Full Report
A novel campaign that compromised an ArcGIS system and turned it into a backdoor for more than a year has been attributed to threat actors with ties to China. The activity, per ReliaQuest, is the handiwork of a Chinese state-sponsored hacking group called Flax Typhoon, which is also tracked as Ethereal Panda and RedJuliett. According to the U.S. government, it's assessed to be a publicly-traded
Analysis Summary
# Threat Actor: Flax Typhoon
## Attribution & Identity
Threat actors with confirmed ties to **China**.
Aliases: **Ethereal Panda**, **RedJuliett**.
Attributed Government Association: Chinese state-sponsored hacking group.
Known Corporate Association: Assessed by the U.S. government to be linked to the publicly-traded, Beijing-based company **Integrity Technology Group**.
## Activity Summary
The group has been engaged in a campaign exploiting public-facing **ArcGIS Server** installations for over a year to establish long-term persistence. The initial compromise is not fully detailed, but it led to the deployment of a malicious SOE on the ArcGIS system. The core objective appears to be deep access and a covert network presence from which to move laterally and exfiltrate data. The campaign demonstrated high sophistication by weaponizing legitimate server functionality (the ArcGIS Java Server Object Extension, or SOE) and relying on **Living-Off-the-Land (LotL)** techniques.
## Tactics, Techniques & Procedures
- **Initial Access/Execution:** Compromising a portal administrator account and using it to deploy a malicious Java Server Object Extension (SOE) to the ArcGIS Server component.
- **Persistence:** Modifying the legitimate ArcGIS extension (`JavaSimpleRESTSOE`) to act as a web shell, gated by a hardcoded key, and embedding access within system backups for long-term persistence capable of surviving system recovery.
- **Defense Evasion:** Extensive use of **Living-Off-the-Land (LotL)** methods and obscuring command execution via REST operations on the public portal.
- **Persistence Mechanism:** Renaming the **SoftEther VPN executable** to **`bridge.exe`** and placing it in the `%System32%` folder.
- **Persistence Mechanism:** Creating a service named **"SysBridge"** to launch the malicious binary on every server reboot.
- **Command and Control (C2):** Establishing a covert VPN channel using the compromised legitimate SoftEther VPN software.
- **Lateral Movement:** Targeting two workstations belonging to IT personnel to harvest credentials and further infiltrate the network, including resetting administrative passwords.
## Targeting
- Sectors: Not explicitly detailed, but the exploitation of ArcGIS Server suggests targeting organizations utilizing Esri's GIS infrastructure (e.g., government, utilities, defense contractors, mapping organizations).
- Geography: Not explicitly detailed.
- Victims: Organizations operating public-facing **ArcGIS Servers**. The activity specifically focused on compromising IT personnel workstations post-initial access.
## Tools & Infrastructure
- **Malware Families Used:** Modified **ArcGIS Java Server Object Extension (SOE)** acting as a web shell.
- **Legitimate Tool Weaponization:** **SoftEther VPN executable** renamed to `bridge.exe`.
- **Infrastructure (C2):** Establishing outbound HTTPS connections over **port 443** to an attacker-controlled IP address to maintain the covert VPN channel.
## Implications
Flax Typhoon exhibits high levels of **creativity and sophistication**, moving beyond traditional malware delivery by weaponizing trusted, legitimate server components (ArcGIS SOEs). This technique allows the group to achieve deep, long-term persistence while blending in with normal server traffic, posing a severe challenge to signature-based detection. The successful establishment of a persistent, covert VPN bridge indicates an objective focused on sustained intelligence gathering or operational control over compromised networks.
## Mitigations
- **Application Hardening:** Rigorously vet and restrict modifications to application extensions or server components, especially for publicly-facing services like ArcGIS Server.
- **Access Control:** Implement strong security around administrative accounts used for system components; monitor for unexpected password resets.
- **Network Visibility:** Monitor for unusual outbound connections originating from core infrastructure services (for example, processes running from System32 or services created by legitimate applications), specifically outbound HTTPS traffic to external IPs associated with C2 activity, which may indicate a tunneled VPN connection.
- **Monitoring:** Focus detection efforts not just on file execution, but on the *manipulation* of legitimate software components (LotL techniques) and unusual service creation.
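The two persistence and C2 indicators above (a service named "SysBridge" launching `bridge.exe` from System32, and outbound HTTPS from that process to an external IP) translate directly into detection rules. The following is an added example, not code from ReliaQuest or from the report itself: it runs a service-creation rule and an outbound-connection rule over constructed event records. The hostnames, file paths, destination IPs, and the two allowlists are assumptions made for the example; only the service name and binary name come from the summary above.

```python
"""Detection rules for the Flax Typhoon ArcGIS persistence pattern (added example).

Rule 1 (service creation): flag a new service that matches the reported IoCs
(service name "SysBridge" or binary "bridge.exe"), and, more generally, any new
service whose binary sits under System32 but is not on a baseline allowlist.
Rule 2 (outbound connection): flag a System32-resident process connecting to
TCP/443 on an address that is neither internal nor on a destination allowlist.
All sample records below are constructed for the example, not real telemetry.
"""
from dataclasses import dataclass
import ipaddress
import ntpath

# IoCs taken from the report summary (compared case-insensitively).
IOC_SERVICE_NAME = "sysbridge"
IOC_BINARY_NAME = "bridge.exe"

# Hypothetical baseline of service binaries expected under System32 (assumption).
SYSTEM32_SERVICE_ALLOWLIST = {"svchost.exe", "lsass.exe", "spoolsv.exe", "services.exe"}

# Hypothetical internal ranges and approved external destinations (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_OUTBOUND_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # e.g. an approved SaaS range


@dataclass
class ServiceCreated:
    """Normalised service-creation record (what Event ID 7045-style logs carry)."""
    host: str
    service_name: str
    image_path: str


@dataclass
class OutboundConn:
    """Normalised network-connection record from EDR or firewall telemetry."""
    host: str
    process_path: str
    dst_ip: str
    dst_port: int


def is_under_system32(path: str) -> bool:
    """True if the file's directory is the Windows System32 folder."""
    directory = ntpath.dirname(path.replace("/", "\\")).lower()
    return directory.endswith("\\system32")


def check_service(ev: ServiceCreated) -> list[str]:
    findings = []
    binary = ntpath.basename(ev.image_path).lower()
    if ev.service_name.lower() == IOC_SERVICE_NAME or binary == IOC_BINARY_NAME:
        findings.append(f"{ev.host}: service '{ev.service_name}' matches the SoftEther/bridge.exe persistence IoC")
    # Generic rule: legitimate System32 services are a known, small set; anything else is worth a look.
    if is_under_system32(ev.image_path) and binary not in SYSTEM32_SERVICE_ALLOWLIST:
        findings.append(f"{ev.host}: new service '{ev.service_name}' runs unlisted System32 binary '{binary}'")
    return findings


def check_conn(ev: OutboundConn) -> list[str]:
    ip = ipaddress.ip_address(ev.dst_ip)
    if any(ip in net for net in INTERNAL_NETS) or any(ip in net for net in ALLOWED_OUTBOUND_NETS):
        return []
    if ev.dst_port == 443 and is_under_system32(ev.process_path):
        return [f"{ev.host}: System32 process '{ev.process_path}' -> {ev.dst_ip}:443 outside allowlist "
                f"(possible covert VPN channel)"]
    return []


# Constructed sample records: one benign service, one ArcGIS service, one matching the report.
SAMPLE_SERVICES = [
    ServiceCreated("gis-srv01", "SysBridge", r"C:\Windows\System32\bridge.exe"),
    ServiceCreated("gis-srv01", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ServiceCreated("gis-srv01", "ArcGIS Server", r"C:\Program Files\ArcGIS\Server\bin\ArcGISServer.exe"),
]
SAMPLE_CONNS = [
    OutboundConn("gis-srv01", r"C:\Windows\System32\bridge.exe", "203.0.113.10", 443),   # external, unlisted
    OutboundConn("gis-srv01", r"C:\Windows\System32\svchost.exe", "198.51.100.5", 443),  # approved destination
    OutboundConn("gis-srv01", r"C:\Program Files\ArcGIS\Server\bin\ArcGISServer.exe", "10.0.0.7", 443),
]


def run_detections() -> list[str]:
    """Apply both rules to the sample records and return every finding."""
    findings = []
    for svc in SAMPLE_SERVICES:
        findings.extend(check_service(svc))
    for conn in SAMPLE_CONNS:
        findings.extend(check_conn(conn))
    return findings


if __name__ == "__main__":
    for line in run_detections():
        print(line)
```

The IoC match is the narrow rule; the System32 allowlist and the destination allowlist are what catch a renamed binary or a different service name, which is the point of the Monitoring and Network Visibility items above. Both allowlists must be tuned to the environment before the generic rules are useful.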