
Flax Typhoon: Chinese Cyber Espionage Group Infiltrating Critical Infrastructure Globally

Explore how China's Flax Typhoon group targets global critical infrastructure, using stealthy tactics to conduct cyber espionage and disrupt national security

28-Jan-2025
7 min read

In recent years, the cyber espionage landscape has been increasingly shaped by state-sponsored actors with far-reaching geopolitical and economic motives. One of the most infamous names in this space remains Flax Typhoon, a Chinese cyber espionage group (also known as Ethereal Panda), which has been actively targeting critical infrastructure, government agencies, universities, and corporations in Taiwan, the U.S., and other parts of the world.

This Threat Research provides a comprehensive analysis of the Flax Typhoon group, their methods, targets, tools, and implications for global cybersecurity. The research also explores the interconnections between the group and Chinese intelligence services, detailing the botnet infrastructure, tactics, tools, and techniques that have enabled them to maintain long-term access to vulnerable networks.

1. Introduction to Flax Typhoon: A Chinese State-Sponsored Threat

Flax Typhoon is part of a broader wave of China-backed cyber activities aimed at espionage, data theft, and disruption of critical infrastructure. The group has been tracked by Microsoft, CrowdStrike, and other cybersecurity agencies under the name Flax Typhoon, and it shares tactics, techniques, and infrastructure with other Chinese APTs (Advanced Persistent Threats), such as Volt Typhoon and Salt Typhoon. Flax Typhoon's activities primarily target Taiwan, but its reach spans North America, Southeast Asia, and Europe, reflecting China’s growing cyber capabilities and strategic ambitions.

Figure 1. Flax Typhoon attack chain diagram (Flax Typhoon attack flow)

The group has been active since at least mid-2021, and its operations are marked by a deliberate and sophisticated approach, relying on living-off-the-land (LotL) techniques, which make detection more challenging for traditional defense systems. These techniques enable the group to maintain long-term access to victim networks, allowing them to collect sensitive information over extended periods.


2. Flax Typhoon’s Key Targets and Infrastructure

2.1. Targeted Organizations

Flax Typhoon’s focus has been primarily on Taiwan, a key geopolitical flashpoint for China. The group's primary targets in Taiwan have included:

  • Government agencies
  • Educational institutions
  • Critical manufacturing
  • Information technology (IT) organizations

Beyond Taiwan, Flax Typhoon has also targeted organizations across Southeast Asia, North America, and Europe, reflecting the global scope of its operations. Some of the most notable sectors under attack include:

  • Telecommunications
  • Military and Defense sectors
  • Media organizations

These sectors are all critical for national security, making them highly valuable for espionage campaigns aimed at gathering intelligence, sensitive data, and trade secrets.

2.2. Botnet Infrastructure and Control

Flax Typhoon's most notable infrastructure is its botnet, which was dismantled by the FBI in September 2023. The botnet comprised over 260,000 devices, including IoT devices, cameras, routers, and storage devices, spanning multiple continents. This botnet was used to conceal Flax Typhoon’s activities and maintain access to compromised networks.

  • Device Control: Flax Typhoon leveraged SoftEther VPN software and China Chopper web shells to maintain persistence and remote access to compromised systems.
  • Infiltration Methods: The botnet operated using compromised routers and other internet-connected devices, which are often difficult to monitor, providing the group with an exfiltration path that is hard to trace back to them.

Flax Typhoon’s approach exemplifies how attackers are increasingly relying on IoT devices as a gateway to infiltrate larger networks, making detection harder while increasing the potential impact.


3. Tactics, Techniques, and Procedures (TTPs)

3.1. Living-Off-The-Land (LotL) Techniques

One of the defining characteristics of Flax Typhoon’s operations is the use of LotL techniques. By exploiting built-in tools in the operating system and widely available software, Flax Typhoon minimizes the need for custom malware, making it harder to detect. The primary tactics observed include:

  • Remote Desktop Protocol (RDP): RDP is used for establishing initial access and maintaining control over compromised systems.
  • VPN Bridging: The group uses VPN software, such as SoftEther, to create secure channels to external infrastructure.
  • Credential Harvesting: Tools like Mimikatz are used to dump password hashes and escalate privileges within compromised networks.

This low-and-slow approach enables the group to maintain long-term access while staying under the radar of security teams.

3.2. Post-Exploitation and Lateral Movement

After gaining initial access, Flax Typhoon uses several techniques to escalate privileges and move laterally within the compromised network:

  • Sticky Keys: The group modifies Sticky Keys behavior to launch Task Manager, which provides local system privileges.
  • WinRM and WMIC: These LOLBins (Living-off-the-Land Binaries) are used for lateral movement across the compromised network, facilitating deeper access to sensitive systems.
  • Web Shells: China Chopper and other web shells are deployed to maintain access and facilitate post-exploitation activities.

Flax Typhoon’s ability to maneuver laterally within the network without triggering alerts is a clear indicator of the group's sophisticated techniques and emphasis on stealth.
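As an added example (not code from the original post or from any vendor's tooling), the following Python scanner applies two detection heuristics to Sysmon-style process-creation and registry-set events for the behaviours described above: an accessibility binary such as sethc.exe hijacked so that the logon screen launches Task Manager as SYSTEM (MITRE T1546.008), and commands arriving through the WMI and WinRM service hosts. The event field names, host names and sample records are constructed assumptions for illustration.

```python
"""Detection heuristics for the Sticky Keys and WMI/WinRM behaviours described above."""
import re

# Accessibility binaries that Windows launches as SYSTEM from the logon screen.
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", "magnify.exe"}
# Programs that should never appear as a child of winlogon.exe at the logon screen.
SUSPICIOUS_CHILDREN = {"taskmgr.exe", "cmd.exe", "powershell.exe"}
# Service hosts that execute commands arriving over WMI and WinRM respectively.
REMOTE_EXEC_PARENTS = {"wmiprvse.exe": "WMI", "wsmprovhost.exe": "WinRM"}

def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_process(ev):
    """Flag a process-creation event (Sysmon event 1 / Security 4688 style)."""
    parent, child = basename(ev["parent_image"]), basename(ev["image"])
    if parent == "winlogon.exe" and child in SUSPICIOUS_CHILDREN:
        return f"{ev['host']}: {child} spawned by winlogon.exe (accessibility-feature backdoor, T1546.008)"
    if parent in REMOTE_EXEC_PARENTS:
        return f"{ev['host']}: {child} spawned via {REMOTE_EXEC_PARENTS[parent]} (remote execution / lateral movement)"
    return None

def check_registry(ev):
    """Flag a registry-set event (Sysmon event 13 style) that hijacks an accessibility binary."""
    m = re.search(r"image file execution options\\([^\\]+)\\debugger$", ev["target_object"], re.I)
    if m and m.group(1).lower() in ACCESSIBILITY_BINARIES:
        return f"{ev['host']}: IFEO Debugger for {m.group(1)} set to {ev['details']}"
    return None

def scan(events):
    """Run both heuristics over a list of events and return the alert strings."""
    alerts = []
    for ev in events:
        hit = check_registry(ev) if ev["type"] == "registry" else check_process(ev)
        if hit:
            alerts.append(hit)
    return alerts

# Constructed sample telemetry (assumed field names; not from any real incident).
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "parent_image": r"C:\Windows\System32\winlogon.exe",
     "image": r"C:\Windows\System32\taskmgr.exe"},                      # benign-looking binary, wrong parent
    {"type": "process", "host": "ws01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\taskmgr.exe"},                      # normal user launch, no alert
    {"type": "registry", "host": "srv02", "details": r"C:\Windows\System32\taskmgr.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger"},
    {"type": "process", "host": "srv02", "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe"},                          # shell spawned by the WMI host
]
```

Running `scan(SAMPLE_EVENTS)` yields three alerts (the explorer-launched Task Manager is ignored); in practice the same checks map directly onto SIEM rules keyed on ParentImage, Image and TargetObject.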


4. Flax Typhoon’s Global Impact & Strategic Objectives

4.1. Strategic Espionage

Flax Typhoon’s primary mission is espionage. While their tactics and infrastructure have been linked to traditional cyber-espionage activities, their long-term access to target networks suggests the group is laying the groundwork for future cyber disruptions or destructive attacks if the geopolitical situation escalates, particularly concerning Taiwan.

  • Targeting Critical Infrastructure: By maintaining access to critical infrastructure sectors, Flax Typhoon is positioning itself to potentially disrupt services in times of crisis, leveraging its foothold for maximum impact.
  • Data Exfiltration: Although Flax Typhoon has not yet weaponized its access to conduct large-scale data exfiltration, the prolonged nature of its infiltrations indicates that espionage and intelligence-gathering remain top priorities.

4.2. Economic and Geopolitical Implications

The continued cyber espionage activities by China-backed hackers have profound economic and geopolitical consequences:

  • Intellectual Property Theft: The compromise of technology companies and research institutions allows China to steal intellectual property and gain access to sensitive trade secrets.
  • Global Trade Disruption: In a worst-case scenario, if China decides to leverage its cyber capabilities in a crisis, it could disrupt global supply chains and trade.

As China continues to expand its cyber capabilities, the threat to critical infrastructure and private-sector organizations becomes increasingly significant.


5. The U.S. Government’s Response and Ongoing Challenges

5.1. Sanctions and Disruptive Measures

In response to Flax Typhoon’s activities, the U.S. government has sanctioned Integrity Technology Group, a Beijing-based cybersecurity company, for its role in facilitating these cyberattacks. The Treasury Department imposed sanctions on the company, freezing its assets and restricting financial interactions with U.S. entities.

Despite these measures, the persistent nature of these state-backed cyber operations suggests that sanctions alone may not be sufficient to counter the growing threat. The FBI and NSA have taken actions, such as botnet takedowns, but Flax Typhoon’s adaptive tactics continue to present challenges for cybersecurity defense teams.

5.2. International Cooperation and Private Sector Collaboration

The growing threat of Flax Typhoon underscores the need for stronger international cooperation and private-public sector collaboration to detect and disrupt cyber-espionage activities:

  • Real-time Detection: Governments and private organizations must strengthen their real-time detection capabilities to identify and neutralize such threats quickly.
  • Cyber Hygiene: Ensuring basic cybersecurity hygiene—like patching vulnerabilities, implementing strong authentication protocols, and conducting regular audits—is critical in defending against these sophisticated, low-profile attacks.

6. Conclusion

Flax Typhoon represents a highly sophisticated and persistent threat that continues to evolve its tactics to maintain long-term access to targeted networks. The group’s reliance on living-off-the-land techniques and minimal malware makes it a difficult adversary for traditional defense systems. As China-backed cyber espionage continues to escalate, the global cybersecurity community must adapt and strengthen its defenses, focusing on collaboration, detection, and prevention.

The sanctions against Integrity Technology Group highlight the growing need to hold entities accountable that enable state-sponsored cyber-espionage. However, the ongoing cybersecurity arms race suggests that Flax Typhoon and similar groups will continue to evolve, and organizations must remain vigilant against the growing threat of nation-state cyber operations.