The extensive reach and sophisticated tactics of the China-linked cyber espionage group known as Salt Typhoon (also tracked as Earth Estries) have been unveiled in a recent report by researchers from Trend Micro. This group, which gained notoriety for hacking thousands of devices at US telecom firms, has also targeted over 20 organizations globally. Their targets span various sectors, including technology, consulting, chemical and transportation industries, government agencies, and NGOs, especially since 2023. Affected countries include the US, Afghanistan, Brazil, Eswatini, India, Indonesia, Malaysia, Pakistan, the Philippines, South Africa, Taiwan, Thailand, and Vietnam. This series of exploits has made Salt Typhoon one of the most aggressive Chinese advanced persistent threat (APT) groups active today.
Salt Typhoon has been active since 2020, focusing its efforts on prolonged attacks against governments and internet service providers. In mid-2022, the group escalated its targets to include government service providers and telecom firms. By 2023, Salt Typhoon had expanded its attacks to consulting firms and NGOs associated with the US federal government and military. Notably, these intrusions have targeted not only the databases and cloud servers of telecom firms but their critical supply chains as well. This is illustrated by the implantation of the Demodex rootkit on systems used by a significant regional telecom contractor.
Salt Typhoon’s Tactics and Techniques
Researchers have observed that Salt Typhoon typically exploits vulnerabilities in public-facing servers for initial access, notably in Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887), Fortinet FortiClient EMS (CVE-2023-48788), Sophos Firewall (CVE-2022-3236), and Microsoft Exchange servers (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065); the Ivanti Connect Secure and FortiClient EMS flaws are among the most exploited. Once access is gained, the group relies on “living-off-the-land” techniques, employing legitimate software tools such as WMIC.exe and PsExec to move laterally across networks undetected.
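Because the report singles out WMIC.exe and PsExec as the lateral-movement tools, the following is an added detection example, not code from Trend Micro's report or any vendor tooling: it hunts for the remote-execution signatures of both tools (the WMIC /node: form and the PSEXESVC service PsExec installs by default) over constructed, Sysmon-style process-creation and service-install records. The field names, host names and user names are assumptions for illustration.

```python
import ntpath
import re

# Constructed sample telemetry, loosely modelled on Sysmon process-creation (EventID 1)
# and Windows service-installation (EventID 7045) records. Every line is made up for
# this example; hosts and users are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    'EventID=1 Host=ws01 User=CORP\\alice Image=C:\\Windows\\System32\\wbem\\WMIC.exe '
    'CommandLine=wmic /node:srv02 process call create "cmd.exe /c whoami"',
    'EventID=1 Host=ws01 User=CORP\\alice Image=C:\\Windows\\System32\\wbem\\WMIC.exe '
    'CommandLine=wmic os get caption',
    'EventID=7045 Host=srv02 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe',
    'EventID=7045 Host=srv02 ServiceName=Spooler ImagePath=%SystemRoot%\\System32\\spoolsv.exe',
    'EventID=1 Host=srv02 User=CORP\\svc-backup Image=C:\\Tools\\PsExec.exe '
    'CommandLine=PsExec.exe \\\\srv03 -s cmd.exe',
]

FIELD_RE = re.compile(r'(\w+)=(.*?)(?=\s+\w+=|$)')

def parse_event(line):
    """Split a 'key=value key=value' line into a dict (values may contain spaces)."""
    return dict(FIELD_RE.findall(line))

def classify(event):
    """Return (rule, detail) for a lateral-movement pattern, or None for benign events."""
    image = ntpath.basename(event.get('Image', '')).lower()
    cmd = event.get('CommandLine', '')
    if event.get('EventID') == '1' and image == 'wmic.exe':
        # Local WMIC queries are routine; only the remote form (/node:<host>) is flagged.
        m = re.search(r'/node:"?([^\s"]+)', cmd, re.IGNORECASE)
        if m:
            return ('wmic_remote_process', f'remote target {m.group(1)}')
    if event.get('EventID') == '1' and image in ('psexec.exe', 'psexec64.exe'):
        m = re.search(r'\\\\([^\s\\]+)', cmd)
        return ('psexec_launch', f'remote target {m.group(1) if m else "unknown"}')
    if event.get('EventID') == '7045':
        # PsExec installs a service named PSEXESVC on the destination host by default.
        if 'PSEXESVC' in (event.get('ServiceName', '') + event.get('ImagePath', '')).upper():
            return ('psexec_service_install', f"service {event.get('ServiceName')}")
    return None

def hunt(lines):
    """Run every line through the rules; return (host, rule, detail) findings in order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        hit = classify(ev)
        if hit:
            findings.append((ev.get('Host', '?'), hit[0], hit[1]))
    return findings

if __name__ == '__main__':
    for host, rule, detail in hunt(SAMPLE_EVENTS):
        print(f'{host}: {rule} ({detail})')
```

Pairing the WMIC finding on the source host with the PSEXESVC install on the destination host is what turns individual benign-looking tool executions into a lateral-movement chain worth triaging.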
The diversity of malware deployed by Salt Typhoon is impressive. They utilize the SnappyBee (Deed RAT) backdoor, the Demodex rootkit, and a recently identified backdoor called GhostSpider. GhostSpider is particularly notable because it can load different modules based on the attackers’ specific objectives, thus allowing for a wide range of exploitation activities. The overarching trend indicates that Salt Typhoon’s operations are expansive and adaptable, targeting a broad spectrum of industries and employing sophisticated methods to remain undetected while conducting long-term espionage. Their strategies reinforce the evolving challenge of cybersecurity in a tech-reliant modern world.
Global Impact and Potential Connections
Despite the detailed findings, Trend Micro acknowledges that more evidence is needed to conclusively identify proprietary backdoors specifically attributed to Earth Estries. However, the tactics, techniques, and procedures (TTPs) observed bear a striking resemblance to those used by Salt Typhoon, thereby hinting at possible connections. There is insufficient evidence to definitively link Earth Estries to recent attacks against major US telcos like Verizon, AT&T, and Lumen, but the similarities in methodology underscore the influence of Salt Typhoon’s blueprint on current cybersecurity challenges.
Salt Typhoon’s infiltration techniques and subsequent movements through respected and critical networks have ramifications that extend well beyond the immediate targets. Global security frameworks need meticulous analysis and adaptability to predict and combat such threats. The manipulation of legitimate software tools and the sophisticated deployment of malware show an advanced understanding of their targets’ internal structures and defense mechanisms. Continuous adaptation and advancements in cybersecurity protocols are essential in overcoming the perpetual evolution of tactics displayed by adept groups like Salt Typhoon.
Long-Term Threat and Ongoing Vigilance
Recent findings by Trend Micro researchers have exposed the far-reaching and advanced techniques used by the China-affiliated cyber espionage group Salt Typhoon (also tracked as Earth Estries). Known for breaching thousands of devices at US telecom companies, this group has extended its attacks to over 20 global organizations across diverse sectors, including technology, consulting, chemicals, transportation, government agencies, and NGOs, particularly from 2023 onward. Countries impacted include the US, Afghanistan, Brazil, Eswatini, India, Indonesia, Malaysia, Pakistan, the Philippines, South Africa, Taiwan, Thailand, and Vietnam. This set of attacks has cemented Salt Typhoon’s reputation as one of the most aggressive Chinese APT groups currently active.
Active since 2020, Salt Typhoon has concentrated on sustained attacks against governments and internet service providers. By mid-2022, their targets expanded to encompass government service providers and telecom firms. In 2023,