A China-backed advanced persistent threat (APT) group dubbed Flax Typhoon has installed a web of persistent, long-term infections inside dozens of Taiwanese organizations, likely to carry out an extensive cyber espionage campaign — and it did it using only minimal amounts of malware.
According to Microsoft, the state-sponsored cyberattack group is living off the land for the most part, using legitimate tools and utilities built into the Windows operating system to carry out an extremely stealthy and persistent operation.
For now, most of the victims of Flax Typhoon are clustered in Taiwan, according to a warning on Flax Typhoon from Microsoft this week. The computing giant isn’t divulging the scope of the attacks, but noted that enterprises beyond Taiwan should be on notice.
The campaign is “using techniques that could be easily reused in other operations outside the region,” it warned. And indeed, in the past, the nation-state threat has targeted a broad range of industries (including government agencies and education, critical manufacturing, and information technology) throughout Southeast Asia, as well as in North America and Africa.
The full scope of the infections’ damage will be difficult to assess, given that “detecting and mitigating this attack could be challenging,” Microsoft warned. “Compromised accounts must be closed or changed. Compromised systems must be isolated and investigated.”
Living Off the Land & Commodity Malware
In contrast to many other APTs that excel at creating and evolving specific arsenals of custom cyberattack tools, Flax Typhoon prefers to take a less identifying route by using off-the-shelf malware and native Windows utilities (aka living-off-the-land binaries, or LOLBins) that are harder to use for attribution.
Its infection routine in the latest spate of attacks observed by Microsoft is as follows:
Interestingly, the APT appears to be biding its time when it comes to executing an endgame, though data exfiltration is the likely goal (rather than the potential kinetic outcomes Microsoft recently flagged for China-sponsored Volt Typhoon activity).
“This pattern of activity is unusual in that minimal activity occurs after the actor establishes persistence,” according to Microsoft’s analysis. “Flax Typhoon’s discovery and credential-access activities do not appear to enable further data-collection and exfiltration objectives. While the actor’s observed behavior suggests Flax Typhoon intends to perform espionage and maintain their network footholds, Microsoft has not observed Flax Typhoon act on final objectives in this campaign.”
Protecting Against Compromise
In its post, Microsoft offered a series of steps to take if organizations are compromised and need to assess the scale of Flax Typhoon activity within their networks and remediate an infection. To avoid the situation entirely, organizations should make sure that all public-facing servers are patched and up-to-date, and have additional monitoring and security such as user input validation, file integrity monitoring, behavioral monitoring, and Web application firewalls.
Admins can also monitor the Windows registry for unauthorized changes; monitor for any RDP traffic that could be considered unauthorized; and harden account security with multifactor authentication and other precautions.
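The two monitoring recommendations above (unauthorized registry changes and unexpected RDP traffic) can be turned into simple triage rules over Windows Security events. The following is an added example, not code from Microsoft's advisory or the article; the allowlisted jump-host range, maintenance window and sample events are constructed, while event ID 4624 with LogonType 10 (RDP logon) and event ID 4657 (registry value modified) are real Windows Security event IDs.

```python
"""Triage constructed Windows Security events against two rules:
RDP logons from non-allowlisted sources, and registry value
modifications outside an approved maintenance window."""
from ipaddress import ip_address, ip_network

# Constructed policy: only these networks may open RDP sessions, and
# registry changes are expected only during this UTC window.
ALLOWED_RDP_SOURCES = [ip_network("10.10.5.0/24")]
CHANGE_WINDOW_HOURS = range(2, 4)   # 02:00-03:59 UTC

# Constructed sample events, flattened from the EventData fields.
# Event 4657 requires a SACL on the key and object-access auditing enabled.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "IpAddress": "10.10.5.12", "TargetUserName": "svc-backup", "Hour": 3},
    {"EventID": 4624, "LogonType": 10, "IpAddress": "192.0.2.44", "TargetUserName": "administrator", "Hour": 23},
    {"EventID": 4624, "LogonType": 3, "IpAddress": "192.0.2.44", "TargetUserName": "administrator", "Hour": 23},
    {"EventID": 4657, "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Contoso\Agent", "SubjectUserName": "SYSTEM", "Hour": 2},
    {"EventID": 4657, "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\TermService", "SubjectUserName": "administrator", "Hour": 23},
]

def rdp_from_unexpected_source(event):
    """True for an RDP logon (4624, LogonType 10) from outside the allowlist."""
    if event.get("EventID") != 4624 or event.get("LogonType") != 10:
        return False
    src = ip_address(event["IpAddress"])
    return not any(src in net for net in ALLOWED_RDP_SOURCES)

def registry_change_outside_window(event):
    """True for a registry value modification (4657) outside the change window."""
    if event.get("EventID") != 4657:
        return False
    return event["Hour"] not in CHANGE_WINDOW_HOURS

def triage(events):
    """Return (rule_name, event) pairs for every event that trips a rule."""
    findings = []
    for ev in events:
        if rdp_from_unexpected_source(ev):
            findings.append(("rdp_unexpected_source", ev))
        if registry_change_outside_window(ev):
            findings.append(("registry_change_outside_window", ev))
    return findings

if __name__ == "__main__":
    for rule, ev in triage(SAMPLE_EVENTS):
        print(rule, ev)
```

In production the same rules would read from the event log or a SIEM rather than an inline list, and the allowlist and window would come from change-management data.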