Unmasking Volt Typhoon: Goals, Tactics, and Notorious Operations of a State-Aligned APT Group

In the escalating cyber conflict between global superpowers, Volt Typhoon has emerged as one of the most stealthy and strategically significant state-aligned APT actors. Believed to be linked to the People’s Republic of China, this group exemplifies a new class of cyber threat — one that blends deep technical capability with long-term geopolitical strategy.

Goals of Volt Typhoon

Volt Typhoon isn’t your typical smash-and-grab cybercrime operation. Instead, their actions point to a far more chilling agenda:

  1. Strategic Espionage:
    Their operations are focused on gathering intelligence across U.S. critical infrastructure sectors, including communications, transportation, maritime, and energy.
  2. Pre-positioning for Disruption:
    Their long-term persistence inside networks suggests preparation for potential sabotage in the event of future geopolitical conflict — particularly involving Taiwan.
  3. Operational Stealth:
    They deliberately avoid loud, flashy malware. Their main goal is to stay undetected for as long as possible, building access footholds that could be activated in a crisis.

Tactics and Strategies

Volt Typhoon’s tradecraft is defined by subtlety and sophistication:

  • Living off the Land (LotL):
    The group avoids custom malware and instead uses built-in network administration tools like:
    • PowerShell
    • WMI
    • netsh
    • ipconfig
    • whoami
  • Hands-on-Keyboard Intrusions:
    Once inside, Volt Typhoon often manually interacts with compromised systems, suggesting highly skilled operators.
  • Credential Access and Lateral Movement:
    They harvest credentials and use them to pivot within the environment — frequently targeting domain controllers and administrator accounts.
  • Command and Control (C2):
    Their communications often flow through compromised SOHO (small office/home office) network devices, like routers and firewalls, to obscure their origin.
  • Persistence and Evasion:
    The group has demonstrated advanced techniques for avoiding detection, including disabling security logging and clearing event logs.

Notable Incidents and Campaigns

1. U.S. Critical Infrastructure Infiltration (2021–2023)

  • In 2023, Microsoft and CISA jointly disclosed that Volt Typhoon had been operating in U.S. critical infrastructure networks — undetected — for up to two years.
  • Their targets included Guam, a strategic U.S. military hub in the Pacific.
  • No malware was found — instead, attackers used native OS tools and compromised edge devices for stealth.

2. Joint Cybersecurity Advisory (May 2023)

  • A rare joint alert was issued by NSA, CISA, FBI, and their international counterparts in the Five Eyes alliance.
  • It warned that Volt Typhoon was actively maintaining access in telecommunications, transportation, water, and energy sectors.

3. Router Exploitation for Stealth

  • The group routinely exploited outdated Fortinet and Cisco devices to maintain persistence and obscure traffic.
  • This allowed Volt Typhoon to use compromised routers as proxy nodes for their operations — hiding their real location and making takedown efforts more difficult.

Defensive Recommendations

To defend against Volt Typhoon, organizations should:

  • Harden Edge Devices:
    Patch SOHO routers, firewalls, and VPN appliances. Replace EoL equipment when possible.
  • Monitor for LotL Activity:
    Watch for unusual use of PowerShell, WMI, and other administrative tools — especially during off-hours.
  • Segment Critical Infrastructure:
    Limit lateral movement opportunities by using network segmentation and access controls.
  • Enable Comprehensive Logging:
    Ensure all critical systems and domain controllers are logging security events and cannot have logs tampered with easily.
  • Conduct Threat Hunting:
    Look for signs of persistent access, including odd scheduled tasks, new local accounts, or unfamiliar processes running under SYSTEM privileges.

Sources

  1. Microsoft Threat Intelligence – Volt Typhoon: State-Aligned Actor Gathers Intelligence on Critical Infrastructure
  2. CISA Joint Cybersecurity Advisory – People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection
  3. The Record – FBI cyber leader: US can’t forget about China’s ‘Typhoon’ groups amid Mideast conflict

Inside Flax Typhoon: Goals, Tactics, and Notorious Operations of a Stealthy APT Group


In the intricate world of cyber warfare, state-sponsored Advanced Persistent Threat (APT) groups play a long game — one defined by stealth, persistence, and geopolitical motives. Among these groups, Flax Typhoon has emerged as a notable actor due to its unusual low-profile strategies and targeting patterns.

Who Is Flax Typhoon?

Flax Typhoon is a Chinese APT group that primarily targets organizations in Taiwan, though its infrastructure and tactics have implications far beyond the island. This threat actor is believed to operate with espionage and persistent access as its primary objectives rather than quick-impact sabotage or financially motivated attacks.

Goals of Flax Typhoon

Cyber Espionage:
Their main objective appears to be long-term intelligence gathering against Taiwan-based critical sectors, including education, government, and manufacturing.

Persistence Over Destruction:
Unlike ransomware gangs or destructive threat actors, Flax Typhoon focuses on maintaining access to victim networks for extended periods — quietly monitoring activities, extracting sensitive data, and potentially preparing for future disruptive campaigns.

Strategic Positioning:
Their activity aligns with China’s broader geopolitical interests, particularly in maintaining leverage over Taiwan. Persistent access to key networks could be useful in both peacetime surveillance and potential wartime disruption scenarios.

Tactics and Strategies

Flax Typhoon demonstrates a strong preference for “living off the land” techniques, meaning they rely on tools and features already present in operating systems to blend in and evade detection. Key tactics include:

Exploitation of Known Vulnerabilities:
Initial access is often gained through public-facing servers, with known vulnerabilities in web services and applications being common entry points.

Use of Legitimate Tools:
After access, the group avoids deploying traditional malware. Instead, it uses:

  • PowerShell scripts
  • Remote Desktop Protocol (RDP)
  • Windows Management Instrumentation (WMI)
  • LOLBins (Living Off the Land Binaries) like cmd.exe, net.exe, sc.exe, and schtasks.exe

Credential Dumping and Lateral Movement:
Once inside, Flax Typhoon often extracts credentials and moves laterally through the network using native Windows tools, reducing their footprint and evading endpoint detection.

Persistence Mechanisms:
Scheduled tasks and legitimate VPN clients (like SoftEther VPN) are often used to maintain stealthy remote access.

Known Incidents and Campaigns

Although Flax Typhoon operates with a high degree of stealth, some of its campaigns have been uncovered:

  1. Taiwanese Targets (2021–2023)
    Microsoft reported that Flax Typhoon had been active in targeting critical infrastructure and education organizations in Taiwan since mid-2021.
    Victims included government agencies, IT service providers, and manufacturing companies.
    Notably, no malware was deployed, and in many cases, organizations did not detect the intrusion until external researchers notified them.
  2. SoftEther VPN Abuse
    The group was found using SoftEther VPN, a legitimate open-source VPN solution, to tunnel traffic and maintain access to compromised systems — often through modified configurations that masked their presence.
  3. Global Infrastructure Overlap
    Although focused on Taiwan, Flax Typhoon infrastructure overlaps with campaigns linked to other Chinese APT groups, raising concerns about shared tooling and coordination.

Defensive Measures

To defend against Flax Typhoon and groups like it, organizations should:

  • Regularly patch internet-facing systems.
  • Monitor for suspicious use of native tools (e.g., unusual PowerShell activity or new scheduled tasks).
  • Implement least-privilege access models and closely audit RDP usage.
  • Detect use of uncommon VPN clients or unauthorized tunneling software.
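The two defensive sections above (the Volt Typhoon recommendations on LotL monitoring, log tampering, odd scheduled tasks, new local accounts and SYSTEM processes, and the Flax Typhoon measures on native-tool use and unapproved VPN clients) describe hunting rules that are easy to express in code. The Python below is an added example, not code from either advisory; it runs those rules over a constructed set of Windows Security events. The event-ID meanings are the standard Windows ones, while the SoftEther binary names, the business-hours window and the JSON field names are assumptions.

```python
import json
import ntpath
from datetime import datetime

# Constructed sample events (JSON lines), not real telemetry. IDs are the standard
# Windows Security event IDs: 4688 process creation, 4698 scheduled task created,
# 4720 user account created, 1102 audit log cleared.
SAMPLE_EVENTS = r"""
{"time": "2023-05-24T14:02:11", "id": 4688, "user": "jdoe", "process": "C:\\Windows\\System32\\notepad.exe"}
{"time": "2023-05-24T02:17:45", "id": 4688, "user": "svc_backup", "process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"time": "2023-05-24T02:18:03", "id": 4688, "user": "svc_backup", "process": "C:\\Windows\\System32\\wbem\\WMIC.exe"}
{"time": "2023-05-24T02:19:30", "id": 4698, "user": "svc_backup", "task": "\\Updater"}
{"time": "2023-05-24T02:20:10", "id": 4720, "user": "svc_backup", "target": "support"}
{"time": "2023-05-24T02:25:00", "id": 1102, "user": "svc_backup"}
{"time": "2023-05-24T09:30:00", "id": 4688, "user": "SYSTEM", "process": "C:\\Users\\Public\\vpnclient.exe"}
"""

# Native tools named in the two write-ups; a starting point for hunting, not a verdict.
LOTL_TOOLS = {"powershell.exe", "wmic.exe", "netsh.exe", "ipconfig.exe", "whoami.exe",
              "net.exe", "sc.exe", "schtasks.exe"}
# Assumed SoftEther client binary names; replace with your approved-software inventory.
TUNNEL_TOOLS = {"vpnclient.exe", "vpncmd.exe"}
BUSINESS_HOURS = range(7, 20)  # assumed 07:00-19:59 local; anything else is off-hours

def check_event(ev):
    """Return (severity, finding) pairs for one parsed event."""
    findings = []
    hour = datetime.fromisoformat(ev["time"]).hour
    if ev["id"] == 4688:
        exe = ntpath.basename(ev["process"]).lower()
        if exe in LOTL_TOOLS and hour not in BUSINESS_HOURS:
            findings.append(("medium", f"off-hours LotL tool {exe} run by {ev['user']}"))
        if exe in TUNNEL_TOOLS:
            findings.append(("high", f"tunneling client {exe} launched by {ev['user']}"))
        if ev["user"] == "SYSTEM" and not ev["process"].lower().startswith("c:\\windows\\"):
            findings.append(("high", f"SYSTEM process outside Windows dir: {ev['process']}"))
    elif ev["id"] == 4698:
        findings.append(("medium", f"scheduled task {ev['task']} created by {ev['user']}"))
    elif ev["id"] == 4720:
        findings.append(("medium", f"local account {ev['target']} created by {ev['user']}"))
    elif ev["id"] == 1102:
        findings.append(("high", f"audit log cleared by {ev['user']}"))
    return findings

def hunt(jsonl):
    """Parse JSON-lines events; return (time, severity, finding) tuples in log order."""
    events = [json.loads(line) for line in jsonl.strip().splitlines()]
    return [(ev["time"], sev, msg) for ev in events for sev, msg in check_event(ev)]
```

Run against the sample, the single off-hours session produces a chain of medium findings capped by a high-severity log clear, which is the pattern worth alerting on rather than any one event in isolation.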

Sources

  1. Microsoft Threat Intelligence – Flax Typhoon: Espionage-focused threat actor targets organizations in Taiwan
  2. BleepingComputer – Flax Typhoon: Chinese hackers use SoftEther VPN to stay stealthy
  3. The Hacker News – Chinese Hackers Target Taiwan With ‘Living off the Land’ Tactics
  4. Recorded Future – APT Profile Overview (internal threat intelligence reports)

I Was a Guest on the Layer 8 Podcast

Here is a link to the podcast I did with Patrick Laverty for the Layer 8 Podcast. Patrick also runs the annual Layer 8 Conference, which is focused on OSINT and social engineering. It’s a great conference that won’t break the bank. After listening to the podcast, check out the conference.

https://anchor.fm/layer-8-podcast/episodes/Episode-85-Erich-Kron—Phishing-As-A-Service-e1jmi3a/a-a82vh3l