CCP-Backed Flax Typhoon Uses Trusted Software Against Victims: Researchers
The report highlights how any system with backend access must be treated as high-risk and a top priority, because the group's evolving capabilities allow it to keep that access even after the system has been wiped and restored.
“This attack truly stands out for its sheer ingenuity preying on a common security blind spot: the inherent trust placed in legitimate software components,” the report reads.
The group was also responsible for a botnet that compromised more than 200,000 devices, such as small home routers and DVRs, for use in malicious cyberactivity.
ReliaQuest’s report is a case study of Flax Typhoon’s year-long intrusion into a victim organization’s deployment of the mapping software ArcGIS. The software visualizes and analyzes spatial data for uses including disaster recovery, urban planning, and emergency management.
This meant compromise of the system could have disrupted critical operations, exposed infrastructure vulnerabilities, or provided a gateway for a cyber-enabled attack into connected critical infrastructure networks.
Flax Typhoon turned the system’s own software into a persistent backdoor, in what the report calls “an attack so unique” that it forced the vendor to rewrite its own security guidelines.
“Attackers don’t need their own tools when they can corrupt yours,” the report reads.
According to the researchers, the hackers modified one of the mapping software’s Java server object extensions, a legitimate ArcGIS Server mechanism for adding custom functionality, into a web shell, which gave them remote command access to the server.
“By gating access with a hardcoded key for exclusive control and embedding it in system backups, they achieved deep, long-term persistence that could survive a full system recovery,” the report reads.
This hardcoding also prevented other hackers or system administrators from “tampering with its access.” While security teams hunted for malware, the trusted processes that Flax Typhoon had subverted went overlooked.
“This quiet foothold was all they needed for ‘hands-on-keyboard activity,’ enabling malicious command execution, lateral movement, and credential harvesting across multiple hosts,” the report reads.
The foothold extended into the software’s backup and recovery system, turning a “recovery plan into a guaranteed method of infection,” and a “safety net into a liability.”
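The practical lesson of the two preceding paragraphs is that a restore is only as clean as the baseline it is compared against. The following is an added example, not code from the ReliaQuest report or from Esri: it hashes every deployed server extension and every extension inside a backup archive against a known-good manifest, so a backdoored extension is flagged whether it sits on the live server or in the “recovery plan.” The extension names, file contents, directory layout, and the `.soe` suffix are constructed for the demo and are not real ArcGIS artifacts.

```python
"""Integrity baseline for server extensions, live and in backups (added example)."""
import hashlib
import tarfile
import tempfile
from pathlib import Path

# Constructed sample data: a "known-good" build of two hypothetical extensions.
GOOD_EXTENSIONS = {
    "extensions/RouteFinder.soe": b"PK\x03\x04 legitimate RouteFinder build",
    "extensions/ParcelLookup.soe": b"PK\x03\x04 legitimate ParcelLookup build",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The baseline: hash each extension at deploy time and store the manifest where
# the application server itself cannot write to it.
GOOD_MANIFEST = {path: sha256_hex(data) for path, data in GOOD_EXTENSIONS.items()}


def compare(observed: dict[str, str], manifest: dict[str, str]) -> dict[str, list[str]]:
    """Diff observed {path: sha256} against the manifest."""
    modified = sorted(p for p, h in observed.items() if p in manifest and manifest[p] != h)
    unknown = sorted(p for p in observed if p not in manifest)
    missing = sorted(p for p in manifest if p not in observed)
    return {"modified": modified, "unknown": unknown, "missing": missing}


def hash_tree(root: Path, suffix: str = ".soe") -> dict[str, str]:
    """Hash every extension file under root, keyed by path relative to root."""
    return {
        p.relative_to(root).as_posix(): sha256_hex(p.read_bytes())
        for p in root.rglob(f"*{suffix}")
    }


def hash_backup(backup: Path, suffix: str = ".soe") -> dict[str, str]:
    """Hash extension files inside a .tar.gz backup without extracting to disk."""
    observed = {}
    with tarfile.open(backup, "r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith(suffix):
                observed[member.name] = sha256_hex(tar.extractfile(member).read())
    return observed


def build_demo(workdir: Path) -> tuple[Path, Path]:
    """Constructed scenario: one extension tampered in place, one dropped, then backed up."""
    root = workdir / "server"
    for rel, data in GOOD_EXTENSIONS.items():
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(data)
    # Attacker overwrites a legitimate extension with a backdoored build...
    (root / "extensions/RouteFinder.soe").write_bytes(b"PK\x03\x04 RouteFinder + web shell")
    # ...and drops an extra extension that was never in the manifest.
    (root / "extensions/Maint.soe").write_bytes(b"PK\x03\x04 not in manifest")
    # The nightly backup is taken after the tampering, so it preserves the backdoor.
    backup = workdir / "nightly.tar.gz"
    with tarfile.open(backup, "w:gz") as tar:
        tar.add(root / "extensions", arcname="extensions")
    return root, backup


def run_demo() -> dict[str, dict[str, list[str]]]:
    """Check both the live tree and the backup; both should report the same findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root, backup = build_demo(Path(tmp))
        return {
            "live": compare(hash_tree(root), GOOD_MANIFEST),
            "backup": compare(hash_backup(backup), GOOD_MANIFEST),
        }


if __name__ == "__main__":
    for where, findings in run_demo().items():
        print(where, findings)
```

The point of checking the archive directly is that a restore job never gets to deploy an extension that has not first been compared against the manifest; a backup that fails the check is evidence, not a recovery source.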
The technique is in no way limited to ArcGIS, researchers said, but rather a “wake-up call” and “warning about a dangerous gap in security assumptions.”
Increasingly, such attackers spend time carefully mapping networks, finding ways to acquire administrator privileges on systems, and carrying out malicious activity in ways that mimic legitimate user activity.
In the ArcGIS case, the hackers targeted two workstations belonging to IT personnel, which gave them access to critical authentication data and higher-privileged credentials.
ReliaQuest warned that this class of attacks requires a “critical shift in security thinking.”
Rather than asking whether a file is malicious, teams need to know how their applications and software should normally behave in order to detect abnormal behavior.
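One concrete form of that shift is process baselining: record which child processes the application server normally spawns, then alert on any child it has never spawned before, and on everything that descends from that child. The following is an added example, not code from the ReliaQuest report: a web shell inside a trusted server process produces no malicious file to scan, but the “hands-on-keyboard” activity it enables shows up as the server process launching a command interpreter. The application-server path, worker process names, hostnames, PIDs, and the event records are all constructed for the demo and are not ArcGIS’s real process layout or real logs.

```python
"""Behavioral baseline for an application server's child processes (added example)."""
from collections import defaultdict

# Hypothetical application-server image used as the watched parent (an assumption
# for the demo, not ArcGIS's real install layout).
APP_SERVER = r"C:\gis\runtime\jre\bin\java.exe"
CMD = r"C:\Windows\System32\cmd.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed process-creation events in an EDR/Sysmon-like shape (not real logs).
# Baseline window: a quiet week in which the server spawned only its own helpers.
BASELINE_EVENTS = [
    {"ts": "2025-01-06T02:00:01", "host": "gis-web-01", "pid": 4100, "ppid": 900,
     "parent": APP_SERVER, "image": r"C:\gis\bin\soc_worker.exe",
     "cmd": "soc_worker.exe --service parcels"},
    {"ts": "2025-01-06T02:00:02", "host": "gis-web-01", "pid": 4101, "ppid": 900,
     "parent": APP_SERVER, "image": r"C:\gis\bin\soc_worker.exe",
     "cmd": "soc_worker.exe --service routes"},
    {"ts": "2025-01-07T00:00:00", "host": "gis-web-01", "pid": 4230, "ppid": 900,
     "parent": APP_SERVER, "image": r"C:\gis\bin\log_rotate.exe",
     "cmd": "log_rotate.exe --daily"},
]

# Later window: routine activity, plus a web shell being driven by hand.
LATER_EVENTS = [
    {"ts": "2025-03-12T02:00:01", "host": "gis-web-01", "pid": 5001, "ppid": 900,
     "parent": APP_SERVER, "image": r"C:\gis\bin\soc_worker.exe",
     "cmd": "soc_worker.exe --service parcels"},
    {"ts": "2025-03-12T03:14:07", "host": "gis-web-01", "pid": 5002, "ppid": 900,
     "parent": APP_SERVER, "image": CMD, "cmd": "cmd.exe /c whoami /all"},
    {"ts": "2025-03-12T03:14:09", "host": "gis-web-01", "pid": 5003, "ppid": 5002,
     "parent": CMD, "image": POWERSHELL,
     "cmd": 'powershell.exe -nop -w hidden -c "Get-ADComputer -Filter *"'},
    {"ts": "2025-03-12T03:14:15", "host": "gis-web-01", "pid": 5004, "ppid": 5003,
     "parent": POWERSHELL, "image": r"C:\Windows\System32\net.exe",
     "cmd": 'net.exe group "Domain Admins" /domain'},
    {"ts": "2025-03-12T09:30:00", "host": "gis-web-01", "pid": 6120, "ppid": 2000,
     "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad.exe"},
]


def learn_baseline(events: list[dict]) -> dict[str, set[str]]:
    """Map each parent image (lower-cased) to the child images seen in the known-good window."""
    seen: dict[str, set[str]] = defaultdict(set)
    for e in events:
        seen[e["parent"].lower()].add(e["image"].lower())
    return seen


def detect(events: list[dict], baseline: dict[str, set[str]], watched: set[str]) -> list[dict]:
    """Flag children of watched parents not in the baseline, and all their descendants.

    Descendants are tracked by (host, pid) so a cmd.exe -> powershell.exe -> net.exe
    chain is reported even though cmd.exe itself is not a watched parent.
    """
    watched_lc = {w.lower() for w in watched}
    suspicious: set[tuple[str, int]] = set()
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        parent, image = e["parent"].lower(), e["image"].lower()
        reason = None
        if parent in watched_lc and image not in baseline.get(parent, set()):
            reason = "app server spawned a child never seen in baseline"
        elif (e["host"], e["ppid"]) in suspicious:
            reason = "descendant of an unexpected app-server child"
        if reason:
            suspicious.add((e["host"], e["pid"]))
            alerts.append({"ts": e["ts"], "host": e["host"], "parent": e["parent"],
                           "image": e["image"], "cmd": e["cmd"], "reason": reason})
    return alerts


def run_demo() -> list[dict]:
    return detect(LATER_EVENTS, learn_baseline(BASELINE_EVENTS), {APP_SERVER})


if __name__ == "__main__":
    for a in run_demo():
        print(a["ts"], a["image"], "|", a["cmd"], "|", a["reason"])
```

The rule asks nothing about whether `cmd.exe` or `powershell.exe` is “malicious”; both are signed system binaries. It only asks whether this server has ever launched them before, which is the question the report says teams should be asking.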
The long-term access, lateral movement between systems, credential harvesting, deployment of web shells, and use of VPN software to build the hackers’ own infrastructure were the indicators that pointed to the Flax Typhoon campaign, according to researchers.
“Active since at least 2021, Flax Typhoon is known for long periods of dormancy, which it uses to plan and prepare before conducting precise, high-impact attacks,” the report reads.
“The group consistently focuses on critical infrastructure, and it’s highly likely that its re-emergence is not a random event, making this attribution significant for defenders.”
The compromised organization had to rebuild its entire ArcGIS server stack to prevent reinfection, according to the report.
Researchers estimated a 55 percent to 70 percent likelihood that Flax Typhoon is already doing something similar to its next victim.


