The cyberespionage operation, tagged with the moniker Flax Typhoon, hacks into organizations by exploiting known vulnerabilities in public-facing servers and then using legitimate tools built into the Windows operating system and otherwise benign software to quietly remain in these networks.

“Because this activity relies on valid accounts and living-off-the-land binaries (LOLBins), detecting and mitigating this attack could be challenging. Compromised accounts must be closed or changed. Compromised systems must be isolated and investigated,” Microsoft warned in a research note documenting the Flax Typhoon activities.