A China-based nation-state group has been identified behind cyberattacks on many Taiwanese organizations in what is assessed to be an espionage campaign. Microsoft Threat Intelligence tracks the actor as Flax Typhoon, while CrowdStrike tracks it as Ethereal Panda. The group relies on built-in operating system tools and otherwise legitimate software, deploying as little malware as possible so that it can quietly maintain access to Taiwanese networks. Its targets include Taiwanese government agencies, educational institutions, critical manufacturing firms and IT companies, although the group has not yet been observed using that access to collect or exfiltrate data.
Active since mid-2021, the group has also been observed against a smaller number of victims in Southeast Asia, North America and Africa. It concentrates on Taiwan's academic, technology and telecommunications sectors, gaining access to victim networks with tools such as SoftEther VPN executables and the Godzilla web shell. To accomplish its goals, Ethereal Panda emphasizes persistence, lateral movement and credential access, favoring hands-on-keyboard activity and living-off-the-land (LotL) techniques over custom malware.
The group's tradecraft shows how it has adapted to evade detection: by using tools already present in the target environment it avoids downloading custom components, which leaves fewer artifacts for defenders to find.
The attack chain begins with exploitation of known vulnerabilities in public-facing servers and the deployment of web shells such as China Chopper. The actor then establishes persistent Remote Desktop Protocol (RDP) access, installs a VPN bridge (SoftEther VPN) that connects back to actor-controlled infrastructure, and harvests credentials with Mimikatz.
Notably, Flax Typhoon obtains a SYSTEM-level foothold for post-exploitation on the compromised host by altering the behavior of Sticky Keys so that it launches Task Manager instead. This is the classic accessibility-feature backdoor: with network-level authentication for RDP disabled, an Image File Execution Options debugger entry for sethc.exe pointing at taskmgr.exe means that pressing Shift five times on the RDP logon screen opens Task Manager with local system privileges, without ever logging in. For lateral movement the group relies on living-off-the-land binaries (LOLBins) such as Windows Remote Management (WinRM) and the WMI command-line tool (WMIC) to reach other systems on the compromised network.
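The persistence and lateral-movement steps above leave registry and process artifacts that are cheap to hunt for. The following Python is an added example, not code from the original article or from Microsoft or CrowdStrike: it runs a few detection rules over constructed Sysmon-style events (Event ID 13 for a registry value being set, Event ID 1 for process creation). It assumes the Sticky Keys change is made through an Image File Execution Options "Debugger" value for sethc.exe and that RDP network-level authentication is turned off via the RDP-Tcp UserAuthentication value, as Microsoft's public reporting on Flax Typhoon describes; the WMIC and winrs command-line shapes are generic lateral-movement patterns rather than observed actor commands, and the hostnames, paths and command lines in the sample events are invented.

```python
"""Hunt for Flax Typhoon-style RDP persistence and LOLBin lateral movement
in Sysmon-style events (Event ID 13 = registry value set, Event ID 1 = process
create). Added example, not the article's or any vendor's code; all sample
events below are constructed."""
import re
from dataclasses import dataclass

# Accessibility helpers reachable from the Windows logon screen. An IFEO
# "Debugger" value on any of these runs an attacker-chosen binary as SYSTEM
# before anyone logs in; the Sticky Keys (sethc.exe) variant is the one
# described in the text. There is no legitimate reason for such a value.
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}

IFEO_DEBUGGER = re.compile(
    r"\\Image File Execution Options\\(?P<exe>[^\\]+)\\Debugger$", re.IGNORECASE)
RDP_NLA = re.compile(
    r"\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication$", re.IGNORECASE)
DWORD_ZERO = re.compile(r"DWORD\s*\(0x0+\)", re.IGNORECASE)  # Sysmon renders DWORDs this way


@dataclass
class Finding:
    technique: str
    host: str
    evidence: str


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return a list of Findings, in event order, for events matching the tradecraft."""
    findings = []
    for ev in events:
        host = ev.get("Computer", "?")
        if ev.get("EventID") == 13:
            target = ev.get("TargetObject", "")
            details = ev.get("Details", "")
            m = IFEO_DEBUGGER.search(target)
            if m and m.group("exe").lower() in ACCESSIBILITY_BINARIES:
                findings.append(Finding(
                    "Sticky Keys / accessibility IFEO debugger backdoor",
                    host, f"{target} = {details}"))
            elif RDP_NLA.search(target) and DWORD_ZERO.search(details):
                findings.append(Finding(
                    "RDP network-level authentication disabled",
                    host, f"{target} = {details}"))
        elif ev.get("EventID") == 1:
            image = _basename(ev.get("Image", ""))
            cmd = ev.get("CommandLine", "")
            low = cmd.lower()
            # WMIC told to spawn a process on a remote node: LOLBin lateral movement.
            if image == "wmic.exe" and "/node:" in low and "process call create" in low:
                findings.append(Finding("WMIC remote process creation", host, cmd))
            # winrs is the WinRM command-line client; -r: / -remote: names the target host.
            elif image == "winrs.exe" and re.search(r"\s-(r|remote):", low):
                findings.append(Finding("WinRM remote command execution", host, cmd))
    return findings


# Constructed sample events (hypothetical hosts, paths and commands).
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "WEB01", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger",
     "Details": "C:\\Windows\\System32\\taskmgr.exe"},
    {"EventID": 13, "Computer": "WEB01", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication",
     "Details": "DWORD (0x00000000)"},
    # A developer tool registering itself as a debugger for notepad.exe: benign, not flagged.
    {"EventID": 13, "Computer": "DEV07", "Image": "C:\\Program Files\\SomeDebugger\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe\\Debugger",
     "Details": "\"C:\\Program Files\\SomeDebugger\\dbg.exe\""},
    {"EventID": 1, "Computer": "WEB01", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic /node:10.0.5.21 process call create \"cmd.exe /c whoami > C:\\Windows\\Temp\\o.txt\""},
    {"EventID": 1, "Computer": "WEB01", "Image": "C:\\Windows\\System32\\winrs.exe",
     "CommandLine": "winrs -r:FS02 hostname"},
    # Local WMIC query with no remote node: ordinary admin activity, not flagged.
    {"EventID": 1, "Computer": "WEB01", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic os get caption"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.host}] {f.technique}: {f.evidence}")
```

On the sample data the script reports four findings (the sethc.exe debugger, the disabled NLA value, the remote WMIC process creation and the winrs command) and ignores the two benign events. The accessibility-binary rule is deliberately strict and high-confidence: a Debugger value on sethc.exe or its siblings has no legitimate use, so it is worth alerting on even when the value points at a signed Windows binary such as taskmgr.exe, which is exactly why the technique blends in on a low-malware intrusion.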
CrowdStrike published a case study of an Ethereal Panda intrusion in February 2023. The actor is believed to have gained initial access to an unnamed organization through an Apache Tomcat instance, after which it enumerated resources on the host and harvested credentials using ProcDump (to dump process memory) and Mimikatz (to extract the credentials from it).
Although overlap in tactics and infrastructure among China-based threat actors is not unusual, these findings underline a continually evolving threat landscape in which adversaries refine their methods to carry out more precisely targeted follow-on operations.