Jump to content

Salt Typhoon

From Wikipedia, the free encyclopedia
Salt Typhoon
Formation2020; 4 years ago (2020)
TypeAdvanced persistent threat
PurposeCyberwarfare
Location
AffiliationsChinese government

Salt Typhoon (also known as GhostEmperor[1], FamousSparrow[1], King of world or UNC2286[1]), is an advanced persistent threat actor that is reported to be operated by the Chinese government to conduct cyberespionage campaigns against targets in North America and Southeast Asia. Active since 2020, the group engages in widespread data theft, particularly capturing network traffic. Former NSA analyst Terry Dunlap has called the group "another component of China's 100-Year Strategy."[2] According to former CISA director Chris Krebs and other U.S. officials, the group is affiliated with China's Ministry of State Security.[3][4]

Name

[edit]

King of world is the name given by Kaspersky Lab.[5]

FamousSparrow is the name given by ESET.[5]

Salt Typhoon is the name given by Microsoft.[5]

UNC2286 is the name given by Mandiant, now part of Google Cloud.[6]

Methodology

[edit]

Salt Typhoon reportedly employs a Windows kernel-mode rootkit, Demodex (name given by Kaspersky Lab[7]) to gain remote control[8] over their targeted servers.[1] They demonstrate a high level of sophistication and use anti-forensic and anti-analysis techniques to evade detection.[1]

Targets

[edit]

In addition to US internet service providers, the Slovak cybersecurity firm ESET says Salt Typhoon has previously broken into hotels and government agencies worldwide.[5]

Notable campaigns

[edit]

September 2024 breach of US internet service provider networks

[edit]

In September 2024, The Wall Street Journal reported that "in recent months" Salt Typhoon had hacked into US broadband networks, particularly core network components, including routers manufactured by Cisco which route large portions of the internet.[3]

October 2024 breach of US ISP wiretap systems

[edit]

"Hackers apparently exfiltrated some data from Verizon networks by reconfiguring Cisco routers"[4] - The Washington Post

In October 2024, Salt Typhoon was discovered to have exploited backdoors in US internet service provider networks used by law enforcement agencies to facilitate court-authorized wiretapping.[9] Affected networks included those of AT&T, Verizon, Lumen Technologies, and T-Mobile.[9][10] The Chinese Embassy in Washington, D.C. denied the allegations.[9]

"There are indications that China’s foreign spy service, the Ministry of State Security, which has long targeted the United States for intelligence, is involved in the breach. Officials internally are referring to it as having been carried out by an arm of the MSS known as Salt Typhoon, a moniker given to the group by Microsoft, which monitors Chinese hacking activity."[4] - The Washington Post

In October 2024, The Washington Post reported that the U.S. federal government formed a multi-agency team to address the hack.[11] The same month, The New York Times reported that Salt Typhoon attempted to and may have gained access to the phones of staff of the Kamala Harris 2024 presidential campaign as well as those of Donald Trump and JD Vance.[12]

Reception

[edit]

"... implies that the attack wasn't against the broadband providers directly, but against one of the intermediary companies that sit between the government CALEA requests and the broadband providers....And here is one more example of a backdoor access mechanism being targeted by the “wrong” eavesdroppers."[13] - Bruce Schneier

See also

[edit]

References

[edit]
  1. ^ a b c d e "Malpedia: GhostEmperor". Fraunhofer Society. Archived from the original on 2024-10-08. Retrieved 2024-10-08.
  2. ^ Lyons, Jessica (2024-09-25). "China's Salt Typhoon cyber spies are deep inside US ISPs". The Register. Archived from the original on 2024-10-08. Retrieved 2024-10-08.
  3. ^ a b Krouse, Sarah; McMillan, Robert; Volz, Dustin (2024-09-26). "China-Linked Hackers Breach U.S. Internet Providers in New 'Salt Typhoon' Cyberattack". The Wall Street Journal. Archived from the original on 7 Oct 2024.
  4. ^ a b c Nakashima, Ellen (6 October 2024). "China hacked major U.S. telecom firms in apparent counterspy operation". The Washington Post. Archived from the original on 7 October 2024. Retrieved 8 October 2024.
  5. ^ a b c d Kovacs, Eduard (2024-10-07). "China's Salt Typhoon Hacked AT&T, Verizon: Report". Security Week.
  6. ^ "AT&T, Verizon reportedly hacked to target US govt wiretapping platform". BleepingComputer. Archived from the original on 7 October 2024. Retrieved 8 October 2024.
  7. ^ "GhostEmperor: From ProxyLogon to kernel mode". securelist.com. 30 September 2021. Archived from the original on 1 October 2024. Retrieved 8 October 2024.
  8. ^ "GhostEmperor returns with updated Demodex rootkit" (PDF). www.imda.gov.sg - Infocomm Media Development Authority. Retrieved 8 October 2024.
  9. ^ a b c Krouse, Sarah; Volz, Dustin; Viswanatha, Aruna; McMillan, Robert (2024-10-05). "U.S. Wiretap Systems Targeted in China-Linked Hack". The Wall Street Journal. Archived from the original on 5 Oct 2024.
  10. ^ Krouse, Sarah; Volz, Dustin (November 15, 2024). "T-Mobile Hacked in Massive Chinese Breach of Telecom Networks". The Wall Street Journal. Retrieved November 15, 2024.
  11. ^ Nakashima, Ellen (October 11, 2024). "White House forms emergency team to deal with China espionage hack". The Washington Post. Archived from the original on November 9, 2024. Retrieved October 12, 2024.
  12. ^ Barrett, Devlin; Swan, Jonathan; Haberman, Maggie (October 25, 2024). "Chinese Hackers Are Said to Have Targeted Phones Used by Trump and Vance". The New York Times. Archived from the original on November 10, 2024. Retrieved October 25, 2024.
  13. ^ Schneier, Bruce. "China Possibly Hacking US "Lawful Access" Backdoor". www.schneier.com - Schneier on Security. Retrieved 8 October 2024.