A group of state-sponsored Chinese hackers carried out attacks against dozens of organizations in Taiwan as part of a sophisticated cyber-espionage operation, according to a report by computer software giant Microsoft.
The group, using the code name “Flax Typhoon,” succeeded in maintaining long-term access inside computer networks in Taiwan with minimal use of malicious software, relying instead on built-in features of the operating systems themselves.
“Microsoft attributes this campaign to Flax Typhoon…, a nation-state actor based out of China,” the online report by Microsoft Threat Intelligence released late last week said. The hackers’ behavior “suggests that the threat actor intends to perform espionage and maintain access to organizations across a broad range of industries for as long as possible.”
China’s Ministry of State Security is the main civilian agency engaged in cyber espionage. The PLA’s Strategic Support Force also does cyber spying.
Taiwan’s National Security Bureau, the main intelligence service, has said the Chinese military a decade ago shifted its focus from cyberattacks on government institutions to civilian targets, including think tanks, telecommunications service providers, internet providers and traffic signal control systems.
Reports of the latest Chinese cyber operations against Taiwan follow accounts of Beijing hackers penetrating U.S. military and civilian networks, including the State Department. Chinese hackers also gained long-term access to Japanese defense computer networks, according to reports from Asia.
The Taiwan computer intrusions involved techniques that could be easily used in other operations globally, the report said. The hackers used elements of Microsoft’s Windows operating system to gain access; once inside a network, they relied on Windows software to maintain remote access.
“Once Flax Typhoon becomes established on the target system, Microsoft observes the actor conducting credential access activities using common tools and techniques,” the report said, noting that the group has not been observed using that access to steal information.
The techniques used by the group involved what the report called “living-off-the-land” methods: the intruders relied on legitimate software and functions already present on the compromised network to do their work, surviving inside the system on what is available.
As a result, detecting and countering the attack is expected to be difficult, the report said, adding that compromised accounts must be closed or altered and compromised systems isolated.
Flax Typhoon has been active since mid-2021 and has been spotted conducting cyberattacks on government agencies, universities, critical manufacturing and information technology organizations in Taiwan. The specific identities of the compromised networks were not disclosed.
Chinese cyber and information operations target Taiwan to influence the Taipei government or to prepare for future military operations. Chinese President Xi Jinping has told the People’s Liberation Army to be ready, if needed, for operations against Taiwan by 2027.
Adm. John Aquilino, commander of the Indo-Pacific Command, told Congress in April that Chinese cyber capabilities deliver “gray zone coercion” and will be used to achieve “decisive military advantage.”
“PLA cyber efforts remain focused on developing capabilities to enable warfare activities targeting U.S. and partner critical civilian electric, energy and water infrastructure to generate chaos and disrupt military operations,” Adm. Aquilino said. “The PLA also actively pursues espionage operations and intellectual property theft through targeted cyber operations.”
In the first quarter of 2023, Taiwan experienced more than 3,000 cyberattacks per week, the highest of any nation, according to a report by the cybersecurity firm Check Point Research. Recent Chinese hacking activity also was detected inside infrastructure networks on Guam, a major U.S. military hub in the Pacific.
Microsoft identified the hacking group behind the Guam intrusions as “Volt Typhoon.”
“Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises,” the company said in May.