There are signs of penetration, but no subsequent actions. What is the reasoning behind such an unusual strategy?
Microsoft has announced a new spy operation carried out by Chinese government-linked hackers. The group, dubbed Flax Typhoon by Microsoft, targets dozens of Taiwanese organizations, and the hackers have been active since mid-2021.
The attackers' goal, according to Microsoft, is not only to spy on targeted Taiwanese organizations, but also "to maintain access to organizations across a wide range of industries for as long as possible."
Government agencies, along with organizations in education, manufacturing, and information technology, are the hackers' primary targets. Victims have also been reported in Southeast Asia, North America, and Africa.
According to Microsoft, hackers use built-in operating system tools and some legitimate software to remain undetected on targeted organizations' networks. At the same time, the company has not yet observed the hackers' subsequent actions after gaining access.
Flax Typhoon hackers could be acting as Initial Access Brokers (IABs), whose sole purpose is to obtain persistent covert access to a target system, which is then sold on to other cybercriminal organizations.
According to reports, the malicious operation in question is just one of several that have come to light since Beijing increased rhetoric about Taiwan's "reunification" with mainland China.
Some evidence suggests that this group's activities overlap with those of another cybercriminal organization known as Ethereal Panda, as identified by Crowdstrike experts.
Microsoft stated that it decided to release this latest report due to "serious concerns" about the subsequent impact such attacks could have on the company's customers, even though no further attacker activity has been observed in this campaign.
This infiltrate-and-wait tactic makes detection and mitigation extremely difficult; remediation requires closing the compromised accounts or changing their credentials.
Microsoft advised affected organizations to assess the scope of Flax Typhoon activity on their network, remove malicious tools, and examine logs for compromised accounts.
The Redmond company also asked other security researchers to review its findings and collaborate on the best defensive measures for the hundreds of potential victims.