In a concerning development, a Chinese-originated nation-state activity group known as Flax Typhoon has been identified in a series of cyber attacks targeting multiple organizations in Taiwan. Microsoft Threat Intelligence, closely monitoring the situation, has linked these activities to Flax Typhoon, also recognized as Ethereal Panda.
The group’s approach stands out for its minimal use of malware, relying instead on operating system tools and seemingly benign software to infiltrate Taiwanese organizations’ networks and maintain access covertly. While the group has not yet been observed utilizing its access for data collection or exfiltration, the majority of its targets encompass governmental bodies, educational institutions, critical manufacturing, and IT organizations in Taiwan.
Ethereal Panda, as described by CrowdStrike, concentrates its efforts on academic, technology, and telecommunications sectors in Taiwan. The group’s tactics emphasize persistence, lateral movement, and the acquisition of credentials, employing living-off-the-land techniques alongside hands-on keyboard activity to achieve its objectives.
Employing a strategy aligned with evolving threat actor practices, Flax Typhoon strategically exploits known vulnerabilities in public-facing servers to initiate its attacks. This includes deploying web shells such as China Chopper, followed by establishing lasting access through techniques like Remote Desktop Protocol (RDP) and deploying VPN bridges to remote servers, all the while harvesting credentials using tools like Mimikatz.
Of note is the modification of Sticky Keys behavior, enabling Flax Typhoon to execute post-exploitation actions on compromised systems. Moreover, the group leverages LOLBins, such as Windows Remote Management (WinRM) and WMIC, for lateral movement within compromised networks. CrowdStrike’s insight also indicates the group’s exploitation of an Apache Tomcat instance, using it to breach an undisclosed organization and subsequently dump credentials using ProcDump and Mimikatz.
These developments follow Microsoft’s previous exposure of another China-linked actor, Volt Typhoon, which relied exclusively on living-off-the-land techniques to exfiltrate data. These findings illuminate the dynamic nature of the cyber threat landscape, showcasing adversaries’ adaptability and underscoring the importance of proactive cybersecurity measures in a constantly evolving environment.
