Salt Typhoon is an advanced persistent threat actor operated by China's Ministry of State Security (MSS) that has conducted high-profile cyber espionage campaigns, particularly against the United States. The group's operations emphasize counterintelligence targets in the United States and the theft of key corporate intellectual property. The group has infiltrated targets in dozens of other countries on nearly every continent.[1] Former NSA analyst Terry Dunlap has described the group as a "component of China's 100-Year Strategy."[2]
| Formation | 2020 |
|---|---|
| Type | Advanced persistent threat |
| Purpose | Cyber espionage, counterintelligence, data exfiltration |
| Affiliations | Ministry of State Security |
Organization and attribution
Salt Typhoon is widely understood to be operated by China's Ministry of State Security (MSS), its foreign intelligence service and secret police.[3][4]
According to Trend Micro, the group is a "well-organized group with a clear division of labor" whereby attacks targeting different regions and industries are launched by distinct actors, suggesting the group consists of various teams, "further highlighting the complexity of the group's operations."[5]
Campaigns
2024 breach of U.S. Internet service provider networks
In late 2024, U.S. officials announced that hackers affiliated with Salt Typhoon had accessed the computer systems of nine U.S. telecommunications companies, later acknowledged to include Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated Communications, and Windstream.[6][7][8] The attack targeted U.S. broadband networks, particularly core network components, including routers manufactured by Cisco, which route large portions of the Internet.[3][4] In October 2024, U.S. officials revealed that the group had compromised internet service provider (ISP) systems used to fulfill CALEA requests, through which U.S. law enforcement and intelligence agencies conduct court-authorized wiretapping.[7]
The hackers were able to access metadata of users' calls and text messages, including date and time stamps, source and destination IP addresses, and phone numbers, from over a million users, most of whom were located in the Washington D.C. metro area. In some cases, the hackers were able to obtain audio recordings of telephone calls made by high-profile individuals.[9] Such individuals reportedly included staff of the Kamala Harris 2024 presidential campaign, and the targeted phones included those belonging to Donald Trump and JD Vance.[10] According to deputy national security advisor Anne Neuberger, a "large number" of the individuals whose data was directly accessed were "government targets of interest."[9]
In September 2024, reports first emerged that a severe cyberattack had compromised U.S. telecommunications systems. U.S. officials stated that the campaign had likely been underway for one to two years prior to its discovery, with several dozen countries compromised in the hack, including countries in Europe and the Indo-Pacific.[11] The campaign was reportedly "intended as a Chinese espionage program focused on key government officials [and] key corporate [intellectual property]."[3][12]
Reactions
According to Foreign Policy, the attack has "hardened anti-China consensus" in the U.S. government.[13] Senator Mark Warner, chairman of the U.S. Senate Select Committee on Intelligence, called the intrusion the "worst telecom hack in our nation's history", describing it as making prior cyberattacks by Russian actors look like "child's play" by comparison.[14]
Matthew Pines, director of intelligence at SentinelOne, stated that "the Salt Typhoon hacks will be seen as the worst counterintelligence breach in U.S. history" which "gives MSS bread crumbs to trace back to and cauterize strategically critical U.S. sources and methods." He suggested the data breach is worse than the 2015 hack of the U.S. Office of Personnel Management carried out by the MSS' Jiangsu State Security Department.[15]
In retaliation for the attack, the U.S. Department of Commerce announced it would ban the remaining U.S. operations of China Telecom. The Department of Defense placed Chinese media conglomerate Tencent, shipping giant COSCO, battery manufacturer CATL, semiconductor manufacturer ChangXin Memory Technologies, and drone maker Autel Robotics on a blacklist of "Chinese military companies".[16] The designation can disqualify U.S. businesses which transact with listed companies from future U.S. government contracts.[17]
The Chinese Embassy in Washington, D.C. claimed the allegations were all U.S. efforts to "smear and slander" China.[18]
Methodology
Salt Typhoon reportedly employs a Windows kernel-mode rootkit, Demodex (the name given by Kaspersky Lab[19]), to gain remote control[20] over targeted servers.[21] The group demonstrates a high level of sophistication and uses anti-forensic and anti-analysis techniques to evade detection.[21]
Targets
According to The New York Times, Salt Typhoon is unique in focusing primarily on counterintelligence targets.[22] In addition to U.S. Internet service providers, the Slovak cybersecurity firm ESET says Salt Typhoon has previously broken into hotels and government agencies worldwide.[23][24]
Tools used
- BITSAdmin
- CertUtil
- Cheat Engine driver
- Demodex
- Get-PassHashes.ps1
- Ladon
- Malleable C2
- mimkat_ssp
- NBTscan
- Powercat
- PowerShell
- ProcDump
- PsExec
- PsList
- SMB
- SparrowDoor
- Token.exe
- WinRAR
- WMIExec
Name
Salt Typhoon is the name assigned by Microsoft and is the one most widely used to describe the group.[23] The group has also variously been called:
- Earth Estrie by Trend Micro[5]
- Ghost Emperor by Kaspersky Lab[23]
References
edit- ^ Swan, David (2024-12-05). "The Chinese hack that has Australia on high alert". The Sydney Morning Herald. Retrieved 2024-12-05.
