Image: Nahel Abdul Hadi (unsplash)
An activity group with ties to China has been implicated in cyber incidents targeting multiple organizations in Taiwan in what is believed to be an espionage operation.
The Microsoft Threat Intelligence team tracks this group as Flax Typhoon; it is also known under the name Ethereal Panda.
Flax Typhoon establishes and preserves prolonged access to Taiwanese entities’ networks, employing minimal malware. Instead, they predominantly use native OS tools and some typically harmless software to discreetly persist within these networks, according to Microsoft.
Microsoft noted that it had not observed this group using its access to collect and exfiltrate data. Many of its targets are government agencies, educational institutions, critical manufacturing organizations, and IT companies in Taiwan.
Furthermore, a few victims have been identified in regions such as Southeast Asia, North America, and Africa. This group’s activities are believed to date back to around mid-2021.
Regarding Ethereal Panda, CrowdStrike has indicated that this group’s operations are chiefly aimed at academic, technological, and telecommunication entities in Taiwan. The modus operandi of Ethereal Panda heavily involves the use of SoftEther VPN executables to sustain access to compromised networks. Moreover, there have been instances where the GodZilla web shell was utilized.
This actor’s main focus is on persistence, lateral movement, and credential access. It relies on living-off-the-land (LotL) techniques combined with hands-on-keyboard activity to achieve its objectives.
Such behaviors are consistent with those of threat actors who regularly modify their techniques to remain undetected, leveraging readily available tools in their targets’ environments, which negates the need to download or create custom elements.
The group gains its initial foothold by exploiting known vulnerabilities in public-facing servers. It then deploys web shells such as China Chopper, establishes persistent access via the Remote Desktop Protocol (RDP), sets up a VPN bridge to an actor-controlled server, and harvests credentials with tools such as Mimikatz.
A notable element of these attacks is modifying the Sticky Keys accessibility feature so that it launches Task Manager, which gives Flax Typhoon a way to carry out post-exploitation activity on the compromised systems.
When Flax Typhoon needs to move laterally to other systems within the compromised network, Microsoft says the actor uses tools such as Windows Remote Management (WinRM) and WMIC.
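The two behaviours just described, the Sticky Keys modification and the WinRM/WMIC lateral movement, both leave traces that an endpoint sensor records. The script below is an added detection example, not code from the article or from Microsoft; it runs two simple rules over constructed Sysmon-style event records. It assumes the Sticky Keys change is made through the Windows Image File Execution Options (IFEO) "Debugger" registry value, the standard mechanism for redirecting an accessibility binary, which the article itself does not spell out; the event field names (`EventID`, `TargetObject`, `Details`, `Image`, `CommandLine`) follow Sysmon's registry-set (13) and process-create (1) events, and the sample events and hostname are made up.

```python
import re

# Accessibility binaries that Windows launches from the logon screen. An IFEO
# "Debugger" value on any of them redirects that launch to another program
# (Task Manager, in the activity the article describes).
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}
# Lower-cased registry prefix under which per-image IFEO subkeys live.
IFEO_PREFIX = (
    "hklm\\software\\microsoft\\windows nt\\currentversion\\"
    "image file execution options\\"
)
# Remote-management tools named in the article for lateral movement; winrs.exe is
# the WinRM command-line client.
LATERAL_TOOLS = {"wmic.exe", "winrs.exe"}


def check_ifeo_debugger(event):
    """Flag a registry-set event that installs a Debugger on an accessibility binary."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "").lower()
    if not target.startswith(IFEO_PREFIX) or not target.endswith("\\debugger"):
        return None
    binary = target[len(IFEO_PREFIX):].split("\\")[0]
    if binary in ACCESSIBILITY_BINARIES:
        return f"IFEO debugger set on {binary}: {event.get('Details')}"
    return None


def check_remote_exec(event):
    """Flag wmic.exe / winrs.exe process creation that targets another host."""
    if event.get("EventID") != 1:
        return None
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    if image not in LATERAL_TOOLS:
        return None
    cmd = event.get("CommandLine", "")
    # wmic addresses a remote machine with /node:, winrs with -r:
    if re.search(r"/node:|-r:", cmd, re.IGNORECASE):
        return f"{image} run against a remote host: {cmd}"
    return None


RULES = (check_ifeo_debugger, check_remote_exec)


def scan(events):
    """Return the list of alert strings produced by all rules over all events."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample events (not real telemetry); hostnames and paths are made up.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
                     "Image File Execution Options\\sethc.exe\\Debugger",
     "Details": "C:\\Windows\\System32\\taskmgr.exe"},
    {"EventID": 13,  # a Debugger on a non-accessibility binary: not flagged
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
                     "Image File Execution Options\\notepad.exe\\Debugger",
     "Details": "C:\\Tools\\dbg.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic /node:FILESRV01 os get Caption"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic os get Caption"},  # local query: not flagged
    {"EventID": 1, "Image": "C:\\Windows\\System32\\winrs.exe",
     "CommandLine": "winrs -r:FILESRV01 hostname"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Both rules are deliberately narrow: a Debugger value on an accessibility binary has essentially no legitimate use on a workstation or server, so it can be alerted on outright, whereas remote WMIC and WinRM use is routine for administrators and is better treated as a hunting lead to be correlated with the source account, the source host, and whether the target was reached over RDP shortly before.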
Recent developments follow a disclosure by Microsoft about another China-associated entity dubbed Volt Typhoon, which was found to solely use LotL methods to stealthily exfiltrate data.
Although overlaps in techniques and infrastructure among groups connected to China are not uncommon, these revelations underscore a dynamic and shifting threat environment. The adversaries are evidently refining their expertise, becoming increasingly judicious in their subsequent actions.