Overview
Salt Typhoon is considered an advanced persistent threat (APT) actor, reportedly operated by the Chinese government.
Their activities focus on cyberespionage, with a particular emphasis on widespread data theft, including the capture of network traffic.
The group’s operations have been linked to the Ministry of State Security (MSS), China’s foreign intelligence service. Former NSA analyst Terry Dunlap has described Salt Typhoon as “another component of China’s 100-Year Strategy,” highlighting the long-term strategic implications of their actions.
Known Aliases
GhostEmperor, FamousSparrow, King of world, UNC2286
Country of Origin
China
Most Recent Attacks of Salt Typhoon
- September 2024: Breach of US internet service provider (ISP) networks, targeting core network components including Cisco routers. This attack allowed access to a significant portion of internet traffic.
- October 2024: Exploitation of backdoors in US ISP networks used for law enforcement wiretapping. This compromised networks belonging to AT&T, Verizon, Lumen Technologies, and T-Mobile, potentially granting access to sensitive communications data. Further reports indicate attempts to access the phones of staff from the Kamala Harris 2024 presidential campaign, as well as those of Donald Trump and JD Vance.
Known High-Profile Victims of Salt Typhoon
- US Internet Service Providers (ISPs): Multiple major US ISPs were compromised, impacting both the general public’s internet access and law enforcement wiretap systems. The scale of this attack is significant, affecting core network infrastructure.
- US Government Agencies: While not explicitly named, the October 2024 attack on wiretap systems indicates a compromise of government agencies relying on these networks for surveillance.
- Political Campaigns: Attempts were made to access the phones of staff associated with the Kamala Harris, Donald Trump, and JD Vance campaigns. The success of these attempts remains unclear.
- Hotels and Government Agencies (Worldwide): Previous attacks, prior to the September and October 2024 incidents, targeted hotels and government agencies globally.
Common Methods of Infiltration Used by Salt Typhoon
- Windows Kernel-Mode Rootkit (Demodex): Salt Typhoon uses a sophisticated Windows kernel-mode rootkit, named Demodex by Kaspersky Lab, to gain remote control over targeted servers. Because it runs in kernel mode, the rootkit gives the group persistent access while evading detection by user-mode security tools.
- Anti-forensic and Anti-analysis Techniques: The group employs advanced techniques to hinder forensic investigation and analysis of their activities, making attribution and remediation challenging.