In late August 2023, Microsoft published its analysis of espionage activity tied to a newly named threat actor group, Flax Typhoon, which is believed to operate on behalf of the People’s Republic of China (PRC). The group mainly targets Taiwanese critical infrastructure, including the government, education, manufacturing, and information technology sectors.
With this information in hand, the SecurityScorecard Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team consulted SecurityScorecard’s Attack Surface Intelligence tool and a strategic partner’s network flow (NetFlow) data to develop further insight into the group’s activity. These insights revealed additional IP addresses the group may use, and indicated repeated communication between four Chinese IP addresses and an IP address the STRIKE Team previously linked to Flax Typhoon. These IP addresses suggest a link between Flax Typhoon and China’s Fudan University.
The following additional, possibly Flax Typhoon-linked IP addresses are attributed to Fudan University:
By piecing together publicly available information, our team found reporting that raises concerns about the university’s possible role in PRC intelligence and influence activity going back to at least 2011. For instance, a 2011 article in the Telegraph pointed to the establishment of new “spy schools” by the PRC at Chinese universities including Fudan. A later report also noted collaboration between Fudan University and Zhejiang University, another Chinese university with clearer ties to PRC-backed advanced persistent threats (APTs).
Stepping back, this research suggests links between institutions of higher learning and the Chinese government’s national security apparatus, in terms of funding, recruitment, and possibly infrastructure. Additionally, Flax Typhoon’s activities reflect broader trends in PRC cyber activity like those discussed in the U.S. Department of Defense’s recently published 2023 Cyber Strategy. The Strategy identifies the PRC as “a broad and pervasive cyber espionage threat” to the U.S. and its allies and partners, noting that “effective state control” over its cybersecurity industry and “a large technology industry and workforce” contribute to its capabilities.
Though Flax Typhoon is relatively new (or newly identified), its tactics, techniques, and procedures (TTPs) are not, as Chinese nation-state cyberattacks against Taiwanese targets are relatively common. Using Attack Surface Intelligence, SecurityScorecard’s threat researchers were able to identify additional infrastructure the group may use and subsequently share this information to help organizations better defend themselves against these and similar threats.
Moving forward, SecurityScorecard recommends that organizations in targeted sectors and geographies add the above IP addresses to blocklists and update those blocklists regularly. Because the addresses sit in a university’s network, defenders should weigh outright blocking against collateral impact on legitimate traffic and, at a minimum, alert on any flows to or from them and review the results. Attack Surface Intelligence and other tools like it can support these efforts by identifying new servers that present the same TLS certificates as known infrastructure.
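As an added example (not code from SecurityScorecard or the STRIKE Team), the script below shows the two checks the recommendation above calls for and the flow analysis described earlier in the post: matching flow records against an indicator list, counting repeated communication between address pairs, and pivoting from a known server’s certificate fingerprint to other servers that present the same certificate. The indicator networks, flow records, and fingerprints are all constructed for the example (the IPs come from RFC 5737 documentation ranges) and are not the Flax Typhoon indicators referred to on this page.

```python
"""Constructed example: flag flows to IoC addresses, find repeated pairs, and
pivot on TLS certificate fingerprints.  Every IP and fingerprint here is made
up for illustration; none is a real indicator."""
import csv
import io
import ipaddress
from collections import Counter

# Hypothetical indicator list, stored as networks so a single host and a
# range are handled the same way (assumption: your IoC feed can be expressed as CIDRs).
IOC_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "198.51.100.0/28")]

# Constructed certificate SHA-256 fingerprints (64 hex chars each).
FP_A = "aa11" * 16   # presented by the known IoC server
FP_B = "bb22" * 16   # an unrelated certificate

# Constructed flow records in a simplified NetFlow-like CSV layout:
# timestamp, source, destination, destination port, server cert fingerprint (blank for non-TLS).
SAMPLE_FLOWS = f"""\
ts,src,dst,dport,cert_sha256
2023-09-01T10:00:00Z,203.0.113.5,192.0.2.10,443,{FP_A}
2023-09-01T10:05:00Z,203.0.113.5,192.0.2.10,443,{FP_A}
2023-09-01T10:07:00Z,203.0.113.6,192.0.2.10,443,{FP_A}
2023-09-01T11:00:00Z,203.0.113.7,192.0.2.10,443,{FP_A}
2023-09-01T11:30:00Z,203.0.113.5,198.51.100.3,22,
2023-09-01T12:00:00Z,203.0.113.9,203.0.113.200,443,{FP_A}
2023-09-01T12:10:00Z,203.0.113.9,203.0.113.201,443,{FP_B}
2023-09-01T12:15:00Z,203.0.113.5,203.0.113.50,80,
"""


def parse_flows(text):
    """Parse the CSV flow export into a list of dicts; dport becomes an int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["dport"] = int(row["dport"])
    return rows


def is_ioc(ip):
    """True if the address falls inside any indicator network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IOC_NETWORKS)


def ioc_flows(flows):
    """Flows whose source or destination is an indicator address."""
    return [f for f in flows if is_ioc(f["src"]) or is_ioc(f["dst"])]


def repeated_pairs(flows, threshold=2):
    """(src, dst) pairs involving an indicator that appear at least `threshold` times.

    Repeated contact with the same indicator is a stronger signal than a
    single flow, which may be a scan or a one-off lookup."""
    counts = Counter((f["src"], f["dst"]) for f in ioc_flows(flows))
    return {pair: n for pair, n in counts.items() if n >= threshold}


def certificate_pivot(flows):
    """Servers outside the indicator list that present a certificate also seen
    on an indicator server.  This is the 'same certificate' pivot: shared
    certificates often mean shared operator, so these hosts deserve review."""
    ioc_fingerprints = {f["cert_sha256"] for f in flows if f["cert_sha256"] and is_ioc(f["dst"])}
    return sorted({f["dst"] for f in flows
                   if f["cert_sha256"] in ioc_fingerprints and not is_ioc(f["dst"])})


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("flows touching indicators:", len(ioc_flows(flows)))
    print("repeated pairs:", repeated_pairs(flows))
    print("servers sharing an indicator's certificate:", certificate_pivot(flows))
```

In the constructed data, the certificate pivot surfaces 203.0.113.200, which is not on the indicator list but presents the same certificate as the known server; that host would be a candidate for the blocklist after review, not an automatic addition. The `repeated_pairs` threshold is deliberately low here for the sample; on real NetFlow, tune it against your baseline so that a single stray connection does not page an analyst.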
The STRIKE Team works behind the scenes to analyze threats in real time from across the Internet. We will continue our research into Flax Typhoon’s activities, and into the activities linked to other threat actor groups as well.