Salt Typhoon: A Deep Dive into a Persistent Cyber Espionage Threat
Salt Typhoon, a Chinese state-sponsored APT, remains a major cyber espionage threat, targeting telecoms, governments, and technology sectors. Recent activity shows exploitation of Cisco IOS XE devices, impacting organisations globally. Defend with robust cybersecurity, prioritise patching, and share threat intelligence to counter this persistent adversary.
Salt Typhoon is a Chinese state-sponsored Advanced Persistent Threat (APT) group known for its sophisticated cyber espionage campaigns, primarily targeting the telecommunications, government, and technology sectors. The group’s operations extend beyond intelligence gathering, aiming to exert strategic pressure on adversaries by targeting critical infrastructure and key industries.
Aliases and Affiliations
Salt Typhoon operates under various aliases, including:
- Earth Estries.
- GhostEmperor.
- FamousSparrow.
- UNC2286.
- RedMike.
The group is believed to be affiliated with China’s Ministry of State Security (MSS). Connections to other Chinese APT groups, such as DRBControl, SparklingGoblin, and the Winnti Group, have also been observed, indicating shared methodologies and a coordinated state-backed effort.
Timeline and Key Campaigns
- 2019: Believed to be active since at least 2019, with some suggesting activity as far back as 2017.
- March 2021: Exploited ProxyLogon vulnerabilities in Microsoft Exchange servers.
- Late 2023: Resurfaced with network compromises involving the Demodex rootkit.
- September 2024: Breached US Internet Service Providers (ISPs).
- November 2024: Targeted T-Mobile, exfiltrating customer call records and metadata.
- December 2024 – January 2025: Exploited Cisco IOS XE network devices, targeting telecommunications providers and universities globally.
Target Sectors and Geographic Focus
Salt Typhoon’s targets span various sectors:
- Telecommunications: Wireline and wireless telephone providers, internet service companies.
- Government: Government entities, including those involved in national security and law enforcement.
- Technology: Companies in the information and communication technology sector.
- Hotels: Targeting hotels to monitor the locations of key individuals.
- Various Others: Militaries, solar energy companies, financial institutions, NGOs, international organizations, engineering firms, and law practices.
The group’s geographic focus is broad, encompassing:
- North America: Primarily the United States.
- Southeast Asia: Focused efforts on hotels and telecommunications companies.
- Other Regions: Including Brazil, Burkina Faso, South Africa, Canada, Israel, France, Guatemala, Lithuania, Saudi Arabia, Taiwan, Thailand, and the United Kingdom.
Tactics, Techniques, and Procedures (TTPs)
Salt Typhoon employs a range of sophisticated TTPs to infiltrate and maintain persistence within target environments:
- Initial Access:
  - Exploiting public-facing applications.
  - Spearphishing attachments.
  - Exploitation of known vulnerabilities.
- Execution:
  - Using command and scripting interpreters like PowerShell.
  - Executing malicious files, such as side-loaded DLLs.
- Persistence:
  - Modifying the registry.
  - Creating or modifying system processes.
  - Kernel-mode malware.
- Privilege Escalation:
  - Exploiting vulnerabilities.
  - Scheduled tasks/jobs.
- Defense Evasion:
  - Obfuscated files or information.
  - Masquerading.
  - Indicator removal.
- Lateral Movement:
  - Exploitation of remote services.
  - Leveraging valid credentials.
- Credential Access:
  - Dumping credentials from password stores and web browsers.
  - Extracting credentials from files.
- Collection:
  - Gathering data from local systems.
  - Monitoring clipboard data.
- Command and Control:
  - Using remote access software.
  - Employing internal proxy servers.
- Impact:
  - Data encrypted for impact (primarily for espionage, not extortion).
Toolset and Malware
Salt Typhoon utilises a diverse toolkit comprising legitimate, custom-made, and borrowed tools:
- Custom Backdoors: SparrowDoor and Demodex.
- Rootkits: Demodex, a Windows kernel-mode rootkit.
- Loaders: SparrowDoor loader.
- Remote Access Trojans (RATs): Masol RAT and SnappyBee (aka Deed RAT).
- Exploitation Tools: Mimikat_ssp (a Mimikatz variant), Get-PassHashes.ps1, GetPwd, Token.exe.
- Living off the Land Binaries (LOLBins): Utilising legitimate system tools to perform malicious activities.
- GhostSpider: A new backdoor.
- Derusbi: A DLL-based backdoor.
- Motnug: A shellcode loader.
- NinjaCopy: Tool to bypass security mechanisms and extract sensitive system files.
The group’s malware often incorporates anti-forensic and anti-analysis techniques to evade detection.
Vulnerabilities Exploited
Salt Typhoon has been known to exploit the following vulnerabilities:
- CVE-2023-46805, CVE-2024-21887 (Ivanti Connect Secure VPN).
- CVE-2023-48788 (Fortinet FortiClient EMS).
- CVE-2022-3236 (Sophos Firewall).
- CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 (Microsoft Exchange – ProxyLogon).
- CVE-2023-20198 and CVE-2023-20273 (Cisco IOS XE Software).
Countermeasures and Mitigation Strategies
Defending against Salt Typhoon requires a comprehensive, multi-layered approach:
- Robust Cybersecurity Frameworks: Implementing zero-trust architecture, continuous monitoring, and regular vulnerability assessments.
- Patch Management: Applying security patches promptly, particularly for known vulnerabilities in Cisco devices and other network infrastructure.
- Network Segmentation: Isolating critical systems and implementing strict access control lists (ACLs) to regulate network traffic.
- Threat Intelligence: Sharing threat intelligence and staying informed about Salt Typhoon’s latest TTPs.
- Incident Response: Developing and testing incident response plans to effectively contain and eradicate intrusions.
- Out-of-Band Management: Utilising a physically separate management network to prevent unauthorised access to operational networks.
- Secure by Design Principles: Encouraging software manufacturers to embed security throughout the development lifecycle to strengthen the overall security posture of their products.
- Encrypted Communications: Advising individuals concerned about privacy to use encrypted messaging apps and voice communications.
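As an added defender-side example (not from the original post), the following Python audits an IOS-style running configuration for the management-plane weaknesses the list above addresses: a web UI reachable without an access-class, and vty lines open to any source or still accepting telnet. The two sample configurations and the MGMT-OOB management subnet are constructed; the check only inspects configuration text and does not verify the device's software version.

```python
# Constructed sample: weak management plane (web UI exposed, vty open
# to any source, telnet still accepted), as the mitigation list warns.
WEAK_CONFIG = """\
ip http server
ip http secure-server
line vty 0 4
 transport input telnet ssh
"""

# Constructed sample: same device hardened. Web UI off, SSH only, vty
# reachable only from a hypothetical out-of-band management subnet.
HARDENED_CONFIG = """\
no ip http server
no ip http secure-server
ip access-list standard MGMT-OOB
 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class MGMT-OOB in
 transport input ssh
"""

def parse_blocks(config):
    """Split IOS-style text into (command, [indented sub-commands]) pairs."""
    blocks, current = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # skip blank lines and '!' separators
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())  # child of the open block
        else:
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks

def audit_ios_config(config):
    """Return management-plane findings; an empty list means no issues."""
    blocks = parse_blocks(config)
    commands = {cmd for cmd, _ in blocks}
    findings = []
    web_ui_on = {"ip http server", "ip http secure-server"} & commands
    restricted = any(c.startswith("ip http access-class") for c in commands)
    if web_ui_on and not restricted:
        findings.append("web UI enabled without an ip http access-class")
    for cmd, subs in blocks:
        if cmd.startswith("line vty"):
            if not any(s.startswith("access-class") for s in subs):
                findings.append(f"{cmd}: no access-class limiting source addresses")
            if "transport input ssh" not in subs:
                findings.append(f"{cmd}: transport input not restricted to ssh")
    return findings
```

Run `audit_ios_config` over each device's exported running-config; the weak sample yields three findings and the hardened sample none.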
Attribution and Geopolitical Context
Salt Typhoon’s activities align with China’s broader geopolitical objectives, including intelligence collection, monitoring individuals, and potential disruption of adversarial capabilities. The group’s targeting of telecommunications companies enables them to intercept communications, monitor activities, and enhance their intelligence-gathering capabilities.
Conclusion
Salt Typhoon represents a significant and persistent threat to global telecommunications infrastructure and other critical sectors. The group’s advanced TTPs, diverse toolkit, and state-sponsored backing make it a formidable adversary. Organisations must adopt a proactive and multi-layered approach to security, prioritising vulnerability management, network segmentation, and threat intelligence sharing, to effectively defend against this evolving threat. Continuous vigilance and collaboration between public and private sectors are essential to mitigating the risks posed by Salt Typhoon and similar APT groups.