Salt Typhoon

Formation: 2020
Type: Advanced persistent threat
Purpose: Cyberwarfare
Affiliations: Chinese government

Salt Typhoon (also known as GhostEmperor, FamousSparrow, or UNC2286) [1] is an advanced persistent threat actor reported to be operated by the Chinese government to conduct cyberespionage campaigns against targets in North America and Southeast Asia. Active since 2020, the group engages in widespread data theft, particularly the capture of network traffic. [2] Former NSA analyst Terry Dunlap has called the group "another component of China's 100-Year Strategy." [3] According to former CISA director Chris Krebs and other U.S. officials, the group is affiliated with China's Ministry of State Security. [4] [5]


Name

GhostEmperor is the name given by Kaspersky Lab. [6]

FamousSparrow is the name given by ESET. [6]

Salt Typhoon is the name given by Microsoft. [6]

UNC2286 is the name given by Mandiant, now part of Google Cloud. [7]

Methodology

Salt Typhoon reportedly employs a Windows kernel-mode rootkit, Demodex (a name given by Kaspersky Lab), [8] to gain remote control [9] over targeted servers. [1] The group demonstrates a high level of sophistication and uses anti-forensic and anti-analysis techniques to evade detection. [1]

Targets

In addition to US internet service providers, Salt Typhoon has previously broken into hotels and government agencies worldwide, according to the Slovak cybersecurity firm ESET. [6] [10]

Notable campaigns

September 2024 breach of US internet service provider networks

In September 2024, The Wall Street Journal reported that "in recent months" Salt Typhoon had hacked into US broadband networks, particularly core network components, including Cisco-manufactured routers that carry large portions of internet traffic. [4]

October 2024 breach of US ISP wiretap systems

"Hackers apparently exfiltrated some data from Verizon networks by reconfiguring Cisco routers" [5] - The Washington Post

In October 2024, Salt Typhoon was discovered to have exploited backdoors in US internet service provider networks that law enforcement agencies use to carry out court-authorized wiretapping. [11] Affected networks included those of AT&T, Verizon, Lumen Technologies, and T-Mobile. [11] [12] The Chinese Embassy in Washington, D.C., denied the allegations. [11]

"There are indications that China’s foreign spy service, the Ministry of State Security, which has long targeted the United States for intelligence, is involved in the breach. Officials internally are referring to it as having been carried out by an arm of the MSS known as Salt Typhoon, a moniker given to the group by Microsoft, which monitors Chinese hacking activity." [5] - The Washington Post

In October 2024, The Washington Post reported that the U.S. federal government formed a multi-agency team to address the hack. [13] The same month, The New York Times reported that Salt Typhoon attempted to and may have gained access to the phones of staff of the Kamala Harris 2024 presidential campaign as well as those of Donald Trump and JD Vance. [14]

Reception

"... implies that the attack wasn't against the broadband providers directly, but against one of the intermediary companies that sit between the government CALEA requests and the broadband providers. ... And here is one more example of a backdoor access mechanism being targeted by the “wrong” eavesdroppers." [15] - Bruce Schneier

See also

Wiretapping

Backdoor (computing)

Communications Assistance for Law Enforcement Act (CALEA)

ESET

Chinese intelligence activity abroad

Storm Worm

Verizon

Supply chain attack

Advanced persistent threat

Network Crack Program Hacker Group

Chinese espionage in the United States

Cyberwarfare by China

Tailored Access Operations

Crypto Wars

Cozy Bear

Industroyer

Double Dragon

2021 Microsoft Exchange Server data breach

2024 United States telecommunications hack

Chinese interference in the 2024 United States elections

References

  1. "Malpedia: GhostEmperor". Fraunhofer Society. Archived from the original on 2024-10-08. Retrieved 2024-10-08.
  2. Swan, David (2024-12-05). "The Chinese hack that has Australia on high alert". The Sydney Morning Herald. Retrieved 2024-12-05.
  3. Lyons, Jessica (2024-09-25). "China's Salt Typhoon cyber spies are deep inside US ISPs". The Register. Archived from the original on 2024-10-08. Retrieved 2024-10-08.
  4. Krouse, Sarah; McMillan, Robert; Volz, Dustin (2024-09-26). "China-Linked Hackers Breach U.S. Internet Providers in New 'Salt Typhoon' Cyberattack". The Wall Street Journal. Archived from the original on 2024-10-07.
  5. Nakashima, Ellen (2024-10-06). "China hacked major U.S. telecom firms in apparent counterspy operation". The Washington Post. Archived from the original on 2024-10-07. Retrieved 2024-10-08.
  6. Kovacs, Eduard (2024-10-07). "China's Salt Typhoon Hacked AT&T, Verizon: Report". SecurityWeek.
  7. "AT&T, Verizon reportedly hacked to target US govt wiretapping platform". BleepingComputer. Archived from the original on 2024-10-07. Retrieved 2024-10-08.
  8. "GhostEmperor: From ProxyLogon to kernel mode". Securelist (securelist.com). 2021-09-30. Archived from the original on 2024-10-01. Retrieved 2024-10-08.
  9. "GhostEmperor returns with updated Demodex rootkit" (PDF). Infocomm Media Development Authority (www.imda.gov.sg). Retrieved 2024-10-08.
  10. "ESET Research discovers FamousSparrow APT group spying on hotels, governments and private companies". ESET Newsroom, WeLiveSecurity. Retrieved 2024-12-06.
  11. Krouse, Sarah; Volz, Dustin; Viswanatha, Aruna; McMillan, Robert (2024-10-05). "U.S. Wiretap Systems Targeted in China-Linked Hack". The Wall Street Journal. Archived from the original on 2024-10-05.
  12. Krouse, Sarah; Volz, Dustin (2024-11-15). "T-Mobile Hacked in Massive Chinese Breach of Telecom Networks". The Wall Street Journal. Retrieved 2024-11-15.
  13. Nakashima, Ellen (2024-10-11). "White House forms emergency team to deal with China espionage hack". The Washington Post. Archived from the original on 2024-11-09. Retrieved 2024-10-12.
  14. Barrett, Devlin; Swan, Jonathan; Haberman, Maggie (2024-10-25). "Chinese Hackers Are Said to Have Targeted Phones Used by Trump and Vance". The New York Times. Archived from the original on 2024-11-10. Retrieved 2024-10-25.
  15. Schneier, Bruce. "China Possibly Hacking US "Lawful Access" Backdoor". Schneier on Security (www.schneier.com). Retrieved 2024-10-08.