Flax Typhoon / ETHEREAL PANDA

In August 2023 Microsoft identified a nation-state activity group tracked as Flax Typhoon, based in China, that is targeting dozens of organizations in Taiwan with the likely intention of performing espionage. Flax Typhoon gains and maintains long-term access to Taiwanese organizations’ networks with minimal use of malware, relying on tools built into the operating system, along with some normally benign software to quietly remain in these networks. Microsoft has not observed Flax Typhoon using this access to conduct additional actions.

Flax Typhoon stands out because it uses Internet of Things (IoT) devices as entry points into its targets’ networks. This APT group has been observed exploiting public-facing servers and leveraging well-known vulnerabilities to gain access. A flood of cheap, insecure electronics from Chinese manufacturers was being sold in the US. People who face threats from a stalker or estranged abusive partner are sometimes spied on through their phones, online platforms, and connected smart-home devices. Insecure Internet of Things (IoT) devices pose a real and tangible threat to Americans. Devices that lack baseline cybersecurity protections, such as Eken’s video doorbells, dramatically increase the entry points for cyberattacks. A compromised device can open a backdoor to personal or enterprise networks.

What makes Flax Typhoon particularly dangerous is its extensive use of compromised IoT devices, such as cameras and DVRs, to build botnets that can be used for command and control (C2) purposes. And once a hacker is in, they can wreak mayhem, including identity theft, espionage, and fraud, that costs consumers billions of dollars. This is not a theory, this is a fact. Beyond the risk to individual households, this is a larger threat to our national security. These devices may also become part of a botnet, contributing to large-scale attacks.

Flax Typhoon has been active since mid-2021 and has targeted government agencies and education, critical manufacturing, and information technology organizations in Taiwan. Some victims have also been observed elsewhere in Southeast Asia, as well as in North America and Africa. Flax Typhoon focuses on persistence, lateral movement, and credential access.

Microsoft attributes this campaign to Flax Typhoon (overlaps with ETHEREAL PANDA), a nation-state actor based out of China. Flax Typhoon’s observed behavior suggests that the threat actor intends to perform espionage and maintain access to organizations across a broad range of industries for as long as possible. Because this activity relies on valid accounts and living-off-the-land binaries (LOLBins), detecting and mitigating this attack could be challenging. Compromised accounts must be closed or changed. Compromised systems must be isolated and investigated.

Flax Typhoon is known to use the China Chopper web shell, Metasploit, the Juicy Potato privilege escalation tool, Mimikatz, and the SoftEther virtual private network (VPN) client. However, Flax Typhoon primarily relies on living-off-the-land techniques and hands-on-keyboard activity. Flax Typhoon achieves initial access by exploiting known vulnerabilities in public-facing servers and deploying web shells like China Chopper. Following initial access, Flax Typhoon uses command-line tools to first establish persistent access over Remote Desktop Protocol (RDP), then deploy a VPN connection to actor-controlled network infrastructure, and finally collect credentials from compromised systems. Flax Typhoon further uses this VPN access to scan for vulnerabilities on targeted systems and organizations from the compromised systems.

Integrity Technology Group (Integrity Tech) is a company based in the PRC with links to the PRC government. Integrity Tech has used China Unicom Beijing Province Network IP addresses to control and manage a botnet. In addition to managing the botnet, these same China Unicom Beijing Province Network IP addresses were used to access other operational infrastructure employed in computer intrusion activities against U.S. victims. The FBI has engaged with multiple U.S. victims of these computer intrusions and found activity consistent with the tactics, techniques, and infrastructure associated with the cyber threat group known publicly as Flax Typhoon, RedJuliett, and Ethereal Panda.

The Federal Bureau of Investigation (FBI), Cyber National Mission Force (CNMF), and National Security Agency (NSA) assess that People’s Republic of China (PRC)-linked cyber actors compromised thousands of Internet-connected devices, including small office/home office (SOHO) routers, firewalls, network-attached storage (NAS) and Internet of Things (IoT) devices with the goal of creating a network of compromised nodes (a “botnet”) positioned for malicious activity. The actors may then use the botnet as a proxy to conceal their identities while deploying distributed denial of service (DDoS) attacks or compromising targeted U.S. networks.

Integrity Technology Group, a PRC-based company, controlled and managed a botnet active since mid-2021. The botnet has regularly maintained between tens of thousands and hundreds of thousands of compromised devices. As of June 2024, the botnet consisted of over 260,000 devices. Victim devices that are part of the botnet have been observed in North America, South America, Europe, Africa, Southeast Asia and Australia. While devices aged beyond their end-of-life dates are known to be more vulnerable to intrusion, many of the compromised devices in the Integrity Tech-controlled botnet are likely still supported by their respective vendors.

On September 18, 2024, the Federal Bureau of Investigation, in coordination with the Cyber National Mission Force, National Security Agency, and Five Eyes partners, published a joint cybersecurity advisory that highlights the tactics, techniques, and procedures of Flax Typhoon, as well as Integrity Tech's role in supporting its malicious cyber activities.

Flax Typhoon is a state-sponsored Chinese malicious cyber group that has been active since at least 2021, targeting organizations within U.S. critical infrastructure sectors. Flax Typhoon has compromised computer networks in North America, Europe, Africa, and across Asia, with a particular focus on Taiwan. Flax Typhoon exploits publicly known vulnerabilities to gain initial access to victims' computers and then leverages legitimate remote access software to maintain persistent control over their network. Flax Typhoon has targeted victims within a wide range of industries.

