Flax Typhoon

Actor Type: Nation State
Attributed to Nation: China
Directly Linked Intrusion Sets: Ethereal Panda

Flax Typhoon is a cyber intrusion set tracked by researchers at Microsoft Threat Intelligence, who attribute the group to a nation-state adversary based in China. They have been observed targeting multiple organizations in Taiwan with a likely espionage motive: gaining access to organizations and then demonstrating an intent to maintain that access for as long as possible.

Flax Typhoon use living-off-the-land techniques alongside dedicated offensive security tooling such as China Chopper, Metasploit and Mimikatz. The group are also known to use the SoftEther VPN client.

Flax Typhoon are believed to overlap with ETHEREAL PANDA (CrowdStrike) and RedJuliett (Recorded Future).

Flax Typhoon Threat Reports

Flax Typhoon using legitimate software to quietly access Taiwanese organizations

This blog post by Microsoft Threat Intelligence outlines the Flax Typhoon intrusion set and TTPs demonstrated by the group. It describes the actor ...

MITRE ATT&CK Techniques

MITRE ATT&CK techniques observed in use by this intrusion set.

ATT&CK ID   Title                                   Associated Tactics
T1036       Masquerading                            Defense Evasion
T1546       Event Triggered Execution               Persistence, Privilege Escalation
T1059       Command and Scripting Interpreter       Execution
T1550       Use Alternate Authentication Material   Defense Evasion, Lateral Movement
T1543       Create or Modify System Process         Persistence, Privilege Escalation
T1572       Protocol Tunneling                      Command and Control
T1003       OS Credential Dumping                   Credential Access
T1505       Server Software Component               Persistence
T1190       Exploit Public-Facing Application       Initial Access
T1105       Ingress Tool Transfer                   Command and Control