Inside Flax Typhoon: Goals, Tactics, and Notorious Operations of a Stealthy APT Group


In the intricate world of cyber warfare, state-sponsored Advanced Persistent Threat (APT) groups play a long game — one defined by stealth, persistence, and geopolitical motives. Among these groups, Flax Typhoon has emerged as a notable actor due to its unusual low-profile strategies and targeting patterns.

Who Is Flax Typhoon?

Flax Typhoon is a Chinese APT group that primarily targets organizations in Taiwan, though its infrastructure and tactics have implications far beyond the island. This threat actor is believed to operate with espionage and persistent access as its primary objectives rather than quick-impact sabotage or financially motivated attacks.

Goals of Flax Typhoon

Cyber Espionage:
Their main objective appears to be long-term intelligence gathering against Taiwan-based critical sectors, including education, government, and manufacturing.

Persistence Over Destruction:
Unlike ransomware gangs or destructive threat actors, Flax Typhoon focuses on maintaining access to victim networks for extended periods — quietly monitoring activities, extracting sensitive data, and potentially preparing for future disruptive campaigns.

Strategic Positioning:
Their activity aligns with China’s broader geopolitical interests, particularly in maintaining leverage over Taiwan. Persistent access to key networks could be useful in both peacetime surveillance and potential wartime disruption scenarios.

Tactics and Strategies

Flax Typhoon shows a strong preference for “living off the land” techniques: the group relies on tools and features already present in the operating system, so its activity blends in with normal administrative work and is hard to separate from it in endpoint telemetry. Key tactics include:

Exploitation of Known Vulnerabilities:
Initial access is often gained through public-facing servers, with known vulnerabilities in web services and applications being common entry points.

Use of Legitimate Tools:
After access, the group avoids deploying traditional malware. Instead, it uses:

  • PowerShell scripts
  • Remote Desktop Protocol (RDP)
  • Windows Management Instrumentation (WMI)
  • LOLbins (Living Off the Land Binaries) like cmd.exe, net.exe, sc.exe, and schtasks.exe

Credential Dumping and Lateral Movement:
Once inside, Flax Typhoon often extracts credentials and moves laterally through the network using native Windows tools, reducing its footprint and evading endpoint detection.

Persistence Mechanisms:
Scheduled tasks and legitimate VPN clients (like SoftEther VPN) are often used to maintain stealthy remote access.

Known Incidents and Campaigns

Although Flax Typhoon operates with a high degree of stealth, some of its campaigns have been uncovered:

  1. Taiwanese Targets (2021–2023)
    Microsoft reported that Flax Typhoon had been active in targeting critical infrastructure and education organizations in Taiwan since mid-2021.
    Victims included government agencies, IT service providers, and manufacturing companies.
    Notably, no malware was deployed, and in many cases, organizations did not detect the intrusion until external researchers notified them.
  2. SoftEther VPN Abuse
    The group was found using SoftEther VPN, a legitimate open-source VPN solution, to tunnel traffic and maintain access to compromised systems — often through modified configurations that masked their presence.
  3. Global Infrastructure Overlap
    Although focused on Taiwan, Flax Typhoon infrastructure overlaps with campaigns linked to other Chinese APT groups, raising concerns about shared tooling and coordination.

Defensive Measures

To defend against Flax Typhoon and groups like it, organizations should:

  • Regularly patch internet-facing systems.
  • Monitor for suspicious use of native tools (e.g., unusual PowerShell activity or new scheduled tasks).
  • Implement least-privilege access models and closely audit RDP usage.
  • Detect use of uncommon VPN clients or unauthorized tunneling software.
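To make the monitoring bullets concrete, here is an added example (not from the post or any of its sources) in Python that runs the checks over a few constructed Windows Security events: it flags a LOLbin registering a scheduled task or service, task actions that point outside trusted directories, and any SoftEther executable starting. The SoftEther binary names, the trusted-directory list and the simplified 4688/4698 field shapes are assumptions made for the example.

```python
import re

# LOLbin names come from the post. SoftEther executable names are the ones the
# SoftEther project ships (an assumption about the install, not from the post).
LOLBINS = {"cmd.exe", "net.exe", "sc.exe", "schtasks.exe", "powershell.exe"}
SOFTETHER = {"vpnclient.exe", "vpnserver.exe", "vpnbridge.exe", "vpncmd.exe"}
PERSIST_RE = re.compile(r"\b(schtasks(\.exe)?\s+/create|sc(\.exe)?\s+create)\b", re.I)
PATH_RE = re.compile(r'[a-z]:\\[^\s"<>]+', re.I)  # drive-letter paths in free text
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample events, simplified from Windows Security log fields
# (4688 = process creation, 4698 = scheduled task created). Not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Host": "ws01", "NewProcessName": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks /create /sc onlogon /tn Updater /tr "C:\\ProgramData\\vpnclient.exe"'},
    {"EventID": 4698, "Host": "srv02", "TaskName": "\\Updater",
     "TaskContent": "<Exec><Command>C:\\ProgramData\\vpnbridge.exe</Command></Exec>"},
    {"EventID": 4698, "Host": "srv02", "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": "<Exec><Command>%windir%\\system32\\defrag.exe</Command></Exec>"},  # benign
    {"EventID": 4688, "Host": "srv02", "CommandLine": "vpncmd.exe",
     "NewProcessName": "C:\\Program Files\\SoftEther VPN Client\\vpncmd.exe"},
    {"EventID": 4688, "Host": "srv03", "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'cmd.exe /c sc create Svc binPath= "C:\\Windows\\System32\\svchost.exe -k netsvcs"'},
]

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def untrusted_path(text: str) -> bool:
    # True if any path mentioned in the text lies outside the trusted directories.
    return any(not m.group(0).lower().startswith(TRUSTED_DIRS) for m in PATH_RE.finditer(text))

def analyze(events) -> list:
    # One finding per event that matches a living-off-the-land persistence pattern.
    findings = []
    for ev in events:
        host, eid = ev.get("Host", "?"), ev.get("EventID")
        if eid == 4688:
            image, cmd = basename(ev.get("NewProcessName", "")), ev.get("CommandLine", "")
            if image in SOFTETHER:  # an uncommon VPN client running at all is worth a look
                findings.append({"host": host, "rule": "softether-binary", "detail": image})
            elif image in LOLBINS and PERSIST_RE.search(cmd):  # LOLbin registering a task/service
                rule = "lolbin-persistence" + ("-untrusted-path" if untrusted_path(cmd) else "")
                findings.append({"host": host, "rule": rule, "detail": cmd})
        elif eid == 4698:  # new scheduled task: inspect what its action runs
            content = ev.get("TaskContent", "")
            if {basename(m.group(0)) for m in PATH_RE.finditer(content)} & SOFTETHER or untrusted_path(content):
                findings.append({"host": host, "rule": "scheduled-task-suspicious-action", "detail": ev.get("TaskName", "")})
    return findings
```

Run `analyze(SAMPLE_EVENTS)` to see four findings; the defrag task is left alone because its action resolves to a Windows directory through an environment variable rather than an explicit untrusted path.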

Sources

Microsoft Threat Intelligence – Flax Typhoon: Espionage-focused threat actor targets organizations in Taiwan

BleepingComputer – Flax Typhoon: Chinese hackers use SoftEther VPN to stay stealthy

The Hacker News – Chinese Hackers Target Taiwan With ‘Living off the Land’ Tactics

Recorded Future – APT Profile Overview (internal threat intelligence reports)
