Recently, reports indicate that a newly discovered advanced persistent threat (APT) known as “Salt Typhoon” has breached the networks of Internet service providers (ISPs) in the United States, with the primary aim of extracting sensitive information and possibly establishing a base for potential disruptive attacks. According to sources familiar with the situation cited by the Wall Street Journal on September 25, Chinese-sponsored state hackers have successfully compromised a few cable and broadband service providers as part of their operation.
While specific details about Salt Typhoon are limited, experts point out that the incursion reflects China’s broader geopolitical strategy. By gaining access to ISP networks, the threat actors can conduct reconnaissance to identify high-value targets, including individuals working in government agencies, law enforcement, manufacturing firms, military contractors, and Fortune 100 companies. Sean McNee, Vice President of Research and Data at DomainTools, highlights the potential for bad actors to gather information on users’ locations, services accessed, billing details, communication patterns, and more.
Moreover, given China’s territorial ambitions regarding regions like Taiwan, there is likely a military dimension to the campaign. Sean Deuby, Principal Technologist at Semperis, expresses concerns about China’s shift from surveillance-oriented cyber activities to developing offensive capabilities aimed at disrupting critical civilian and military infrastructure in the US. He warns of potential scenarios where China could impede US responses to their actions through various disruptive techniques.
The precedent for such actions is evident in the case of another threat group known as Volt Typhoon, exposed by Microsoft earlier this year for its attempts to infiltrate military bases, critical infrastructure assets, and telecom infrastructure to disrupt operations in the event of a conflict in the South China Sea. Despite denials from the Chinese authorities, the group has continued to expand its operations following its exposure.
The infiltration of ISP networks by Salt Typhoon is part of a broader pattern of Chinese-sponsored cyber campaigns targeting critical infrastructure and regional allies, as highlighted by Microsoft’s ongoing threat intelligence reports. Previous efforts include operations by threat actors like Flax Typhoon and Brass Typhoon (also known as APT41, Earth Baxia, and Wicked Panda) that have targeted entities in Taiwan, government agencies, military installations, and manufacturing facilities in the US and other countries.
To combat these threats, communication service providers need to bolster their defenses against cyber intrusions. Beyond training employees to recognize phishing and social engineering, Terry Dunlap, Chief Security Strategist at NetRise, emphasizes the importance of securing firmware and supply chain integrity within core network equipment. Best practices developed by global entities like the World Economic Forum advocate for information sharing, collaboration with hardware manufacturers to enhance security standards, and improving routing security measures within ISPs.
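As an added illustration of the routing security measures mentioned above (this example is not part of the original report and is not code from any of the organizations named in it), the following Python script performs RPKI-style route origin validation: each BGP announcement is checked against Route Origin Authorizations (ROAs) and classified as Valid, Invalid, or NotFound, and Invalid routes are rejected. The ROAs and announcements are constructed sample data using documentation prefixes and private-range ASNs; a production validator would load ROAs from an RPKI validator cache.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Roa:
    """A Route Origin Authorization: which ASN may originate a prefix, and how specific it may be."""
    prefix: str
    max_length: int
    origin_asn: int


# Constructed sample ROAs (documentation prefixes, private-range ASNs); assumption, not real allocations.
SAMPLE_ROAS = [
    Roa("192.0.2.0/24", 24, 64500),
    Roa("198.51.100.0/22", 24, 64501),
    Roa("2001:db8::/32", 48, 64502),
]


def validate_route(prefix: str, origin_asn: int, roas: Iterable[Roa] = SAMPLE_ROAS) -> str:
    """Return 'Valid', 'Invalid' or 'NotFound' following the RPKI route origin validation rules."""
    announced = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # subnet_of() only accepts networks of the same address family, so check the version first
        if roa_net.version == announced.version and announced.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "NotFound"  # no ROA says anything about this prefix
    for roa in covering:
        # Valid only if the origin matches AND the announcement is no more specific than maxLength
        if roa.origin_asn == origin_asn and announced.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"  # covered by a ROA, but wrong origin or too specific (hijack or leak pattern)


def apply_policy(announcements, roas: Iterable[Roa] = SAMPLE_ROAS):
    """Reject Invalid announcements; accept Valid and NotFound ones (a common ISP filtering policy)."""
    decisions = {}
    for prefix, origin_asn in announcements:
        state = validate_route(prefix, origin_asn, roas)
        decisions[(prefix, origin_asn)] = ("reject" if state == "Invalid" else "accept", state)
    return decisions


# Constructed sample announcements covering each validation outcome.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),     # legitimate origin
    ("192.0.2.0/25", 64500),     # right origin, but more specific than maxLength allows
    ("192.0.2.0/24", 64666),     # wrong origin for a covered prefix
    ("198.51.100.0/23", 64501),  # within maxLength of the /22 ROA
    ("203.0.113.0/24", 64500),   # no ROA covers this prefix
    ("2001:db8:1::/48", 64502),  # IPv6, within maxLength
]

if __name__ == "__main__":
    for (prefix, asn), (action, state) in apply_policy(SAMPLE_ANNOUNCEMENTS).items():
        print(f"{prefix:<20} AS{asn:<6} {state:<9} -> {action}")
```

The NotFound case is accepted here because most prefixes still have no ROA; rejecting them would drop legitimate traffic. The value of the check lies in the Invalid case, which catches an announcement that is either originated by the wrong ASN or deaggregated beyond what the holder authorized, both of which are what route hijacks and leaks look like on the wire.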
Despite these efforts, significant gaps likely remain in the overall cybersecurity posture of many organizations, necessitating a continuous and proactive approach to defending against evolving cyber threats targeting critical infrastructure.