At a time when experts worldwide are warning about the increase in state-sponsored cybercrime, a recent collaboration between Paraguay and the United States uncovered and thwarted a serious Chinese-state threat.
A cybersecurity assessment of Paraguayan government networks, conducted with support from U.S. Southern Command (SOUTHCOM) and designed to strengthen the security of the South American nation’s critical assets, found that the cyber espionage group Flax Typhoon, linked to the People’s Republic of China (PRC) government, had infiltrated Paraguayan government systems, the Ministry of Information and Communication Technologies (MITIC) and the U.S. Embassy in Paraguay said in a joint November 26 statement.
The disclosure highlights a growing and alarming trend and the risks that the main culprits, China, Russia, Iran, and North Korea, pose to national security and public safety, according to recent reports from cybersecurity firms such as Microsoft, IBM, and Fortinet.
In a November 27 interview with Paraguayan news platform Radio Ñanduti, MITIC Minister Gustavo Villate described the Flax Typhoon cyberattack as a “silent vulnerability” whose objective was to capture sensitive information, mainly strategic, diplomatic, and governmental communications. “These types of attacks not only seek to damage, but also to access confidential data that compromise the country’s operability and international relations,” Villate said.
Cybersecurity partnership
In late 2023, Paraguay and the United States committed to strengthening cybersecurity and digital cooperation. “Building on their close ties and partnership, the two delegations shared their concern over the threat posed by state and non-state actors in cyberspace. The two sides agreed to further strengthen cooperation to prevent, disrupt, and respond to threats,” the joint declaration indicated.
In June 2024, Nathaniel C. Fick, U.S. Cyberspace and Digital Policy ambassador-at-large, announced the allocation of $3.1 million to strengthen the cyber capabilities of the Paraguayan Armed Forces, a vital component in protecting strategic infrastructure and national defense.
The joint cybersecurity review of Paraguayan government networks that uncovered the infiltration of China-backed hacker group Flax Typhoon was carried out as part of a series of initiatives in the framework of digital cooperation between Paraguay and the United States. The joint work highlighted the importance of cooperation among trustworthy and reliable partners in strengthening critical infrastructure.
Minister Villate emphasized that the threat was identified thanks to the work of MITIC and SOUTHCOM, which allowed it to be effectively neutralized. “Not only did we solve the problem, but we also managed to improve our technical and strategic capabilities in cybersecurity, leaving our digital network more protected than ever,” Villate said.
“These agreements are taking place in an environment marked by China’s increasing reach in the digital sphere in Latin America, where it deploys strategies through covert cyber armies,” Victor Ruiz, founder of the SILIKN cybersecurity center in Mexico, told Diálogo on November 30. “Advanced Persistent Threat [APT] groups blur the boundaries between state and legal activities.”
One example of these strategies is the intrusions of the Typhoon groups, which operate with a high degree of sophistication, Ruiz added. “When detected, Beijing denies any links, creating uncertainty, making direct attribution difficult, and allowing China to maintain its influence in the shadows, consolidating it as a key player in global espionage,” he said.
APT groups such as Flax Typhoon, Salt Typhoon, Volt Typhoon, and Velvet Ant, sponsored by the PRC government, operate with unique strategies, all aligned with China’s broader geopolitical objectives, cybersecurity company Eclypsium indicated in a recent report. These APT actions include attacks on critical infrastructure and cyber espionage.
Global threat
Paraguay, Taiwan’s last ally in South America, became a target of the PRC’s cyber operations.
According to Microsoft, Flax Typhoon, in operation since 2021, has been among the most active APT groups, one that more specifically targets Taiwan and its allies. The group specializes in long-term espionage, embedding itself within organizations to quietly extract valuable information.
In early September 2024, the FBI announced that it had disrupted a vast PRC state-sponsored hacking operation that involved the installation of malicious software on hundreds of thousands of devices, including cameras, video recorders, and office routers in the United States and abroad, which were used to create a massive network of hijacked computers, known as a botnet, to carry out cybercrimes. The group behind the botnet was none other than Flax Typhoon.
The perpetrators of the attack, FBI Director Chris Wray said during a cyber summit in Washington, D.C., “[are] known as Flax Typhoon, they represent themselves as an information security company, the Integrity Technology Group, but their chairman has publicly admitted that for years his company has collected intelligence and performed reconnaissance for Chinese government security agencies.”
“The Chinese government, through its ministries and state-owned companies such as Huawei and ZTE, collects information on vulnerabilities in globally installed equipment,” Ruiz told Diálogo. “This information is classified and shared with APT groups such as Typhoon, strengthening their espionage and cyberwarfare capabilities.”
Faced with cybersecurity challenges, Paraguay has committed to work closely with international partners such as the United States to protect its digital assets. The U.S.-Paraguay digital alliance includes training Paraguayan professionals in good connectivity practices, MITIC said, as well as the donation of equipment and technological resources, among others. In September, the Organization of American States also trained 50 cybersecurity agents from Paraguayan government agencies in managing and effectively responding to cyber incidents.
“Building strategic alliances with countries that share our vision of a secure and trusted digital environment is essential. This experience has provided us with tools and knowledge that will strengthen our defenses against future attacks,” Villate told Radio Ñanduti. “Digital security is not a destination, but a constantly evolving path, and Paraguay is committed to walk it with determination.”



