Salt Typhoon

Salt Typhoon
Formation: 2020
Type: Advanced persistent threat
Purpose: Cyber espionage, counterintelligence, data exfiltration
Affiliations: Ministry of State Security

Salt Typhoon is an advanced persistent threat actor operated by China's Ministry of State Security (MSS) that has conducted high-profile cyber espionage campaigns, particularly against the United States. The group's operations place an emphasis on counterintelligence targets in the United States and on the theft of key corporate intellectual property. The group has infiltrated targets in dozens of other countries on nearly every continent. [1] Former NSA analyst Terry Dunlap has described the group as a "component of China's 100-Year Strategy." [2]


Organization and attribution

Salt Typhoon is widely understood to be operated by China's Ministry of State Security (MSS), its foreign intelligence service and secret police. [3] [4]

According to Trend Micro, the group is a "well-organized group with a clear division of labor" whereby attacks targeting different regions and industries are launched by distinct actors, suggesting the group consists of various teams, "further highlighting the complexity of the group's operations." [5]

Campaigns

2024 breach of U.S. Internet service provider networks

In late 2024, U.S. officials announced that hackers affiliated with Salt Typhoon had accessed the computer systems of nine U.S. telecommunications companies, later acknowledged to include Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated Communications, and Windstream. [6] [7] [8] The attack targeted U.S. broadband networks, particularly core network components, including routers manufactured by Cisco, which route large portions of the Internet. [3] [4] In October 2024, U.S. officials revealed that the group had compromised internet service provider (ISP) systems used to fulfill requests under the Communications Assistance for Law Enforcement Act (CALEA), through which U.S. law enforcement and intelligence agencies conduct court-authorized wiretapping. [7]

The hackers were able to access metadata of users' calls and text messages, including date and time stamps, source and destination IP addresses, and phone numbers from over a million users, most of whom were located in the Washington, D.C. metro area. In some cases, the hackers were able to obtain audio recordings of telephone calls made by high-profile individuals. [9] Such individuals reportedly included staff of the Kamala Harris 2024 presidential campaign, as well as phones belonging to Donald Trump and JD Vance. [10] According to deputy national security advisor Anne Neuberger, a "large number" of the individuals whose data was directly accessed were "government targets of interest." [9]

In September 2024, reports first emerged that a severe cyberattack had compromised U.S. telecommunications systems. US officials stated that the campaign was likely underway for one to two years prior to its discovery, with several dozen countries compromised in the hack, including those in Europe and the Indo-Pacific. [11] The campaign was reportedly "intended as a Chinese espionage program focused on key government officials [and] key corporate [intellectual property]." [3] [12]

Reactions

According to Foreign Policy, the attack has "hardened anti-China consensus" in the U.S. government. [13] Senator Mark Warner, chairman of the U.S. Senate Select Committee on Intelligence, called the intrusion the "worst telecom hack in our nation's history", describing it as making prior cyberattacks by Russian actors look like "child's play" by comparison. [14]

Matthew Pines, director of intelligence at SentinelOne, stated that "the Salt Typhoon hacks will be seen as the worst counterintelligence breach in U.S. history" which "gives MSS bread crumbs to trace back to and cauterize strategically critical U.S. sources and methods." He suggested the data breach is worse than the 2015 hack of the U.S. Office of Personnel Management carried out by the MSS' Jiangsu State Security Department. [15]

In retaliation for the attack, the U.S. Department of Commerce announced it would ban the remaining U.S. operations of China Telecom. The Department of Defense placed Chinese media conglomerate Tencent, shipping giant COSCO, battery manufacturer CATL, semiconductor manufacturer ChangXin Memory Technologies, and drone maker Autel Robotics on a blacklist of "Chinese military companies". [16] The designation can disqualify U.S. businesses which transact with listed companies from future U.S. government contracts. [17]

The Chinese Embassy in Washington, D.C. claimed the allegations were all U.S. efforts to "smear and slander" China. [18]

In January 2025, Office of Foreign Assets Control sanctioned Yin Kecheng of Shanghai and Sichuan Juxinhe Network Technology Co. Ltd. as having "direct involvement" in Salt Typhoon. [19] [20]

Methodology

Salt Typhoon reportedly employs a Windows kernel-mode rootkit, Demodex (a name given by Kaspersky Lab [21]), to gain remote control [22] over targeted servers. [23] The group demonstrates a high level of sophistication and uses anti-forensic and anti-analysis techniques to evade detection. [23]
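Because the article describes a kernel-mode rootkit, a defender's first-line check on a Windows host is an inventory of the kernel drivers that are actually loaded, compared against the signers an organization expects. The script below is an added example written for this page; it is not code from the article, from Kaspersky, or from any vendor cited here, and it does not detect Demodex specifically. It assumes PowerShell 5.1 or later running with administrator rights, and the `$TrustedSigners` allow-list is a placeholder that must be replaced with an organization's own baseline.

```powershell
# Added example (not from the article): list running kernel-mode drivers and flag
# any whose image is missing, unsigned, or signed by a subject outside the allow-list.
# $TrustedSigners is a placeholder baseline; replace it with signers you have vetted.
$TrustedSigners = @(
    'CN=Microsoft Windows',
    'CN=Microsoft Windows Hardware Compatibility Publisher'
)

# Win32_SystemDriver covers kernel drivers registered with the Service Control Manager.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$findings = foreach ($d in $drivers) {
    # PathName may carry the \??\ or \SystemRoot\ prefixes; normalise to a plain file path.
    $path = $d.PathName -replace '^\\\?\?\\', '' `
                        -replace '^\\SystemRoot\\', "$env:SystemRoot\"

    if (-not (Test-Path -LiteralPath $path)) {
        # A running driver whose on-disk image cannot be found deserves a closer look.
        [pscustomobject]@{ Name = $d.Name; Path = $path; Status = 'ImageNotFound'; Signer = $null }
        continue
    }

    $sig    = Get-AuthenticodeSignature -LiteralPath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    $trusted = $false
    foreach ($t in $TrustedSigners) {
        if ($signer -and $signer -like "*$t*") { $trusted = $true }
    }

    if ($sig.Status -ne 'Valid' -or -not $trusted) {
        [pscustomobject]@{ Name = $d.Name; Path = $path; Status = $sig.Status; Signer = $signer }
    }
}

# Anything listed here is a lead for triage, not a verdict.
$findings | Sort-Object Name | Format-Table -AutoSize
```

Two caveats follow directly from the article's description. First, a rootkit with anti-forensic capability may hide its own driver from the very APIs this script queries, so an empty result from a live system is weak evidence; corroborate with an offline disk image or a memory capture taken out of band. Second, many legitimate Windows drivers are signed through catalog files rather than embedded signatures, so a `NotSigned` status on an older PowerShell build should be checked against the vendor's catalog before it is treated as a finding.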

Targets

According to The New York Times, Salt Typhoon is unique in focusing primarily on counterintelligence targets. [24] In addition to U.S. Internet service providers, the Slovak cybersecurity firm ESET says Salt Typhoon has previously broken into hotels and government agencies worldwide. [25] [26]

Tools used

[27]

Name

Salt Typhoon is the name assigned by Microsoft and is the one most widely used to describe the group. [25] The group has also variously been called:


References

  1. Swan, David (2024-12-05). "The Chinese hack that has Australia on high alert". The Sydney Morning Herald. Retrieved 2024-12-05.
  2. Lyons, Jessica (2024-09-25). "China's Salt Typhoon cyber spies are deep inside US ISPs". The Register. Archived from the original on 2024-10-08. Retrieved 2024-10-08.
  3. Krouse, Sarah; McMillan, Robert; Volz, Dustin (2024-09-26). "China-Linked Hackers Breach U.S. Internet Providers in New 'Salt Typhoon' Cyberattack". The Wall Street Journal. Archived from the original on 2024-10-07.
  4. Nakashima, Ellen (2024-10-06). "China hacked major U.S. telecom firms in apparent counterspy operation". The Washington Post. Archived from the original on 2024-10-07. Retrieved 2024-10-08.
  5. Greig, Jonathan (2024-11-25). "China's Salt Typhoon hackers target telecom firms in Southeast Asia with new malware". Recorded Future. Archived from the original on 2024-11-28. Retrieved 2024-12-31.
  6. Ahmed, Deborah (2025-01-07). "US Telecom Breaches Widen as 9 Firms Hit by Chinese Salt Typhoon Hackers". Hackread. Retrieved 2025-01-08.
  7. Krouse, Sarah; Volz, Dustin; Viswanatha, Aruna; McMillan, Robert (2024-10-05). "U.S. Wiretap Systems Targeted in China-Linked Hack". The Wall Street Journal. Archived from the original on 2024-10-05.
  8. Krouse, Sarah; Volz, Dustin (2024-11-15). "T-Mobile Hacked in Massive Chinese Breach of Telecom Networks". The Wall Street Journal. Retrieved 2024-11-15.
  9. Page, Carly (2025-01-06). "Meet the Chinese 'Typhoon' hackers preparing for war". TechCrunch. Retrieved 2025-01-08.
  10. Barrett, Devlin; Swan, Jonathan; Haberman, Maggie (2024-10-25). "Chinese Hackers Are Said to Have Targeted Phones Used by Trump and Vance". The New York Times. Archived from the original on 2024-11-10. Retrieved 2024-10-25.
  11. Volz, Dustin (2024-12-04). "Dozens of Countries Hit in Chinese Telecom Hacking Campaign, Top U.S. Official Says". The Wall Street Journal. Archived from the original on 2024-12-04. Retrieved 2024-12-05.
  12. Tucker, Eric (2024-12-27). "A 9th telecoms firm has been hit by a massive Chinese espionage campaign, the White House says". Associated Press. Retrieved 2024-12-27.
  13. Palmer, James (2025-01-09). "Salt Typhoon Stirs Panic in Washington". Foreign Policy. Retrieved 2025-01-08.
  14. Nakashima, Ellen (2024-11-21). "Top senator calls Salt Typhoon 'worst telecom hack in our nation's history'". The Washington Post. Retrieved 2024-12-31.
  15. Pines, Matthew [@matthew_pines] (2024-12-28). "I think the Salt Typhoon hacks will be seen as the worst counterintelligence breach in US history. Though not reported yet, seems likely that the MSS compromised the FISA "selectors" in US telcos. The fallout from this is unfathomable. FBI NSD damage assessment is max pain rn" (Tweet). Retrieved 2024-12-30 via Twitter.
  16. Sanger, David E. (2024-12-16). "Biden Administration Takes First Step to Retaliate Against China Over Hack". The New York Times. Archived from the original on 2024-12-27. Retrieved 2024-12-31.
  17. Stevenson, Alexandra (2025-01-07). "U.S. Adds Tencent to Chinese Military Companies Blacklist". The New York Times. ISSN 0362-4331. Retrieved 2025-01-08.
  18. Krouse, Sarah; Volz, Dustin; Viswanatha, Aruna; McMillan, Robert (2024-10-05). "U.S. Wiretap Systems Targeted in China-Linked Hack". The Wall Street Journal. Archived from the original on 2024-10-05.
  19. Johnson, Derek B. (2025-01-17). "Treasury sanctions Chinese cybersecurity company, affiliate for Salt Typhoon hacks". CyberScoop. Retrieved 2025-01-21.
  20. "US Treasury Department imposes sanctions on Chinese company over Salt Typhoon hack". Reuters. 2025-01-18. Retrieved 2025-01-21.
  21. "GhostEmperor: From ProxyLogon to kernel mode". securelist.com. 2021-09-30. Archived from the original on 2024-10-01. Retrieved 2024-10-08.
  22. "GhostEmperor returns with updated Demodex rootkit" (PDF). www.imda.gov.sg - Infocomm Media Development Authority. Retrieved 2024-10-08.
  23. "Malpedia: GhostEmperor". Fraunhofer Society. Archived from the original on 2024-10-08. Retrieved 2024-10-08.
  24. Barrett, Devlin (2024-10-26). "What to Know About the Chinese Hackers Who Targeted the 2024 Campaigns". Archived from the original on 2024-12-21. Retrieved 2024-12-31.
  25. Kovacs, Eduard (2024-10-07). "China's Salt Typhoon Hacked AT&T, Verizon: Report". Security Week.
  26. "ESET Research discovers FamousSparrow APT group spying on hotels, governments and private companies". ESET. ESET Newsroom, WeLiveSecurity. Archived from the original on 2024-11-28. Retrieved 2024-12-06.
  27. "Salt Typhoon". FortiGuard. 2024-12-20.
  28. "AT&T, Verizon reportedly hacked to target US govt wiretapping platform". BleepingComputer. Archived from the original on 2024-10-07. Retrieved 2024-10-08.
