Full Report
The US government said that the China-based firm Integrity Technology Group provided infrastructure for Flax Typhoon to attack multiple US targets.
Analysis Summary
# Threat Actor: Flax Typhoon
## Attribution & Identity
* **Attribution:** Chinese state-sponsored cyber group.
* **Associated Entity:** Integrity Technology Group (Beijing-based cybersecurity company sanctioned by the US Treasury for enabling Flax Typhoon's activities).
* **Activity Start:** Believed to be active since at least 2021.
## Activity Summary
Flax Typhoon is involved in a large-scale botnet operation reportedly comprising 260,000 devices globally, including infrastructure tied to the sanctioned firm Integrity Technology Group. The group has been responsible for multiple computer intrusions targeting organizations across North America, Europe, Africa, and Asia. The US government views China-state affiliated actors, including Flax Typhoon, as one of the most active and persistent threats to US national security.
## Tactics, Techniques & Procedures
* **Initial Access:** Exploits publicly known vulnerabilities to gain initial access to victim computers.
* **Persistence/Control:** Leverages legitimate remote access software to maintain persistent control over compromised networks.
* **Botnet Operations:** Utilizes a massive botnet potentially for DDoS attacks, network compromise, or malware delivery.
* **Infrastructure Use:** Routinely utilized infrastructure associated with Integrity Technology Group for command and control (C2) and data exchange during exploitation activities (Summer 2022 - Fall 2023).
## Targeting
* **Sectors:** American organizations, including critical infrastructure, and US government systems.
* **Geography:** North America, Europe, Africa, and Asia, with a particular focus on Taiwan.
* **Victims:** Specific organizations are not named outside of the broad category of US critical infrastructure organizations.
## Tools & Infrastructure
* **Malware Families Used:** Mirai malware (variant believed to be used in the botnet).
* **Infected Devices:** Firewalls, Network-Attached Storage (NAS), SoHo routers, and IoT devices (including webcams).
* **Infrastructure (C2, domains, IPs):** Infrastructure tied to Integrity Technology Group was heavily used by the actors for communication between Summer 2022 and Fall 2023.
## Implications
Flax Typhoon poses a persistent and significant threat, particularly to US national security targets and critical infrastructure. Its activity, supported by entities like Integrity Technology Group (which has now been sanctioned), indicates a sophisticated, state-backed effort to gain persistent access to Western networks, potentially for strategic disruption or destruction in the event of geopolitical conflict.
## Mitigations
* Harden defenses against publicly known vulnerabilities, as this is a known initial access vector.
* Monitor and restrict communication with known malicious infrastructure if associated Indicators of Compromise (IOCs) become available.
* Focus protective measures on securing common IoT devices, routers, firewalls, and NAS devices against Mirai-like exploitation.
* Review remote access software usage for signs of compromise or unauthorized persistence mechanisms.
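As an added illustration of the second and fourth mitigations (this is example code, not part of the report), the following Python sketch runs two checks over constructed log lines: outbound flows matched against a placeholder IOC list, rated higher when the source sits in the segment holding routers, NAS and IoT devices, and remote access tool executions on hosts not covered by a hypothetical sanctioned-use policy. The IOC addresses, segment, tool names and policy are all assumptions.

```python
import ipaddress

# Placeholder C2 indicators (CONSTRUCTED, RFC 5737 test ranges, not from the report).
C2_IOCS = {"203.0.113.10", "198.51.100.7"}
# Segment holding routers, NAS, webcams and firewall management interfaces (assumed).
EDGE_SEGMENT = ipaddress.ip_network("10.50.0.0/16")
# Legitimate remote access software and the hosts allowed to run it (hypothetical policy).
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe"}
SANCTIONED = {"jump01": {"anydesk.exe"}}

def flow_alerts(lines):
    """Flow lines (constructed format '<ts> <src_ip> <dst_ip> <dst_port>'):
    flag any connection to an IOC; sources in the edge segment are rated high
    because those device classes are the ones the botnet recruits."""
    alerts = []
    for line in lines:
        ts, src, dst, port = line.split()
        if dst not in C2_IOCS:
            continue
        edge = ipaddress.ip_address(src) in EDGE_SEGMENT
        alerts.append({"rule": "c2_ioc_match", "host": src,
                       "severity": "high" if edge else "medium",
                       "detail": f"{dst}:{port} at {ts}"})
    return alerts

def remote_access_alerts(lines):
    """Process lines (constructed format '<ts> <host> <image>'): flag remote
    access tools on hosts not sanctioned to run them (persistence check)."""
    alerts = []
    for line in lines:
        ts, host, image = line.split()
        image = image.lower()
        if image in REMOTE_ACCESS_TOOLS and image not in SANCTIONED.get(host, set()):
            alerts.append({"rule": "unsanctioned_remote_access", "host": host,
                           "severity": "high", "detail": f"{image} at {ts}"})
    return alerts

# Constructed sample logs.
FLOWS = ["2023-09-01T02:14:00Z 10.50.3.21 203.0.113.10 443",   # NAS in edge segment -> IOC
         "2023-09-01T02:15:10Z 10.20.8.5 198.51.100.7 8080",   # workstation -> IOC
         "2023-09-01T02:16:00Z 10.50.3.22 192.0.2.5 443"]      # benign
PROCS = ["2023-09-01T03:00:00Z jump01 AnyDesk.exe",            # sanctioned host
         "2023-09-01T03:01:00Z fileserver02 AnyDesk.exe",      # not sanctioned
         "2023-09-01T03:02:00Z fileserver02 explorer.exe"]

if __name__ == "__main__":
    for alert in flow_alerts(FLOWS) + remote_access_alerts(PROCS):
        print(alert)
```

In practice the IOC set would be fed from a vetted feed once indicators are published, and the sanctioned-tool map from the organisation's own remote access policy.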