Full Report
Chinese state hackers remained undetected in a target environment for more than a year by turning a component in the ArcGIS geo-mapping tool into a web shell. [...]
Analysis Summary
# Threat Actor: Flax Typhoon (Chinese APT Group)
## Attribution & Identity
Attributed by ReliaQuest researchers to a Chinese state-sponsored APT group, with moderate confidence identifying them as **Flax Typhoon**. The group is known for espionage campaigns focusing on establishing long-term, stealthy access using legitimate software. The FBI has previously linked Flax Typhoon to the "Raptor Train" botnet.
## Activity Summary
The primary activity detailed involves a year-long, undetected presence within a target environment by abusing a component of the Esri ArcGIS geo-mapping tool. The attackers achieved this by uploading a malicious Java Server Object Extension (SOE) that functioned as a web shell, accepting commands via a REST API parameter (`layer`) and executing them on an internal ArcGIS server; access to the shell was gated by a hardcoded secret key so that only requests carrying that key were acted on. Once inside, the group deployed SoftEther VPN Bridge to establish persistence and an outbound HTTPS tunnel, allowing lateral movement and data exfiltration even if the initial web shell was removed. They were observed attempting to dump the Security Account Manager (SAM) database, security registry keys, and LSA secrets, indicative of credential harvesting to escalate privileges and move within the Active Directory environment.
## Tactics, Techniques & Procedures
- Abuse of legitimate software functionality (ArcGIS Server Object Extension/SOE) to establish a web shell backdoor.
- Using a REST API parameter (`layer`) to deliver base64-encoded commands to the web shell.
- Installation of SoftEther VPN Bridge as a persistent access mechanism, registered as a Windows service.
- Utilizing outbound HTTPS tunneling on port 443 for command and control (C2), blending with legitimate traffic.
- "Hands-on keyboard" activity observed during privilege escalation attempts (e.g., dumping SAM, security registry keys, LSA secrets).
- Lateral movement attempts involving accessing internal hosts and harvesting credentials (evidenced by the file "pass.txt.lnk").
- Leveraging "living off the land" binaries (mentioned as a general tactic for this actor).
## Targeting
- Sectors: Municipalities, utilities, infrastructure operators (sectors utilizing ArcGIS GIS software). IT organizations and government entities are also noted targets for this group generally.
- Geography: Not explicitly stated for this specific incident, but the group is Chinese state-sponsored.
- Victims: Specific organizations are not named, but the victim environment utilizes public-facing and internal ArcGIS servers.
## Tools & Infrastructure
- Malware families used: SoftEther VPN Bridge (legitimate VPN software, abused here for a persistent C2 tunnel).
- Infrastructure: An outbound HTTPS tunnel established to an attacker-controlled server located at `172.86.113[.]142`.
## Implications
This incident highlights a sophisticated, highly stealthy approach by Flax Typhoon, leveraging specific functionality within widely used enterprise software (ArcGIS SOE) for initial access and persistence. The use of a VPN bridge established *after* initial compromise provides robust, redundant persistence capable of evading immediate detection if the initial web shell is found. This demonstrates a continued focus on long-term espionage and deep network infiltration within critical infrastructure sectors.
## Mitigations
- Rigorous monitoring and auditing of modifications to application extensions (like ArcGIS SOEs) for unauthorized file uploads or suspicious Java code execution paths.
- Review REST API logging for unusual activity on parameters associated with command execution (`layer` in this case).
- Implement strict monitoring for the installation of unauthorized VPN software (like SoftEther) being registered as system services.
- Monitor outbound TLS/HTTPS traffic on port 443 for anomalous connections originating from web servers to unknown external IPs.
- Harden configurations for administrative access to public-facing servers and enforce segmentation between public-facing components and internal data stores.
- Review security events related to credential harvesting utilities or attempts to dump SAM/LSA secrets.
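As an added detection example for the REST API logging mitigation above (not code from the ReliaQuest report or from Esri), the following Python scans constructed web-server access lines for requests to an SOE REST endpoint whose `layer` parameter decodes from base64 into command-like text. The SOE URL layout, the log line format and the command keyword list are assumptions for illustration.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (client, method, request target, status).
# The "/exts/<SOE name>" path layout is an assumption, not taken from the report.
SAMPLE_LOG = """\
203.0.113.10 GET /arcgis/rest/services/Roads/MapServer/exts/ParcelSOE/query?f=json&layer=0 200
203.0.113.10 GET /arcgis/rest/services/Roads/MapServer/exts/ParcelSOE/query?f=json&layer=Parcels 200
203.0.113.10 GET /arcgis/rest/services/Roads/MapServer/exts/ParcelSOE/query?f=json&layer=d2hvYW1p 200
198.51.100.7 GET /arcgis/rest/services/Roads/MapServer/exts/ParcelSOE/query?f=json&layer=bmV0IHVzZXIgL2RvbWFpbg== 200
198.51.100.7 GET /arcgis/rest/services/Roads/MapServer/0/query?f=json&where=1%3D1 200
"""

SOE_PATH = re.compile(r"/rest/services/.+/exts/", re.IGNORECASE)
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Heuristic tokens a defender would expect in a decoded command payload (assumed list).
CMD_HINT = re.compile(r"\b(cmd|powershell|whoami|net\s+user|reg\s+save)\b", re.IGNORECASE)


def decode_b64(value):
    """Return the decoded text if value is strict base64 of printable ASCII, else None."""
    if len(value) < 4 or not B64_SHAPE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # bad padding / non-ASCII bytes
        return None
    return text if text.isprintable() else None


def scan_line(line):
    """Flag a request to an SOE endpoint whose `layer` value decodes to command-like text."""
    src, _method, target, _status = line.split()
    parts = urlsplit(target)
    if not SOE_PATH.search(parts.path):
        return None  # ordinary map-service queries are out of scope
    for value in parse_qs(parts.query).get("layer", []):
        decoded = decode_b64(value)
        if decoded is not None and CMD_HINT.search(decoded):
            return {"src": src, "path": parts.path, "layer": value, "decoded": decoded}
    return None


def scan_log(text):
    """Return one hit dict per suspicious line, in log order."""
    return [hit for hit in (scan_line(l) for l in text.splitlines() if l.strip()) if hit]
```

Numeric or plain-name `layer` values (a legitimate layer index or name) are skipped, so the check keys on the decoded content rather than on mere use of the parameter.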