- ^ Lyons, Jessica (2024-09-25). "China's Salt Typhoon cyber spies are deep inside US ISPs". The Register. Archived from the original on 2024-10-08. Retrieved 2024-10-08.
- ^ a b c Krouse, Sarah; McMillan, Robert; Volz, Dustin (2024-09-26). "China-Linked Hackers Breach U.S. Internet Providers in New 'Salt Typhoon' Cyberattack". The Wall Street Journal. Archived from the original on 7 Oct 2024.
- ^ a b Nakashima, Ellen (6 October 2024). "China hacked major U.S. telecom firms in apparent counterspy operation". The Washington Post. Archived from the original on 7 October 2024. Retrieved 8 October 2024.
- ^ a b Greig, Jonathan (2024-11-25). "China's Salt Typhoon hackers target telecom firms in Southeast Asia with new malware". Recorded Future. Archived from the original on 2024-11-28. Retrieved 2024-12-31.
- ^ Ahmed, Deborah (2025-01-07). "US Telecom Breaches Widen as 9 Firms Hit by Chinese Salt Typhoon Hackers". Hackread. Retrieved 2025-01-08.
- ^ a b Krouse, Sarah; Volz, Dustin; Viswanatha, Aruna; McMillan, Robert (2024-10-05). "U.S. Wiretap Systems Targeted in China-Linked Hack". The Wall Street Journal. Archived from the original on 5 Oct 2024.
- ^ Krouse, Sarah; Volz, Dustin (November 15, 2024). "T-Mobile Hacked in Massive Chinese Breach of Telecom Networks". The Wall Street Journal. Retrieved November 15, 2024.
- ^ a b Page, Carly (2025-01-06). "Meet the Chinese 'Typhoon' hackers preparing for war". TechCrunch. Retrieved 2025-01-08.
- ^ Barrett, Devlin; Swan, Jonathan; Haberman, Maggie (October 25, 2024). "Chinese Hackers Are Said to Have Targeted Phones Used by Trump and Vance". The New York Times. Archived from the original on November 10, 2024. Retrieved October 25, 2024.
- ^ Volz, Dustin (December 4, 2024). "Dozens of Countries Hit in Chinese Telecom Hacking Campaign, Top U.S. Official Says". The Wall Street Journal. Archived from the original on December 4, 2024. Retrieved December 5, 2024.
- ^ Tucker, Eric (2024-12-27). "A 9th telecoms firm has been hit by a massive Chinese espionage campaign, the White House says". Associated Press. Retrieved 2024-12-27.
- ^ Palmer, James (2025-01-09). "Salt Typhoon Stirs Panic in Washington". Foreign Policy. Retrieved 2025-01-08.
- ^ Nakashima, Ellen (November 21, 2024). "Top senator calls Salt Typhoon 'worst telecom hack in our nation's history'". The Washington Post. Retrieved December 31, 2024.
- ^ Pines, Matthew [@matthew_pines] (2024-12-28). "I think the Salt Typhoon hacks will be seen as the worst counterintelligence breach in US history. Though not reported yet, seems likely that the MSS compromised the FISA "selectors" in US telcos. The fallout from this is unfathomable. FBI NSD damage assessment is max pain rn" (Tweet). Retrieved 2024-12-30 – via Twitter.
- ^ Sanger, David E. (2024-12-16). "Biden Administration Takes First Step to Retaliate Against China Over Hack". The New York Times. Archived from the original on 2024-12-27. Retrieved 2024-12-31.
- ^ Stevenson, Alexandra (2025-01-07). "U.S. Adds Tencent to Chinese Military Companies Blacklist". The New York Times. ISSN 0362-4331. Retrieved 2025-01-08.
- ^ Krouse, Sarah; Volz, Dustin; Viswanatha, Aruna; McMillan, Robert (2024-10-05). "U.S. Wiretap Systems Targeted in China-Linked Hack". The Wall Street Journal. Archived from the original on 5 Oct 2024.
- ^ "GhostEmperor: From ProxyLogon to kernel mode". securelist.com. 30 September 2021. Archived from the original on 1 October 2024. Retrieved 8 October 2024.
- ^ "GhostEmperor returns with updated Demodex rootkit" (PDF). www.imda.gov.sg - Infocomm Media Development Authority. Retrieved 8 October 2024.
- ^ a b "Malpedia: GhostEmperor". Fraunhofer Society. Archived from the original on 2024-10-08. Retrieved 2024-10-08.
- ^ Barrett, Devlin (2024-10-26). "What to Know About the Chinese Hackers Who Targeted the 2024 Campaigns". Archived from the original on 2024-12-21. Retrieved 2024-12-31.
- ^ a b c d Kovacs, Eduard (2024-10-07). "China's Salt Typhoon Hacked AT&T, Verizon: Report". Security Week.
- ^ "ESET Research discovers FamousSparrow APT group spying on hotels, governments and private companies". ESET. ESET Newsroom, WeLiveSecurity. Archived from the original on 28 November 2024. Retrieved 6 December 2024.
- ^ "Salt Typhoon". FortiGuard. 2024-12-20.
- ^ "AT&T, Verizon reportedly hacked to target US govt wiretapping platform". BleepingComputer. Archived from the original on 7 October 2024. Retrieved 8 October 2024.