Salt Typhoon is a Chinese state-sponsored Advanced Persistent Threat (APT) group known for its sophisticated cyber espionage campaigns, primarily targeting the telecommunications, government, and technology sectors. The group’s operations extend beyond intelligence gathering, aiming to exert strategic pressure on adversaries by targeting critical infrastructure and key industries.

Aliases and Affiliations

Salt Typhoon operates under various aliases, including:

• Earth Estries.
• GhostEmperor.
• FamousSparrow.
• UNC2286.
• RedMike.

The group is believed to be affiliated with China’s Ministry of State Security (MSS). Connections to other Chinese APT groups, such as DRBControl, SparklingGoblin, and the Winnti Group, have also been observed, indicating shared methodologies and a coordinated state-backed effort.

Timeline and Key Campaigns

• 2019: Believed to be active since at least 2019, with some suggesting activity as far back as 2017.
• March 2021: Exploited ProxyLogon vulnerabilities in Microsoft Exchange servers.
• Late 2023: Resurfaced with network compromises involving the Demodex rootkit.
• September 2024: Breached US Internet Service Providers (ISPs).
• November 2024: Targeted T-Mobile, exfiltrating customer call records and metadata.
• December 2024 – January 2025: Exploited Cisco IOS XE network devices, targeting telecommunications providers and universities globally.

Target Sectors and Geographic Focus

Salt Typhoon’s targets span various sectors:

• Telecommunications: Wireline and wireless telephone providers, internet service companies.
• Government: Government entities, including those involved in national security and law enforcement.
• Technology: Companies in the information and communication technology sector.
• Hotels: Targeting hotels to monitor the locations of key individuals.
• Various Others: Militaries, solar energy companies, financial institutions, NGOs, international organizations, engineering firms, and law practices.

The group’s geographic focus is broad, encompassing:

• North America: Primarily the United States.
• Southeast Asia: Focused efforts on hotels and telecommunications companies.
• Other Regions: Including Brazil, Burkina Faso, South Africa, Canada, Israel, France, Guatemala, Lithuania, Saudi Arabia, Taiwan, Thailand, and the United Kingdom.

Tactics, Techniques, and Procedures (TTPs)

Salt Typhoon employs a range of sophisticated TTPs to infiltrate and maintain persistence within target environments:

• Initial Access:
  • Exploiting public-facing applications.
  • Spearphishing attachments.
  • Exploitation of known vulnerabilities.
• Execution:
  • Using command and scripting interpreters like PowerShell.
  • Executing malicious files, such as side-loaded DLLs.
• Persistence:
  • Modifying the registry.
  • Creating or modifying system processes.
  • Kernel-mode malware.
• Privilege Escalation:
  • Exploiting vulnerabilities.
  • Scheduled tasks/jobs.
• Defense Evasion:
  • Obfuscated files or information.
  • Masquerading.
  • Indicator removal.
• Lateral Movement:
  • Exploitation of remote services.
  • Leveraging valid credentials.
• Credential Access:
  • Dumping credentials from password stores and web browsers.
  • Extracting credentials from files.
• Collection:
  • Gathering data from local systems.
  • Monitoring clipboard data.
• Command and Control:
  • Using remote access software.
  • Employing internal proxy servers.
• Impact:
  • Data encrypted for impact (primarily for espionage, not extortion).

Toolset and Malware

Salt Typhoon utilises a diverse toolkit comprising legitimate, custom-made, and borrowed tools:

• Custom Backdoors: SparrowDoor and Demodex.
• Rootkits: Demodex, a Windows kernel-mode rootkit.
• Loaders: SparrowDoor loader.
• Remote Access Trojans (RATs): Masol RAT and SnappyBee (aka Deed RAT).
• Exploitation Tools: Mimikat_ssp (a Mimikatz variant), Get-PassHashes.ps1, GetPwd, Token.exe.
• Living off the Land Binaries (LOLBins): Utilising legitimate system tools to perform malicious activities.
• GhostSpider New backdoor malware.
• Derusbi: A DLL-based backdoor.
• Motnug: A shellcode loader.
• NinjaCopy: Tool to bypass security mechanisms and extract sensitive system files.

The group’s malware often incorporates anti-forensic and anti-analysis techniques to evade detection.

Vulnerabilities Exploited

Salt Typhoon has been known to exploit the following vulnerabilities:

• CVE-2023-46805, CVE-2024-21887 (Ivanti Connect Secure VPN).
• CVE-2023-48788 (Fortinet FortiClient EMS).
• CVE-2022-3236 (Sophos Firewall).
• CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 (Microsoft Exchange – ProxyLogon).
• CVE-2023-20198 and CVE-2023-20273 (Cisco IOS XE Software).

