Flax Typhoon
Flax Typhoon is a China-linked, PRC state-sponsored threat actor also tracked as Ethereal Panda and Storm-0919. Microsoft described the group as China-based nation-state actors active since 2021, and U.S. officials said it operated at the direction of the Chinese government. Private-sector and U.S. government reporting links Flax Typhoon to Beijing-based Integrity Technology Group, which the FBI assessed was responsible for intrusion activity attributed to the group and for developing and controlling the Raptor Train botnet.
The group has targeted government agencies, education, critical manufacturing, and information technology organizations in Taiwan, as well as U.S. and foreign corporations, universities, government agencies, telecommunications providers, media organizations, and critical infrastructure. Multiple sources state that Flax Typhoon targeted Taiwan and U.S. critical infrastructure, and Taiwan's NSB named Flax Typhoon among Chinese groups involved in sustained targeting of sectors including energy, healthcare, communications, government, and technology.
A defining element of Flax Typhoon activity is the use of compromised consumer and edge devices as covert infrastructure. The group was linked to the Raptor Train botnet, which infected more than 200,000 (in some reporting, more than 260,000) SOHO routers, IP cameras, DVRs, NVRs, NAS devices, modems, and similar IoT and network devices. The botnet was used to disguise malicious traffic as routine internet activity from victim devices and supported targeting of military, government, telecommunications, higher education, defense industrial base, and IT organizations, primarily in the United States and Taiwan.
Reporting also states that Flax Typhoon-associated botnet activity included DDoS capability, DDoS attacks, and data theft, and that during the FBI disruption effort, China-based actors launched a DDoS attack against FBI infrastructure.
Hands-on intrusion tradecraft is also attributed to Flax Typhoon. ReliaQuest attributed an ArcGIS Server compromise to the group, in which the attackers used a malicious ArcGIS Server Object Extension (SOE), identified as JavaSimpleRESTSOE, to gain persistence and remote code execution through the ArcGIS Server management console. Persistence in that case relied on a VPN executable named Bridge.exe created by the compromised ArcGIS REST SOE. Separate reporting noted overlap between base64-encoded whoami commands in another China-linked IIS intrusion cluster and a prior Flax Typhoon incident, suggesting shared tradecraft.
Flax Typhoon has been reported using legitimate software for stealth and persistence: actors downloaded and used SoftEther VPN software to obfuscate activity, maintain persistence, and evade detection, including binaries masquerading as legitimate Windows processes such as conhost.exe and dllhost.exe. Additional reporting linked Flax Typhoon to protocol tunneling and abuse of external remote services. Known aliases are Ethereal Panda and Storm-0919.
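Two of the tradecraft details above translate directly into host-based detection logic: SoftEther binaries masquerading as conhost.exe or dllhost.exe (a real conhost.exe or dllhost.exe lives in the Windows system directories), and base64-encoded command lines that decode to a whoami invocation. The following is an added example, not code from this page or from Mallory; the process-creation events, file paths and the encoded command are constructed samples, and the set of expected system directories is an assumption a real deployment would tune to its own baseline.

```python
"""Flag two Flax Typhoon tradecraft patterns over process-creation events:
(1) conhost.exe / dllhost.exe images launched from outside the Windows system
    directories (VPN binaries masquerading as system processes), and
(2) base64-encoded command lines that decode to a whoami invocation
    (PowerShell -EncodedCommand uses UTF-16LE; plain tools use UTF-8).
"""
import base64
import binascii
import re
from pathlib import PureWindowsPath

# Assumption: genuine conhost.exe / dllhost.exe only run from these directories.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
MASQUERADE_NAMES = {"conhost.exe", "dllhost.exe"}
# Base64-looking tokens of at least 8 characters (enough for "whoami" alone).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def is_masquerading_system_binary(image_path: str) -> bool:
    """True if the image is named like a core Windows process but does not
    reside in a system directory."""
    p = PureWindowsPath(image_path)
    if p.name.lower() not in MASQUERADE_NAMES:
        return False
    return str(p.parent).lower() not in SYSTEM_DIRS


def decode_base64_tokens(command_line: str):
    """Yield UTF-16LE and UTF-8 decodings of every valid base64 token in the
    command line; tokens that are not valid base64 are skipped."""
    for token in B64_TOKEN.findall(command_line):
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue
        for encoding in ("utf-16-le", "utf-8"):
            yield raw.decode(encoding, errors="ignore")


def has_encoded_whoami(command_line: str) -> bool:
    """True if any base64 token in the command line decodes to text containing
    'whoami' (plaintext whoami is out of scope for this rule)."""
    return any("whoami" in text.lower() for text in decode_base64_tokens(command_line))


def triage(events):
    """Return (event id, rule name) pairs for every event that trips a rule."""
    hits = []
    for ev in events:
        if is_masquerading_system_binary(ev["image"]):
            hits.append((ev["id"], "masquerading_system_binary"))
        if has_encoded_whoami(ev["command_line"]):
            hits.append((ev["id"], "encoded_whoami"))
    return hits


# Constructed sample: PowerShell-style UTF-16LE encoding of "whoami /all".
ENCODED_WHOAMI = base64.b64encode("whoami /all".encode("utf-16-le")).decode("ascii")

# Constructed process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\conhost.exe",
     "command_line": r"\??\C:\Windows\system32\conhost.exe 0x4"},
    {"id": 2, "image": r"C:\ProgramData\vpnclient\conhost.exe",
     "command_line": "conhost.exe"},
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -NoProfile -EncodedCommand {ENCODED_WHOAMI}"},
    {"id": 4, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c dir C:\Users"},
    {"id": 5, "image": r"C:\Users\Public\dllhost.exe",
     "command_line": "cmd.exe /c echo d2hvYW1p"},  # d2hvYW1p is base64 of "whoami"
]

if __name__ == "__main__":
    for event_id, rule in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

The masquerade rule keys on the image path rather than the process name alone, which is what distinguishes a relocated SoftEther binary from the real console host; the base64 rule tries both UTF-16LE and UTF-8 because PowerShell's encoded commands and hand-rolled echo/decode chains use different encodings. Both rules will need tuning for environments with legitimate software in non-standard locations.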
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they're from
Attributed origin per open-source reporting.
- CN
Tradecraft
36 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
12 malware families attributed to this actor across reporting.
7 additional families tracked in Mallory.
Associated vulnerabilities
4 CVEs this actor has used in observed campaigns. 4 of them exploited in the wild.
There was also widespread, global targeting, such as a government agency in Kazakhstan, along with more targeted scanning and likely exploitation attempts against vulnerable software including Atlassian Confluence servers and Ivanti Connect Secure appliances (likely via CVE-2024-21887) in the same sectors.
VulnCheck observed an attacker in the wild using mount as a “download and execute” GTFOBin while attempting to exploit Hikvision CVE-2021-36260... CVE-2021-36260 is a command injection vulnerability affecting the /SDK/webLanguage endpoint.
CISA first warned of the issues in September, when it ordered all agencies to patch CVE-2025-20333 and CVE-2025-20362 — two vulnerabilities impacting Cisco Adaptive Security Appliances (ASA).
Observables
11 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Intrusion activity linked to a contractor-supported model in which Integrity Technology Group developed the Raptor Train botnet used to support operations.
China-linked threat actor referenced for similar base64-encoded command usage, suggesting overlap in tradecraft with OP-512.
China-linked threat actor targeting Taiwan and US critical infrastructure and leveraging compromised IoT devices to build botnets for offensive operations.
Linked in reporting to CDN-based traffic concealment techniques and to the use of SoftEther VPN to maintain persistence and evade detection.