelligence team disclosed specifics about Flax Typhoon's strategy, including its use of command-line tools to establish persistent access via remote desktop protocol, implementation of a VPN connection to network infrastructure controlled by the attackers, and extraction of credentials from compromised systems.

Microsoft observed that when Flax Typhoon needs to move laterally to other systems within a compromised network, the group uses LOLBins such as Windows Remote Management (WinRM) and WMIC.

Microsoft also reported that once persistence is established, the hackers begin collecting credentials using commonplace tools and methods, including reading the memory of the Local Security Authority Subsystem Service (LSASS) process and extracting the Security Account Manager (SAM) registry hive.
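Because both the lateral movement (WinRM and WMIC) and the credential collection (LSASS memory, SAM hive) described above use binaries that ship with Windows, the detection opportunity is in endpoint telemetry rather than in a malware signature: a process-creation event for a remote-management binary aimed at another host, a process opening LSASS with read access, or `reg.exe` exporting the SAM hive. The script below is an added example, not Microsoft's own hunting logic; the events are constructed in the shape of Sysmon event 1 (process creation) and event 10 (process access), with simplified field names, and the allow-list of processes legitimately permitted to touch LSASS is an assumption that a real deployment would tune.

```python
"""Hunt Sysmon-style endpoint events for LOLBin lateral movement and
credential-access patterns. Added example, not Microsoft's own code;
events and field names are constructed and simplified.
"""
import re

# Constructed sample events. id 1 = process creation, id 10 = process access.
SAMPLE_EVENTS = [
    {"id": 1, "host": "ws-07", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic /node:srv-02 os get caption", "parent": "cmd.exe"},
    {"id": 1, "host": "ws-07", "image": r"C:\Windows\System32\winrs.exe",
     "cmdline": "winrs -r:srv-03 hostname", "parent": "cmd.exe"},
    {"id": 1, "host": "ws-07", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get caption", "parent": "cmd.exe"},  # local query, benign
    {"id": 1, "host": "srv-02", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SAM C:\Users\Public\sam.hiv", "parent": "cmd.exe"},
    {"id": 10, "host": "srv-02", "source_image": r"C:\Users\Public\x.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"id": 10, "host": "srv-02", "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1fffff"},
]

# Assumed allow-list of system processes that legitimately open LSASS.
LSASS_ACCESS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
PROCESS_VM_READ = 0x0010  # access-mask bit needed to read another process's memory


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_create(ev):
    """Return a rule name if a process-creation event matches a LOLBin pattern."""
    image = basename(ev["image"])
    cmd = ev.get("cmdline", "")
    if image == "wmic.exe" and re.search(r"/node:", cmd, re.I):
        return "wmic_remote_exec"          # WMIC aimed at another host
    if image == "winrs.exe" and re.search(r"(^|\s)-r:", cmd, re.I):
        return "winrs_remote_exec"         # WinRM remote shell to another host
    if image == "reg.exe" and re.search(r"\bsave\b\s+HKLM\\SAM\b", cmd, re.I):
        return "sam_hive_export"           # SAM hive written to disk
    return None


def check_process_access(ev):
    """Return a rule name if a process-access event is a non-allow-listed
    process opening LSASS with memory-read rights."""
    if basename(ev["target_image"]) != "lsass.exe":
        return None
    if basename(ev["source_image"]) in LSASS_ACCESS_ALLOWLIST:
        return None
    if int(ev["granted_access"], 16) & PROCESS_VM_READ:
        return "lsass_memory_read"
    return None


def hunt(events):
    """Apply both checks and return findings in event order."""
    findings = []
    for ev in events:
        rule = None
        if ev["id"] == 1:
            rule = check_process_create(ev)
        elif ev["id"] == 10:
            rule = check_process_access(ev)
        if rule:
            detail = ev.get("cmdline") or ev.get("source_image")
            findings.append({"host": ev["host"], "rule": rule, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']:8} {f['rule']:20} {f['detail']}")
```

The local `wmic os get caption` and the `csrss.exe` access to LSASS are deliberately left in the sample as the benign noise these rules must tolerate; the remaining four events each produce one finding. Because the binaries involved are legitimate, each hit has to be judged against who ran it and from where, which is why this kind of rule pairs naturally with the account-level review of logon events rather than replacing it.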