Countermeasures and Mitigation Strategies

Defending against Salt Typhoon requires a comprehensive, multi-layered approach:

• Robust Cybersecurity Frameworks: Implementing zero-trust architecture, continuous monitoring, and regular vulnerability assessments.
• Patch Management: Applying security patches promptly, particularly for known vulnerabilities in Cisco devices and other network infrastructure.
• Network Segmentation: Isolating critical systems and implementing strict access control lists (ACLs) to regulate network traffic.
• Threat Intelligence: Sharing threat intelligence and staying informed about Salt Typhoon’s latest TTPs.
• Incident Response: Developing and testing incident response plans to effectively contain and eradicate intrusions.
• Out-of-Band Management: Utilising a physically separate management network to prevent unauthorised access to operational networks.
• Secure by Design Principles: Encourage software manufacturers to embed security throughout the development lifecycle to strengthen the overall security posture of their products.
• Encrypted Communications: Advising individuals concerned about privacy to use encrypted messaging apps and voice communications.

Attribution and Geopolitical Context

Salt Typhoon’s activities align with China’s broader geopolitical objectives, including intelligence collection, monitoring individuals, and potential disruption of adversarial capabilities. The group’s targeting of telecommunications companies enables them to intercept communications, monitor activities, and enhance their intelligence-gathering capabilities.

Conclusion

Salt Typhoon represents a significant and persistent threat to global telecommunications infrastructure and other critical sectors. The group’s advanced TTPs, diverse toolkit, and state-sponsored backing make it a formidable adversary. Organisations must adopt a proactive and multi-layered approach to security, prioritising vulnerability management, network segmentation, and threat intelligence sharing, to effectively defend against this evolving threat. Continuous vigilance and collaboration between public and private sectors are essential to mitigating the risks posed by Salt Typhoon and similar APT groups.

1       Background

Black Basta is a Ransomware-as-a-Service (RaaS) group that first appeared in April 2022 and quickly gained notoriety for targeting various sectors, including construction, healthcare, manufacturing, finance, retail, and entertainment. Black Basta has reportedly compromised over 500 organisations worldwide. The group meticulously chooses its victims to maximise each attack’s impact.

2       Black Basta’s Tactics and Techniques

Black Basta employs a multi-stage attack that leverages a combination of sophisticated techniques and readily available tools to infiltrate, compromise, and extort its targets. The group is known for its use of double extortion, where they not only encrypt a victim’s data but also threaten to release sensitive information publicly if the ransom is not paid.

Here’s a breakdown of the typical attack chain:

2.1      Initial Access

Black Basta utilises various methods to gain a foothold in the target network:

1. Social Engineering: Attackers commonly use phishing emails, posing as IT helpdesk personnel, to trick employees into installing remote access tools like AnyDesk or Quick Assist.
2. Exploiting Vulnerabilities: Black Basta exploits known vulnerabilities like CVE-2024-1709 (ConnectWise) and others to gain initial access or escalate privileges within the network.
3. Insider Information and Purchased Access: The group actively seeks insiders within target organisations or purchases network access from initial access brokers (IABs) on underground forums like Exploit and XSS12.

2.2      Lateral Movement and Credential Harvesting

Once inside, the attackers move laterally to identify and compromise critical systems:

1. Malware Deployment: They deploy tools like QakBot, SystemBC, and Cobalt Strike beacons for credential theft, data exfiltration, and command and control (C2) operations.
2. Credential Dumping: Tools like Mimikatz allow attackers to extract passwords from memory.
3. Exploiting Native Windows Tools: Attackers leverage tools like PowerShell, PsExec, and WMI for executing commands and moving laterally within the compromised network.

2.3      Data Exfiltration and Encryption

Before deploying the ransomware, Black Basta prepares the target environment:

1. Disabling Security Measures: Attackers use PowerShell scripts to disable antivirus software and endpoint detection and response (EDR) systems.
2. Deleting Shadow Copies: They delete shadow copies using the vssadmin.exe tool to prevent system recovery.
3. Exfiltrating Sensitive Data: Tools like RClone and WinSCP are used to transfer stolen data to attacker-controlled servers.

2.4      Encryption and Ransom Demand

The final stage involves deploying the ransomware and demanding payment:

1. Ransomware Deployment: Black Basta’s ransomware typically uses the ChaCha20 encryption algorithm to encrypt files. Encrypted files are appended with a “.basta” extension.
2. Ransom Note: They leave a ransom note, usually named “readme.txt,” which directs victims to a .onion site for ransom negotiations. Black Basta often sets a deadline of 10-12 days for payment before publishing the stolen data on their data leak site, Basta News.

3       Black Basta’s Evolving Sophistication

Black Basta has shown a continuous evolution in its tactics and techniques:

1. Email Bombing and Vishing: The group has incorporated email DDoS (bombing) and vishing (voice phishing) tactics to overwhelm targets with spam emails and trick them into installing remote access tools.
2. Microsoft Teams Exploitation: They leverage Microsoft Teams by creating accounts posing as IT support to contact victims and deceive them into granting access.
3. Targeting Linux Systems: Black Basta has expanded its operations to target Linux-based VMware ESXi virtual machines.