Between summer 2022 and fall 2023, Flax Typhoon actors accessed several hosts associated with U.S. and European entities. The actors maliciously used virtual private network software and remote desktop protocols to facilitate this access. In summer 2023, Flax Typhoon compromised multiple servers and workstations at a California-based entity.

FBI, CNMF, NSA, and allied partners released a Joint Cyber Security Advisory to highlight the threat posed by these actors and their botnet activity and to encourage exposed device vendors, owners, and operators to update and secure their devices from being compromised and joining the botnet. Network defenders are advised to follow the guidance in the mitigations section to protect against the PRC-linked cyber actors’ botnet activity. Cyber security companies can also leverage the information in this advisory to assist with identifying malicious activity and reducing the number of devices present in botnets worldwide.

As with similar botnets, this botnet infrastructure is composed of a network of devices, known as “bots”, which are infected with a type of malware that provides threat actors with unauthorized remote access. A functioning botnet can be used for a variety of purposes, including malware delivery, distributed denial of service (DDoS) attacks, or routing nefarious Internet traffic. The botnet uses the Mirai family of malware, designed to hijack IoT devices such as webcams, DVRs, IP cameras, and routers running Linux-based operating systems.

The Mirai source code was posted publicly on the Internet in 2016, resulting in other hackers creating their own botnets based on the malware. Since that time, various Mirai botnets have been used to conduct DDoS and other malicious activities against victim entities within the United States. The investigated botnet’s customized Mirai malware is a component of a system that automates the compromise of a variety of devices. To recruit a new “bot,” the botnet system first compromises an Internet-connected device using one of a variety of known vulnerability exploits.

Post-compromise, the victim device executes a Mirai-based malware payload from a remote server. Once executed, the payload starts processes on the device to establish a connection with a command-and-control (C2) server using Transport Layer Security (TLS) on port 443. The processes gather system information from the infected device, including but not limited to the operating system version and processor, memory and bandwidth details, to send to the C2 server for enumeration purposes. The malware also makes requests to “c.speedtest.net,” likely to gather additional Internet connection details. Some malware payloads were self-deleting to evade detection.

A tier of upstream management servers using TCP port 34125 manages the botnet’s C2 servers. These management servers host a MySQL database that stores information used for the control of the botnet. As of June 2024, this database contained over 1.2 million records of compromised devices, including over 385,000 unique U.S. victim devices, both previously and actively exploited. The management servers hosted an application known as “Sparrow” which allows users to interact with the botnet.

The actors used specific IP addresses registered to China Unicom Beijing Province Network to access this application, including the same IP addresses previously used by Flax Typhoon to access the systems used in computer intrusion activities against U.S.-based victims. The code for the Sparrow application, stored within a Git repository, defines functions that allow registered users to manage and control the botnet and C2 servers, sending tasks to victim devices including DDoS and exploitation commands to grow the botnet. Sparrow also contains functionality providing device vulnerability information to users. A subcomponent called “vulnerability arsenal” also allows users to exploit traditional computer networks through the victim devices in the botnet.

There were at least 50 different Linux operating system versions found among botnet nodes. Based on the operating system versions of the nodes, infected systems range from devices that ceased receiving support as early as 2016 to devices that are currently supported. Affected devices were running Linux kernel versions 2.6 through 5.4.

Routers and IoT devices may provide features such as Universal Plug and Play (UPnP), remote management options and file sharing services, which threat actors may abuse to gain initial access or to spread malware to other networked devices. Rebooting a device terminates all running processes, which may remove specific types of malware, such as “fileless” malware that runs only in the host’s memory. As a reboot may disrupt legitimate activity, users may need to prepare for service interruptions. Some devices provide scheduled reboot features, enabling reboots to occur at preferred times. If a compromised device fails to respond to reboot commands issued remotely, reboot it physically.

On 03 January 2025, the US Department of the Treasury's Office of Foreign Assets Control (OFAC) sanctioned Integrity Technology Group, Incorporated (Integrity Tech), a Beijing-based cybersecurity company, for its role in multiple computer intrusion incidents against U.S. victims. These incidents have been publicly attributed to Flax Typhoon, a Chinese malicious state-sponsored cyber group that has been active since at least 2021, often targeting organizations within U.S. critical infrastructure sectors.

"The Treasury Department will not hesitate to hold malicious cyber actors and their enablers accountable for their actions," said Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence Bradley T. Smith. "The United States will use all available tools to disrupt these threats as we continue working collaboratively to harden public and private sector cyber defenses."

Between summer 2022 and fall 2023, Flax Typhoon actors used infrastructure tied to Integrity Tech during their computer network exploitation activities against multiple victims. During that time, Flax Typhoon routinely sent and received information from Integrity Tech infrastructure.

OFAC is designating Integrity Tech pursuant to Executive Order (E.O.) 13694, as amended by E.O. 13757, for being responsible for or complicit in, or having engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that have the purpose or effect of harming, or otherwise significantly compromising the provision of services by, a computer or network of computers that support one or more entities in a critical infrastructure sector.

As a result of this action, all property and interests in property of the designated entity described above that are in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC. In addition, any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more by one or more blocked persons are also blocked. Unless authorized by a general or specific license issued by OFAC, or exempt, OFAC's regulations generally prohibit all transactions by U.S. persons or within (or transiting) the United States that involve any property or interests in property of designated or otherwise blocked persons.

In addition, financial institutions and other persons that engage in certain transactions or activities with the sanctioned entities and individuals may expose themselves to sanctions or be subject to an enforcement action. The prohibitions include the making of any contribution or provision of funds, goods, or services by, to, or for the benefit of any designated person, or the receipt of any contribution or provision of funds, goods, or services from any such person.
