The China-linked cyberespionage group tracked as Salt Typhoon, and also known as GhostEmperor and Operator Panda, has been targeting and compromising backbone and edge routers worldwide since at least 2021. Its primary objective is long-term access to a wide range of networks for intelligence collection, with particular focus on the government, military, telecommunications, transportation, and lodging sectors in the United States, Canada, Australia, New Zealand, and the United Kingdom. Because the compromised devices carry other organizations' traffic, this sustained campaign gives Chinese intelligence services the ability to monitor the communications and movements of individuals and organizations far beyond the networks that were directly breached.
Salt Typhoon gains initial access by exploiting known, already-patched vulnerabilities, rather than zero-days, in products from major network equipment vendors including Cisco, Ivanti, and Palo Alto Networks. Once on a device, the group works to stay there and stay unnoticed: it modifies Access Control Lists (ACLs) to permit its own source addresses, builds tunnels (such as GRE) between compromised devices and its infrastructure, and uses multi-hop pivoting to move between networks and alter routing. Combined with port mirroring of selected traffic, these changes let the actors both surveil communications and build a detailed picture of how the victim's network is configured. The reliance on known flaws points to a methodical, patient operation that exploits unpatched or exposed edge devices rather than investing in novel exploits.
To expand their foothold and move laterally, the actors focus on the components that control access to the network itself: authentication traffic (notably TACACS+), router management interfaces, and device configuration files, frequently recovering credentials from captured traffic. They also change AAA server settings so that authentication requests are sent to actor-controlled infrastructure, create privileged local accounts, and scan for open ports to find further entry points. To stay covert, they delete logs and disable logging on the devices they control. This level of operational security is what has allowed the group to remain undetected for extended periods.
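The configuration changes described in the two paragraphs above all leave traces in a router's running configuration. The following is an added example, not part of the original article or of any agency advisory, of a configuration-diff style hunt over a Cisco IOS-like running-config: it flags local users, TACACS+ servers, tunnel interfaces, mirroring sessions, ACL entries, logging changes and SSH ports that deviate from an operator-supplied baseline. The sample configuration, the baseline values, and the function names are constructed for illustration; a real hunt would use the device's actual known-good configuration as the baseline.

```python
"""Hunt for router-persistence indicators in a Cisco IOS-style running-config.

Added example: the techniques checked (ACL tampering, GRE tunnels, SPAN/ERSPAN
mirroring, TACACS+ redirection, rogue local users, logging disabled, SSH on a
non-standard port) are the ones described in the text. The baseline, sample
configuration and helper names below are constructed for illustration.
"""
import ipaddress

# Constructed baseline: what the operator believes the device should contain.
BASELINE = {
    "tacacs_servers": {"10.10.1.5"},
    "local_users": {"netops"},
    "mgmt_allowed_cidrs": ["10.10.0.0/16"],
    "ssh_port": 22,
}

# Constructed sample running-config carrying several indicators at once.
SAMPLE_CONFIG = """\
hostname pe-router-01
username netops privilege 15 secret 9 $9$abc
username svc_backup privilege 15 secret 9 $9$def
tacacs server ISE
 address ipv4 10.10.1.5
tacacs server AAA2
 address ipv4 203.0.113.77
interface Tunnel77
 ip address 172.16.99.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 198.51.100.23
monitor session 1 type erspan-source
 source interface GigabitEthernet0/0/1
 destination
  erspan-id 101
  ip address 198.51.100.23
ip access-list extended MGMT-IN
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
 permit tcp host 198.51.100.23 any eq 22
no logging buffered
ip ssh port 2222 rotary 1
"""


def _blocks(config):
    """Yield (header, [child lines]) for each top-level stanza; children are stripped."""
    header, children = None, []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            children.append(raw.strip())
        else:
            if header is not None:
                yield header, children
            header, children = raw.strip(), []
    if header is not None:
        yield header, children


def _acl_source(tokens):
    """Source network of a 'permit <proto> <src> ...' ACE; None means 'any'."""
    src = tokens[2]
    if src == "any":
        return None
    if src == "host":
        return ipaddress.ip_network(tokens[3])
    # A Cisco wildcard mask marks "don't care" bits, i.e. it is a hostmask.
    return ipaddress.ip_network(f"{src}/{tokens[3]}", strict=False)


def hunt(config, baseline=BASELINE):
    """Return (indicator, detail) pairs for stanzas that deviate from the baseline."""
    findings = []
    allowed = [ipaddress.ip_network(c) for c in baseline["mgmt_allowed_cidrs"]]
    for header, children in _blocks(config):
        if header.startswith("username "):
            user = header.split()[1]
            if user not in baseline["local_users"]:
                findings.append(("rogue_local_user", user))
        elif header.startswith(("tacacs server ", "tacacs-server host ")):
            addrs = [c.split()[-1] for c in children if c.startswith("address ipv4 ")]
            if header.startswith("tacacs-server host "):  # legacy single-line form
                addrs.append(header.split()[2])
            findings += [("tacacs_redirect", a) for a in addrs
                         if a not in baseline["tacacs_servers"]]
        elif header.startswith("interface Tunnel"):
            dest = next((c.split()[-1] for c in children
                         if c.startswith("tunnel destination ")), "?")
            findings.append(("tunnel_interface", f"{header.split()[1]} -> {dest}"))
        elif header.startswith("monitor session "):
            dest = next((c.split()[-1] for c in children
                         if c.startswith("ip address ")), "local")
            findings.append(("traffic_mirroring", f"{header} -> {dest}"))
        elif header.startswith("ip access-list "):
            for ace in children:
                tok = ace.split()
                if tok[0] != "permit":
                    continue
                src = _acl_source(tok)
                if src is None or not any(src.subnet_of(a) for a in allowed):
                    findings.append(("acl_tampering", f"{header.split()[-1]}: {ace}"))
        elif header.startswith("no logging"):
            findings.append(("logging_disabled", header))
        elif header.startswith("ip ssh port "):
            port = int(header.split()[3])
            if port != baseline["ssh_port"]:
                findings.append(("ssh_nonstandard_port", str(port)))
    return findings


if __name__ == "__main__":
    for kind, detail in hunt(SAMPLE_CONFIG):
        print(f"{kind:22} {detail}")
```

Run against the constructed sample, the hunt reports the extra local user, the second TACACS+ server, the tunnel and ERSPAN session pointing at the same external address, the ACL entry admitting that address, the disabled buffer logging, and SSH moved to port 2222. The point of driving the check from a baseline rather than a fixed signature list is that the actors' changes are individually legitimate-looking configuration; what makes them suspicious is that nobody on the operations team put them there.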
Salt Typhoon's operations have been linked to several China-based companies that provide cyber products and services to Chinese intelligence. That link underscores the role of a broader contractor ecosystem in supporting and scaling Chinese cyber espionage: these firms are involved in everything from building infrastructure to carrying out intrusions. The model allows the operations to evolve quickly and operate at unusual scale, with the group reported to have targeted hundreds of organizations across some 80 countries in a single year.
Given how persistent and long-lived Salt Typhoon's access tends to be, cybersecurity agencies have issued joint advisories with specific indicators of compromise (IOCs) and guidance for threat hunters. These advisories stress that organizations must not only find and evict the actors but also shield the incident response itself from them: the group has compromised administrator devices and accounts specifically to watch for signs that it has been detected, so hunting and response should be coordinated out of band, from systems and accounts the actors cannot see. The ongoing threat from Salt Typhoon underlines the need to patch edge devices promptly, minimize their exposed management surface, and monitor their configurations for unauthorized change.