Salt Typhoon

Salt Typhoon
Formation	2020
Type	Advanced persistent threat
Purpose	Cyberwarfare
Location	China;
Affiliations	Chinese government

Salt Typhoon (also known as GhostEmperor^[1], FamousSparrow^[1], or UNC2286^[1]), is an advanced persistent threat actor operated by the Chinese government which conducts cyberespionage campaigns against targets in North America and Southeast Asia. Active since 2020, the group engages in widespread data theft, particularly capturing network traffic. Former NSA analyst Terry Dunlap has called the group "another component of China's 100-Year Strategy."^[2] According to former CISA director Chris Krebs, the group may be affiliated with China's Ministry of State Security.^[3]

Name

GhostEmperor is the name given by Kaspersky Lab.^[4]

FamousSparrow is the name given by ESET.^[4]

Salt Typhoon is the name given by Microsoft.^[4]

UNC2286 is the name given by Mandiant, now part of Google Cloud.^[5]

Methodology

Salt Typhoon reportedly employs a Windows kernel-mode rootkit, Demodex (name given by Kaspersky Lab^[6]) to gain remote control^[7] over their targeted servers.^[1] They demonstrate a high level of sophistication and use anti-forensic and anti-analysis techniques to evade detection.^[1]

Targets

In addition to US internet service providers, the Slovak cybersecurity firm ESET says Salt Typhoon has previously broken into hotels and government agencies worldwide.^[4]

Notable campaigns

September 2024 breach of US internet service provider networks

In September 2024, The Wall Street Journal reported that "in recent months" Salt Typhoon had hacked into US broadband networks, particularly core network components, including routers manufactured by Cisco which route large portions of the internet.^[3]

October 2024 breach of US ISP wiretap systems

"Hackers apparently exfiltrated some data from Verizon networks by reconfiguring Cisco routers"^[8] - The Washington Post

In October 2024, Salt Typhoon was discovered to have exploited backdoors in US internet service provider networks used by law enforcement agencies to facilitate court-authorized wiretapping.^[9] Affected networks included those of AT&T, Verizon and Lumen Technologies.^[9] The Chinese Embassy in Washington, D.C. denied the allegations.^[9]

"There are indications that China’s foreign spy service, the Ministry of State Security, which has long targeted the United States for intelligence, is involved in the breach. Officials internally are referring to it as having been carried out by an arm of the MSS known as Salt Typhoon, a moniker given to the group by Microsoft, which monitors Chinese hacking activity."^[8] - The Washington Post

Reception

"... implies that the attack wasn't against the broadband providers directly, but against one of the intermediary companies that sit between the government CALEA requests and the broadband providers....And here is one more example of a backdoor access mechanism being targeted by the “wrong” eavesdroppers."^[10] - Bruce Schneier

References

^ ^a ^b ^c ^d ^e "Malpedia: GhostEmperor". Fraunhofer Society. Retrieved 2024-10-08.
^ Lyons, Jessica (2024-09-25). "China's Salt Typhoon cyber spies are deep inside US ISPs". The Register.
^ ^a ^b Krouse, Sarah; McMillan, Robert; Volz, Dustin (2024-09-26). "China-Linked Hackers Breach U.S. Internet Providers in New 'Salt Typhoon' Cyberattack". The Wall Street Journal. Archived from the original on 7 Oct 2024.
^ ^a ^b ^c ^d Kovacs, Eduard (2024-10-07). "China's Salt Typhoon Hacked AT&T, Verizon: Report". Security Week.
^ "AT&T, Verizon reportedly hacked to target US govt wiretapping platform". BleepingComputer. Retrieved 8 October 2024.
^ "GhostEmperor: From ProxyLogon to kernel mode". securelist.com. 30 September 2021. Retrieved 8 October 2024.
^ "GhostEmperor returns with updated Demodex rootkit" (PDF). www.imda.gov.sg - Infocomm Media Development Authority. Retrieved 8 October 2024.
^ ^a ^b Nakashima, Ellen (6 October 2024). "China hacked major U.S. telecom firms in apparent counterspy operation". The Washington Post. Retrieved 8 October 2024.
^ ^a ^b ^c Krouse, Sarah; Volz, Dustin; Viswanatha, Aruna; McMillan, Robert (2024-10-05). "U.S. Wiretap Systems Targeted in China-Linked Hack". The Wall Street Journal. Archived from the original on 5 Oct 2024.
^ Schneier, Bruce. "China Possibly Hacking US "Lawful Access" Backdoor". www.schneier.com - Schneier on Security. Retrieved 8 October 2024.

[:0-1] "Malpedia: GhostEmperor". Fraunhofer Society. Retrieved 2024-10-08.

[2] Lyons, Jessica (2024-09-25). "China's Salt Typhoon cyber spies are deep inside US ISPs". The Register.

[wsj/2024-09-26-3] Krouse, Sarah; McMillan, Robert; Volz, Dustin (2024-09-26). "China-Linked Hackers Breach U.S. Internet Providers in New 'Salt Typhoon' Cyberattack". The Wall Street Journal. Archived from the original on 7 Oct 2024.

[sw/ST-att-verizon-4] Kovacs, Eduard (2024-10-07). "China's Salt Typhoon Hacked AT&T, Verizon: Report". Security Week.

[bC/hWTp-5] "AT&T, Verizon reportedly hacked to target US govt wiretapping platform". BleepingComputer. Retrieved 8 October 2024.

[sL/gE-L-K-6] "GhostEmperor: From ProxyLogon to kernel mode". securelist.com. 30 September 2021. Retrieved 8 October 2024.

[imda.sg/updated-demodex-7] "GhostEmperor returns with updated Demodex rootkit" (PDF). www.imda.gov.sg - Infocomm Media Development Authority. Retrieved 8 October 2024.

[wapo/2024/10/06/salt-typhoon-8] Nakashima, Ellen (6 October 2024). "China hacked major U.S. telecom firms in apparent counterspy operation". The Washington Post. Retrieved 8 October 2024.

[:1-9] Krouse, Sarah; Volz, Dustin; Viswanatha, Aruna; McMillan, Robert (2024-10-05). "U.S. Wiretap Systems Targeted in China-Linked Hack". The Wall Street Journal. Archived from the original on 5 Oct 2024.

[10] Schneier, Bruce. "China Possibly Hacking US "Lawful Access" Backdoor". www.schneier.com - Schneier on Security. Retrieved 8 October 2024.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]