SecurityScorecard Identifies Possible Flax Typhoon Infrastructure
Executive Summary
- On August 24, Microsoft published its analysis of espionage activity it attributes to a new threat actor group tracked as Flax Typhoon, which it assesses to act on behalf of the People’s Republic of China.
- Thus far, analysts have mainly observed Flax Typhoon activity in Taiwan.
- It has also appeared in Southeast Asia, North America, and Africa.
- It mainly targets government, education, critical manufacturing, and information technology organizations.
- The SecurityScorecard Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team consulted SecurityScorecard’s Attack Surface Intelligence tool and a strategic partner’s network flow (NetFlow) data to develop further insight into the group’s activity.
- Attack Surface Intelligence has identified a population of servers the group appears to use in addition to those Microsoft identified in its report.
- SecurityScorecard recommends that organizations in target sectors and geographies add the IP addresses corresponding to these servers to blocklists.
Background
Microsoft released a report on espionage activity it attributes to a new threat actor group it tracks as Flax Typhoon, which analysts assess acts on behalf of the People’s Republic of China, on August 24. The report notes that the group overlaps with the advanced persistent threat (APT) tracked as ETHEREAL PANDA, has operated since 2021, and mainly targets Taiwanese organizations in the government, education, manufacturing, and information technology sectors, though it has occasionally also targeted organizations in Southeast Asia, North America, and Africa.
While Microsoft’s report specifically highlights overlaps between Flax Typhoon and ETHEREAL PANDA, the tactics, techniques, and procedures (TTPs) outlined in the report suggest similarities between the activities of Flax Typhoon and other China-linked APTs as well, including the Volt Typhoon and Storm-0558 groups that Microsoft identified earlier in Summer 2023.
Like many Chinese APT groups, analysts have observed Flax Typhoon using the “China Chopper” web shell. Both Volt Typhoon and Flax Typhoon have often relied heavily on living-off-the-land and hands-on-keyboard techniques rather than malware that offers more automation, exploited vulnerabilities in public-facing applications for initial access to target networks, and routed their traffic through compromised small office and home office (SOHO) devices. However, while analysts have observed Flax Typhoon exploiting known vulnerabilities, when Microsoft first announced the discovery of Volt Typhoon, they noted that the group had exploited what was at the time a still-unidentified vulnerability in Fortinet products. Moreover, while Volt Typhoon has mainly targeted critical infrastructure in the US and its territories, most Flax Typhoon activity has thus far focused on Taiwan.
Similarly, while both Flax Typhoon and Storm-0558 have used SoftEther VPN software for communication with victim devices, Storm-0558’s activities have targeted a wider variety of organizations than Flax Typhoon’s. SoftEther has additionally figured largely in the indicators of compromise (IoCs) Microsoft shared in its reports regarding both groups, and, as a result, has proven central to the STRIKE Team’s additional research into Flax Typhoon’s infrastructure.
In addition to other IoCs, Microsoft provided the SHA-1 fingerprints of the TLS certificates corresponding to some Flax Typhoon infrastructure. According to this previous analysis, Flax Typhoon hosted its own SoftEther VPN servers. Their use of the HTTPS protocol for encryption required these servers to display TLS certificates, which included the aforementioned SHA-1 fingerprints, unique cryptographic identifiers corresponding to the specific VPN services to which the certificate refers. The appearance of a certificate with the same fingerprint at a different IP address would therefore indicate the use of the same specific VPN service at that address, which would in turn indicate Flax Typhoon’s use of that IP address, given that the certificates correspond specifically to Flax Typhoon’s SoftEther servers.
Findings
SecurityScorecard’s Attack Surface Intelligence tool has identified a population of servers the group appears to use in addition to those Microsoft identified in its report. Microsoft’s report notes that Flax Typhoon has used its own network infrastructure to host its VPN servers and identifies the TLS certificates in use at these servers. Searching the certificates’ SHA-1 fingerprints in Attack Surface Intelligence revealed that the certificates appear at other IP addresses in addition to those Microsoft listed as IoCs.
The IP addresses below likely represent additional Flax Typhoon network infrastructure, given the use of the same TLS certificates as other Flax Typhoon-linked servers:
7992c0a816246b287d991c4ecf68f2d32e4bca18
- 92.253.235[.]9
- 45.204.1[.]203
- 45.195.149[.]164
- 182.61.132[.]155
- 103.51.145[.]76
5437d0195c31bf7cedc9d90b8cb0074272bc55df
- 120.53.104[.]31
While the available NetFlow data offers fewer obvious insights into Flax Typhoon’s activity than the Attack Surface Intelligence findings discussed above, it may reflect some of the targeting discussed in Microsoft’s report. Somewhat unexpectedly (given Flax Typhoon’s reported focus on Taiwanese organizations), no Taiwanese IP addresses appear in the traffic samples; this may reflect that the group focused on Taiwan more heavily earlier in its period of activity–its targeting of Taiwanese organizations may, for example, have occurred in date ranges earlier than the sampling periods available through SecurityScorecard’s NetFlow tool. However, some IP addresses from the other target regions Microsoft listed (North America, Southeast Asia, and Africa) do appear in the available traffic samples. Although it is unclear whether these addresses correspond to target organizations’ assets, this may indicate that Flax Typhoon targeted organizations outside of Taiwan more recently than it did organizations in Taiwan.
Conclusion
The aspects of Flax Typhoon’s activity that are comparable to other recently-identified APT groups linked to China may suggest that these points of comparison represent wider tendencies among these groups and could therefore offer broader insights into Chinese cyber activity. The use of the China Chopper webshell is both fairly longstanding and common to various other Chinese APTs; Flax Typhoon’s use of it may suggest that it is likely to remain a common tool for China-linked threat actors. Volt Typhoon and Flax Typhoon’s shared use of living-off-the-land and hands-on-keyboard techniques rather than more automation-heavy malware (presumably at the expense of operational speed, which automation may offer) could speak to the groups’ strategic patience. It, and both groups’ use of compromised SOHO devices as proxies, may also speak to their considerable investment in stealth, as might Flax Typhoon and Storm-0558’s use of the SoftEther VPN software.
While communication with SoftEther servers is not necessarily likely to indicate compromise, communication with servers bearing the certificates with the SHA-1 fingerprints Microsoft provided is.
Recommendations
Given the above, SecurityScorecard recommends that organizations in target sectors and geographies add the IP addresses representing Flax Typhoon-linked SoftEther servers to blocklists and update these blocklists regularly; Attack Surface Intelligence and other tools like it can support these efforts by identifying new servers with the same certificates.