4       Possible Links to Other Threat Actors

There is speculation that Black Basta may have connections to other prominent ransomware groups:

1. Conti: Similarities in tactics, techniques, and procedures (TTPs) suggest a possible link to the now-defunct Conti group.
2. FIN7: The use of a custom EDR evasion tool and overlapping C2 infrastructure points to a potential connection with the FIN7 (Carbanak) group3638.
3. Impact and Mitigation

5       Potential Business Risks

Black Basta’s attacks have had significant consequences for organisations across various areas, such as:

1. Financial Losses: Ransom payments, data recovery costs, and potential legal repercussions contribute to significant financial burdens.
2. Reputational Damage: Data leaks and public exposure of sensitive information can damage an organisation’s reputation and erode customer trust.
3. Operational Disruption: Attacks can disrupt critical business operations, leading to downtime and productivity loss.

6       Risk Mitigation

Organisations can mitigate the risk of Black Basta attacks by:

1. Implementing strong cybersecurity measures: This includes multi-factor authentication, robust firewalls, regular software updates and patching, and effective antivirus and EDR solutions.
2. Employee Training: Educating employees about phishing techniques, social engineering tactics, and best practices for handling suspicious emails is crucial.
3. Robust Backup and Disaster Recovery Plans: Regularly backing up critical data and having a well-defined disaster recovery plan in place can help minimise the impact of an attack.
4. Secure Remote Access: Ensuring that remote access protocols are secure and properly configured is essential to prevent unauthorised access.
5. Proactive Threat Hunting: Using tools like Qualys EDR and implementing threat hunting queries can help detect suspicious activities related to Black Basta and other ransomware threats.

7       Indicators of Compromise  

There is a wide array of indicators that can help identify a potential or ongoing Black Basta ransomware attack. These indicators encompass network activities, file modifications, and suspicious user behaviours.

7.1      Network-Based Indicators

1. Suspicious Domain Naming: Black Basta actors often use Microsoft Teams for social engineering. They create fake accounts with deceptive names like “Help Desk” using fraudulent Entra ID tenants1. The domain names often follow the *.onmicrosoft.com convention, with examples like cybersecurityadmin.onmicrosoft.com and supportserviceadmin.onmicrosoft.com.
2. Command and Control (C2) Communication: Monitor network traffic for communication with known Black Basta C2 domains, many of which utilize Cobalt Strike. Examples include trailshop[.]net, realbumblebee[.]net, and numerous others.
3. Specific IP Addresses: Although threat actors frequently change IP addresses, some recent ones associated with Black Basta activity include 170.130.165[.]73 (likely Cobalt Strike infrastructure), 66.42.118[.]54 (exfiltration server), and others.
4. Tor Network Usage: Black Basta uses Tor hidden services for ransom negotiations and data leak sites. Increased Tor traffic might be an indicator of compromise.

7.2      File-Based Indicators

1. File Extension Modification: Black Basta ransomware typically appends the “.basta” extension to encrypted files. However, they may also use random extensions.
2. Ransom Note Presence: Look for ransom notes, often named “readme.txt,” on the victim’s desktop. The note provides a unique code and instructions to contact the ransomware group via a .onion URL.
3. Unique Encryption Scheme: Black Basta utilizes a specific encryption scheme, prepending each file with a 133-byte ephemeral NIST P-521 public key, a 32-byte key XChaCha20, a 24-byte nonce, and a 20-byte HMAC, followed by null byte padding and a 12-byte campaign identifier.
4. YARA Rules: The sources provide YARA rules that can be used to identify Black Basta ransomware files based on specific strings and file characteristics.

7.3      Behavioural Indicators

1. Sudden Increase in Spam Emails: Black Basta may initiate an attack with email bombing to flood an employee’s inbox with spam, followed by Microsoft Teams contact under the guise of IT help desk support.
2. Requests for Remote Access: Be wary of unsolicited requests for remote access, especially from individuals claiming to be IT support staff.
3. Unexpected Software Installations: Observe for unusual software installations, particularly those disguised as anti-spam programs like AntispamConnectUS.exe.
4. Disabling of Security Software: Black Basta often attempts to disable antivirus and EDR solutions before encrypting files.
5. Deletion of Shadow Copies: Attackers use the vssadmin.exe tool to delete shadow copies to prevent system recovery.

8       Threat Hunting and Mitigation

There are several tools and techniques for hunting for Black Basta activity and mitigating its impact:

1. Qualys EDR Hunting Queries: The sources provide hunting queries specifically designed to detect suspicious activities associated with Black Basta ransomware within the Qualys EDR environment.
2. MITRE ATT&CK Mapping: The sources provide comprehensive mapping of Black Basta’s tactics and techniques to the MITRE ATT&CK framework, allowing security teams to understand the adversary’s behaviour and develop countermeasures.
3. Proactive Security Measures: Implement robust security practices, including strong passwords, multi-factor authentication, regular software updates, and effective security software.
4. Employee Awareness Training: Educate employees on phishing techniques, social engineering tactics, and best practices for secure online behaviour.

9       Conclusion

Black Basta poses a serious and evolving threat to organisations worldwide. Their use of sophisticated tactics, combined with their ability to adapt and innovate, makes them a formidable adversary. By understanding Black Basta’s methods and implementing robust security measures, organisations can reduce their risk of falling victim to their attacks.