Salt Typhoon, a China-linked threat actor that has spent years conducting espionage against high-value government and telecommunications organizations, has added a new backdoor, GhostSpider, to its toolset. The group is tracked under several vendor names, including Earth Estries, FamousSparrow, GhostEmperor and UNC2286, and is regarded as one of China's most capable advanced persistent threats (APTs). It has been active since at least 2020, and its tactics shifted markedly around 2022, as described below. Salt Typhoon has compromised more than 20 organizations worldwide, some of which went undetected for long periods; its most recent victims include US telecommunications carriers such as T-Mobile USA and Internet service providers in North America.
Salt Typhoon's malware arsenal is extensive and versatile. According to Trend Micro, the group has access to a range of capable tools, including the Masol RAT, SnappyBee (also known as Deed RAT) and the newly discovered GhostSpider backdoor. GhostSpider is a modular backdoor whose components can be swapped in per intrusion; because no single sample exposes the full feature set, signature-based detection and incident response are harder. Salt Typhoon is also believed to possess a rootkit named Demodex and may have deployed Inc ransomware in some operations.
The complexity and diversity of Salt Typhoon's malware reflect a structured, specialized organization: separate teams manage different backdoors and apply different tactics, techniques and procedures (TTPs) depending on the target's region and industry. That division of labor makes the group's activity harder to track and attribute, and the operators are adept at gaining initial access, maintaining persistence and covering their tracks.
Earth Estries is Trend Micro's name for the same group. Under that name it has been observed conducting espionage since 2020, but its tactics changed markedly around 2022. Instead of relying mainly on phishing employees, the group began exploiting n-day vulnerabilities, that is, publicly disclosed bugs for which a patch already exists, in Internet-facing devices. The approach works because organizations often lag in patching edge equipment; products exploited this way include Fortinet FortiClient EMS (for example CVE-2023-48788), Sophos Firewall (for example CVE-2022-3236) and Microsoft Exchange via ProxyLogon (CVE-2021-26855).
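Because ProxyLogon is one of the named entry vectors, a defender's first question is whether an Exchange server in the estate was hit through it. The following is an added example, not code from the original article or from Trend Micro: it mirrors the Exchange HttpProxy-log check Microsoft published for CVE-2021-26855 (unauthenticated requests whose AnchorMailbox field begins with `ServerInfo~` and carries a path). The log records below are constructed and use a simplified column set; real HttpProxy logs contain many more fields, and the path `%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy` is where they live on a real server.

```python
import csv
import io
from collections import Counter
from typing import Dict, List

# Constructed sample of Exchange HttpProxy log records (simplified column set).
# Not real captured data. Rows 1 and 3 model the CVE-2021-26855 SSRF pattern:
# no authenticated user, AnchorMailbox starting with "ServerInfo~" and pointing
# at a backend path. Row 2 is a normal OWA logon; row 4 is an authenticated
# autodiscover request and must not be flagged.
SAMPLE_HTTPPROXY_LOG = """DateTime,RequestId,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress
2021-03-02T08:14:01.000Z,1,/owa/auth/Current/themes/resources/logon.css,,ServerInfo~a]@exchange.example.com/autodiscover/autodiscover.xml?#,203.0.113.7
2021-03-02T08:14:09.000Z,2,/owa/,alice@example.com,Smtp~alice@example.com,198.51.100.22
2021-03-02T08:15:33.000Z,3,/ecp/y.js,,ServerInfo~localhost/ecp/proxyLogon.ecp?#,203.0.113.7
2021-03-02T08:16:00.000Z,4,/autodiscover/autodiscover.xml,svc-monitor@example.com,ServerInfo~exch01/autodiscover,198.51.100.9
"""


def is_proxylogon_ssrf(row: Dict[str, str]) -> bool:
    """Return True when a HttpProxy record matches the CVE-2021-26855 pattern.

    The condition is the one Microsoft published: the request is unauthenticated
    (empty AuthenticatedUser) and the AnchorMailbox value is a raw
    "ServerInfo~<host>/<path>" target rather than a mailbox anchor such as
    "Smtp~user@domain".
    """
    anchor = row.get("AnchorMailbox", "") or ""
    authed = (row.get("AuthenticatedUser", "") or "").strip()
    return authed == "" and anchor.startswith("ServerInfo~") and "/" in anchor


def find_proxylogon_ssrf(log_text: str) -> List[Dict[str, str]]:
    """Parse CSV-formatted HttpProxy log text and return the suspicious rows."""
    reader = csv.DictReader(io.StringIO(log_text))
    return [row for row in reader if is_proxylogon_ssrf(row)]


def summarize_by_source(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count suspicious requests per client IP so the analyst sees who is probing."""
    return dict(Counter(row["ClientIpAddress"] for row in hits))


if __name__ == "__main__":
    hits = find_proxylogon_ssrf(SAMPLE_HTTPPROXY_LOG)
    for row in hits:
        print(f"{row['DateTime']} req={row['RequestId']} src={row['ClientIpAddress']} "
              f"stem={row['UrlStem']} anchor={row['AnchorMailbox']}")
    print("per-source counts:", summarize_by_source(hits))
```

A hit in these logs means the SSRF pre-auth step was at least attempted; confirming exploitation still requires checking the ECP/OAB logs and the web root for dropped web shells, and the absence of hits does not clear a server whose logs have rotated since March 2021.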
Salt Typhoon's operations span multiple continents and sectors, including telecommunications, technology, consulting, chemicals, transportation and nonprofit organizations. Government agencies are the primary focus, but NGOs and other entities are targeted in their own right or used as stepping stones toward higher-value victims. In 2023, researchers observed Salt Typhoon compromising consulting firms and NGOs associated with the US government and military in order to accelerate breaches of more critical targets.
Overall, Salt Typhoon's sophisticated tactics, advanced malware arsenal and strategic approach to cyberespionage make it a formidable and elusive adversary for organizations worldwide. In practice, defending against the group means patching Internet-facing devices promptly, hunting for its known tooling, and sharing indicators across organizations so that critical infrastructure and sensitive information are protected.