Salt Typhoon
Data sourced from Wikipedia, displayed by DefZone.Net
| Formation | c. 2020 |
|---|---|
| Type | Advanced persistent threat |
| Purpose | Cyber espionage, counterintelligence, data exfiltration |
| Parent organization | Ministry of State Security |
| Affiliations | Sichuan Juxinhe Network Technology Co. Ltd.; Beijing Huanyu Tianqiong Information Technology Co., Ltd.; Sichuan Zhixin Ruijie Network Technology Co., Ltd. |
Salt Typhoon is an advanced persistent threat actor believed to be operated by China's Ministry of State Security (MSS) which has conducted high-profile cyber espionage campaigns, particularly against the United States. The group's operations place an emphasis on counterintelligence targets in the United States and data theft of key corporate intellectual property. The group has infiltrated over 200 targets in over 80 countries.[1] Former NSA analyst Terry Dunlap has described the group as a "component of China's 100 year strategy."[2]
Organization and attribution
Salt Typhoon is widely understood to be operated by China's Ministry of State Security (MSS), its foreign intelligence service and secret police.[3][4] The Chinese embassy in New Zealand denied all allegations, calling them "unfounded and irresponsible smears and slanders".[5]
According to Trend Micro, the group is a "well-organized group with a clear division of labor" whereby attacks targeting different regions and industries are launched by distinct actors, suggesting the group consists of various teams, "further highlighting the complexity of the group's operations."[6][7] The cyberattacks were reported to have been under way since at least 2023.[8]
History
2023 to 2024: Telecommunication hacks
In September 2024, reports first emerged that a severe cyberattack had compromised U.S. telecommunications systems. US officials stated that the campaign was likely underway for one to two years prior to its discovery, with several dozen countries compromised in the hack, including those in Europe and the Indo-Pacific.[9] The campaign was reportedly "intended as a Chinese espionage program focused on key government officials [and] key corporate [intellectual property]."[3][10]
In late 2024 U.S. officials announced that hackers affiliated with Salt Typhoon had accessed the computer systems of nine U.S. telecommunications companies, later acknowledged to include Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated Communications, and Windstream.[11][12][13] The attack targeted U.S. broadband networks, particularly core network components, including routers manufactured by Cisco, which route large portions of the Internet.[3][4] In October 2024, U.S. officials revealed that the group had compromised internet service provider (ISP) systems used to fulfill CALEA requests used by U.S. law enforcement and intelligence agencies to conduct court-authorized wiretapping.[12]
The hackers were able to access metadata of users' calls and text messages, including date and time stamps, source and destination IP addresses, and phone numbers from over a million users, most of whom were located in the Washington D.C. metro area. In some cases, the hackers were able to obtain audio recordings of telephone calls made by high-profile individuals.[14] Such individuals reportedly included staff of the Kamala Harris 2024 presidential campaign, as well as phones belonging to Donald Trump and JD Vance.[15] According to deputy national security advisor Anne Neuberger, a "large number" of the individuals whose data was directly accessed were "government targets of interest."[14]
In March 2025, the United States House Committee on Homeland Security requested that the Department of Homeland Security (DHS) turn over documents on the federal government's response to the hacking.[16]
The second Trump administration fired all members of the Cyber Safety Review Board before it could complete its investigation of the intrusion.[17] In April 2025, the Federal Bureau of Investigation (FBI) announced a US$10 million bounty for information on individuals associated with Salt Typhoon.[18]
2024 to 2025: National Guard and Congressional committees
On June 11, 2025, the DHS published a report entitled Salt Typhoon: Data Theft Likely Signals Expanded Targeting. In the report, the agency describes how the threat actor group compromised the network of an unnamed US state's Army National Guard.[19]
In August 2025, the FBI stated that Salt Typhoon has hacked at least 200 companies across 80 countries.[1]
In December 2025, intrusions were detected in several United States House of Representatives committees and later attributed to Salt Typhoon.[20]
Australia
In November 2025, Australian Security Intelligence Organisation director-general Mike Burgess said hackers linked to the Chinese government and military had attempted to access Australia's critical infrastructure, including telecommunications networks. He identified the groups Salt Typhoon and Volt Typhoon, which also infiltrated U.S. systems for espionage and potential sabotage, and warned that similar probing had occurred in Australia.[21][22]
Targets
According to The New York Times, Salt Typhoon is unique in focusing primarily on counterintelligence targets.[23] In addition to U.S. Internet service providers, the Slovak cybersecurity firm ESET says Salt Typhoon has previously broken into hotels and government agencies worldwide.[24][25] An unnamed Canadian telecom company was breached in February 2025.[26] In June 2025, Viasat (a US telecom) was named as a victim of Salt Typhoon.[27]
Tactics, techniques, and procedures
Salt Typhoon reportedly employs a Windows kernel-mode rootkit, Demodex (the name given by Kaspersky Lab),[28] to gain remote control[29] over its targeted servers.[30] The group demonstrates a high level of sophistication and uses anti-forensic and anti-analysis techniques to evade detection.[30]
Initial access
To gain initial access to their targets, the group has been observed exploiting known vulnerabilities in firewalls, routers, and VPN products:[31][32]
| CVE | Description |
|---|---|
| CVE-2024-21887 | Ivanti Connect Secure and Ivanti Policy Secure web-component command injection vulnerability |
| CVE-2024-3400 | Palo Alto Networks PAN-OS GlobalProtect arbitrary file creation leading to OS command injection |
| CVE-2023-20273 | Cisco Internetworking Operating System (IOS) XE software web management user interface post-authentication command injection/privilege escalation |
| CVE-2023-20198 | Cisco IOS XE web user interface authentication bypass |
| CVE-2018-0171 | Cisco IOS and IOS XE smart install remote code execution |
| CVE-2021-26855 | Microsoft Exchange Server Server-Side Request Forgery Vulnerability (ProxyLogon) |
| CVE-2022-3236 | Sophos Firewall Code Injection Vulnerability |
| CVE-2023-48788 | FortiClient Enterprise Management Server (FortiClientEMS) SQL Injection Vulnerability |
| CVE-2023-46805 | Ivanti Connect Secure and Ivanti Policy Secure Authentication Bypass Vulnerability |
| CVE-2025-5777 | Citrix NetScaler Gateway Unauthenticated Memory Read Access[33] |
Persistence
Salt Typhoon employs many techniques to maintain access to its targets and avoid detection.[31]
- Modifying access-control lists (ACLs) to add IP addresses.
- Exposing services such as SSH, RDP, or FTP to facilitate remote access or data exfiltration. The services are run on both standard and non-standard ports to help evade detection. The group has also been observed adding keys to existing SSH services.
- Creating tunnels over protocols such as Generic Routing Encapsulation (GRE) or IPsec on network devices.
- Running commands inside Linux containers on Cisco networking devices via Guest Shell. This allows the threat actor to stage tools, process data, and move laterally through the network undetected, as activity inside the container is generally not monitored.
- Using open-source multi-hop pivoting tools to relay commands from command-and-control servers.
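As an added, defender-side illustration of the persistence indicators listed above (example code, not from the article or any of its cited sources), the following Python reviews a constructed Cisco IOS-style running configuration and flags lines matching those behaviours: ACL entries permitting hosts outside a management allowlist, SSH bound to a non-standard port, public keys bound to local accounts, GRE tunnel interfaces, and IOx/app-hosting configuration (the substrate Guest Shell runs on). The sample configuration, the allowlist `KNOWN_MGMT_HOSTS`, and the function names `audit_config` and `count_by_indicator` are assumptions; treating any IOx/app-hosting line as a guest-shell indicator will over-flag devices that legitimately host containers, so the output is a review queue rather than a verdict.

```python
import ipaddress
import re

# Constructed sample running-config excerpt (not from a real device). Addresses in
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges used as stand-ins.
SAMPLE_CONFIG = """\
hostname core-rtr-1
iox
app-hosting appid guestshell
access-list 10 permit 203.0.113.200
ip access-list extended MGMT-IN
 permit tcp host 10.0.0.5 any eq 22
 permit tcp host 203.0.113.77 any eq 22
 permit tcp host 203.0.113.77 any eq 2222
ip ssh pubkey-chain
 username admin
  key-hash ssh-rsa ABCDEF0123456789ABCDEF0123456789
ip ssh port 2222 rotary 1
interface Tunnel100
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.9
 tunnel mode gre ip
line vty 0 4
 rotary 1
 transport input ssh
"""

# Assumption: the defender maintains the set of hosts legitimately allowed to manage
# the device; any other host permitted by an ACL is queued for review.
KNOWN_MGMT_HOSTS = frozenset({ipaddress.ip_address("10.0.0.5")})

EXT_ACL_HOST_RE = re.compile(r"^\s*permit\s+\S+\s+host\s+(\S+)")
STD_ACL_RE = re.compile(r"^access-list\s+\d+\s+permit\s+(\d{1,3}(?:\.\d{1,3}){3})")
SSH_PORT_RE = re.compile(r"^ip ssh port\s+(\d+)")


def _parse_ip(text):
    """Return an ip_address for text, or None when it is not a literal address."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def audit_config(config_text, known_hosts=KNOWN_MGMT_HOSTS):
    """Return (indicator, config_line) pairs for lines matching the listed behaviours."""
    findings = []
    in_tunnel = False
    for raw in config_text.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        # Top-level lines open or close blocks; remember whether we are inside a Tunnel
        # interface so 'tunnel mode' lines are attributed correctly.
        if not raw.startswith(" "):
            in_tunnel = stripped.startswith("interface Tunnel")

        # ACL entries (standard or extended) that permit a host outside the allowlist
        for pattern in (EXT_ACL_HOST_RE, STD_ACL_RE):
            m = pattern.match(raw)
            if m:
                host = _parse_ip(m.group(1))
                if host is not None and host not in known_hosts:
                    findings.append(("acl-unknown-host", stripped))

        # SSH exposed on a port other than 22
        m = SSH_PORT_RE.match(raw)
        if m and int(m.group(1)) != 22:
            findings.append(("ssh-nonstandard-port", stripped))

        # A public key bound to a local account (key-hash under ip ssh pubkey-chain)
        if stripped.startswith("key-hash "):
            findings.append(("ssh-pubkey-entry", stripped))

        # GRE encapsulation configured on a Tunnel interface
        if in_tunnel and stripped.startswith("tunnel mode gre"):
            findings.append(("gre-tunnel", stripped))

        # Container hosting enabled (IOx / app-hosting), which Guest Shell relies on
        if stripped == "iox" or stripped.startswith("app-hosting appid"):
            findings.append(("guest-shell-hosting", stripped))
    return findings


def count_by_indicator(findings):
    """Collapse findings into {indicator: count} for a quick summary."""
    counts = {}
    for indicator, _ in findings:
        counts[indicator] = counts.get(indicator, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_config(SAMPLE_CONFIG)
    for indicator, line in results:
        print(f"{indicator:22} {line}")
    print(count_by_indicator(results))
```

Run against the sample, the script queues eight lines: three ACL entries for hosts not in the allowlist, the SSH rotary on port 2222, one stored public key, the GRE tunnel, and the two IOx/app-hosting lines. In practice the same checks are more useful run as a diff against a known-good baseline of the device configuration, since every indicator here also has legitimate uses.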
Affiliations
Salt Typhoon is aided by a number of companies that work closely with Chinese intelligence services to provide cyber services, including:[31]
- Sichuan Juxinhe Network Technology Co. Ltd.
- Beijing Huanyu Tianqiong Information Technology Co., Ltd.
- Sichuan Zhixin Ruijie Network Technology Co., Ltd.
On January 17, 2025, the U.S. Department of the Treasury announced sanctions against Sichuan Juxinhe Network Technology Co., LTD. The statement accused Sichuan Juxinhe of having direct involvement with Salt Typhoon and that the group was responsible for breaching multiple U.S. telecommunication and internet service provider companies.[34]
Name
Salt Typhoon is the name assigned by Microsoft and is the one most widely used to describe the group.[24] The group has also variously been called:
- Earth Estrie by Trend Micro[6]
- Ghost Emperor by Kaspersky Lab[24]
- FamousSparrow by ESET[24]
- UNC2286 by Mandiant[35]
See also
- Volt Typhoon
- Cyberwarfare and China
- Chinese information operations and information warfare
- Chinese espionage in the United States
References
- [1] Collier, Kevin (2025-08-27). "China used three private companies to hack global telecoms, U.S. says". NBC News. Retrieved 2025-08-27.
- [2] Lyons, Jessica (2024-09-25). "China's Salt Typhoon cyber spies are deep inside US ISPs". The Register. Archived from the original on 2024-10-08. Retrieved 2024-10-08.
- [3] Krouse, Sarah; McMillan, Robert; Volz, Dustin (2024-09-26). "China-Linked Hackers Breach U.S. Internet Providers in New 'Salt Typhoon' Cyberattack". The Wall Street Journal. Archived from the original on 2024-10-07.
- [4] Nakashima, Ellen (2024-10-06). "China hacked major U.S. telecom firms in apparent counterspy operation". The Washington Post. Archived from the original on 2024-10-07. Retrieved 2024-10-08.
- [5] "Chinese Embassy rejects US accusations of 'Salt Typhoon' hacking operation". RNZ. 2024-12-08. Retrieved 2025-01-30.
- [6] Greig, Jonathan (2024-11-25). "China's Salt Typhoon hackers target telecom firms in Southeast Asia with new malware". Recorded Future. Archived from the original on 2024-11-28. Retrieved 2024-12-31.
- [7] "Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions". Trend Micro. 2024-11-25. Retrieved 2025-02-04.
- [8] Bleiberg, Jake (2025-06-04). "Chinese Hacked US Telecom a Year Before Known Wireless Breaches". Bloomberg News. Retrieved 2025-06-14.
- [9] Volz, Dustin (2024-12-04). "Dozens of Countries Hit in Chinese Telecom Hacking Campaign, Top U.S. Official Says". The Wall Street Journal. Archived from the original on 2024-12-04. Retrieved 2024-12-05.
- [10] Tucker, Eric (2024-12-27). "A 9th telecoms firm has been hit by a massive Chinese espionage campaign, the White House says". Associated Press. Retrieved 2024-12-27.
- [11] Ahmed, Deborah (2025-01-07). "US Telecom Breaches Widen as 9 Firms Hit by Chinese Salt Typhoon Hackers". Hackread. Retrieved 2025-01-08.
- [12] Krouse, Sarah; Volz, Dustin; Viswanatha, Aruna; McMillan, Robert (2024-10-05). "U.S. Wiretap Systems Targeted in China-Linked Hack". The Wall Street Journal. Archived from the original on 2024-10-05.
- [13] Krouse, Sarah; Volz, Dustin (2024-11-15). "T-Mobile Hacked in Massive Chinese Breach of Telecom Networks". The Wall Street Journal. Retrieved 2024-11-15.
- [14] Page, Carly (2025-01-06). "Meet the Chinese 'Typhoon' hackers preparing for war". TechCrunch. Retrieved 2025-01-08.
- [15] Barrett, Devlin; Swan, Jonathan; Haberman, Maggie (2024-10-25). "Chinese Hackers Are Said to Have Targeted Phones Used by Trump and Vance". The New York Times. Archived from the original on 2024-11-10. Retrieved 2024-10-25.
- [16] "US House committee seeks record on Chinese telecom hacking". Reuters. 2025-03-17. Retrieved 2025-03-17.
- [17] Sanger, David E.; Corasaniti, Nick (2025-04-05). "Trump Weakens U.S. Cyberdefenses at a Moment of Rising Danger". The New York Times. ISSN 0362-4331. Retrieved 2025-04-27.
- [18] Goodin, Dan (2025-04-25). "FBI offers $10 million for information about Salt Typhoon members". Ars Technica. Retrieved 2025-04-27.
- [19] Collier, Kevin (2025-07-15). "National Guard hacked by Chinese 'Salt Typhoon' campaign for nearly a year, DHS memo says". NBC News. Retrieved 2025-07-20.
- [20] Sevastopulo, Demetri (2026-01-07). "China hacked email systems of US congressional committee staff". Financial Times. Archived from the original on 2026-01-08. Retrieved 2026-01-07.
- [21] Belot, Henry (2025-11-11). "Asio accuses Chinese hackers of seeking access to Australia's critical infrastructure". The Guardian. ISSN 0261-3077. Retrieved 2025-11-12.
- [22] Needham, Kirsty (2025-11-12). "Australia spy chief says Chinese hackers probing telecommunications, critical infrastructure". Reuters. Retrieved 2025-11-12.
- [23] Barrett, Devlin (2024-10-26). "What to Know About the Chinese Hackers Who Targeted the 2024 Campaigns". The New York Times. Archived from the original on 2024-12-21. Retrieved 2024-12-31.
- [24] Kovacs, Eduard (2024-10-07). "China's Salt Typhoon Hacked AT&T, Verizon: Report". SecurityWeek.
- [25] "ESET Research discovers FamousSparrow APT group spying on hotels, governments and private companies". ESET Newsroom, WeLiveSecurity. Archived from the original on 2024-11-28. Retrieved 2024-12-06.
- [26] Goodin, Dan (2025-06-23). "Canadian telecom hacked by suspected China state group". Ars Technica. Retrieved 2025-06-24.
- [27] Tarabay, Jamie (2025-06-17). "Viasat Identified as Victim in Sweeping Phone Hack Tied to China". Bloomberg News. Retrieved 2025-06-18.
- [28] "GhostEmperor: From ProxyLogon to kernel mode". Securelist (securelist.com). 2021-09-30. Archived from the original on 2024-10-01. Retrieved 2024-10-08.
- [29] "GhostEmperor returns with updated Demodex rootkit" (PDF). Infocomm Media Development Authority (www.imda.gov.sg). Retrieved 2024-10-08.
- [30] "Malpedia: GhostEmperor". Fraunhofer Society. Archived from the original on 2024-10-08. Retrieved 2024-10-08.
- [31] Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System (Report). Fort Meade, MD. 2025-08-27. Retrieved 2025-09-03.
- [32] Caveza, Scott (2025-01-23). "Salt Typhoon: An Analysis of Vulnerabilities Exploited by this State-Sponsored Actor". Tenable (www.tenable.com).
- [33] Jones, Nathaniel; Lister, Sam (2025-10-20). "Salty Much: Darktrace's view on a recent Salt Typhoon intrusion". Darktrace. Retrieved 2025-11-11.
- [34] "Treasury Sanctions Company Associated with Salt Typhoon and Hacker Associated with Treasury Compromise" (Press release). U.S. Department of the Treasury. 2025-01-17. Retrieved 2025-09-05.
- [35] "AT&T, Verizon reportedly hacked to target US govt wiretapping platform". BleepingComputer. Archived from the original on 2024-10-07. Retrieved 2024-10-08.