QUICKLOOK: Salt Typhoon: China's Silent Infiltration of U.S. Internet Providers
Following Volt and Flax, Salt Typhoon Marks China’s Expanding Cyber Capabilities in Targeting U.S. Service Providers
BLUF:
The Salt Typhoon campaign, a Chinese state-sponsored cyberattack, has infiltrated U.S. ISPs with the intent of gathering sensitive intelligence and potentially preparing for future disruptive attacks. This breach, which could affect critical infrastructure, is part of China’s broader strategy involving similar APT groups, and it highlights the pressing need for enhanced cybersecurity defenses to protect U.S. national security.
Abstract:
Salt Typhoon, a Chinese state-sponsored advanced persistent threat (APT), has targeted multiple U.S. internet service providers (ISPs) in 2024. The attack aims to steal sensitive data and establish a foothold for future disruptive cyberattacks. This report outlines Salt Typhoon's capabilities, such as its use of advanced rootkits and memory-based malware, and compares its activities to related Chinese APT groups like Flax Typhoon and Volt Typhoon. The infiltration of U.S. ISP networks poses a significant risk to critical infrastructure, potentially impacting communications, government agencies, and private corporations. The strategic implications of these activities, particularly concerning China's broader geopolitical ambitions, are also discussed. The report concludes with recommendations for bolstering defenses against such sophisticated cyber threats.
Introduction:
The increasing sophistication of Chinese cyber operations poses an escalating threat to U.S. critical infrastructure. In 2024, a Chinese state-sponsored APT group, named Salt Typhoon, launched an extensive cyber espionage campaign targeting U.S. internet service providers (ISPs). This campaign represents a new phase in China's long-term strategy of pre-positioning cyber assets within critical infrastructure, aimed at both gathering intelligence and preparing for future disruptive operations. Salt Typhoon’s use of advanced tools, including kernel-mode rootkits and in-memory malware, reflects the group’s high level of sophistication and long-term persistence. This report will examine Salt Typhoon’s tactics, capabilities, and potential impact on U.S. national security, as well as its role in China’s broader cyber operations landscape. Furthermore, it will provide a comparative analysis of other Chinese APT groups, such as Flax Typhoon and Volt Typhoon, highlighting the strategic threats these groups pose. Finally, the report will offer recommendations to defend against these persistent cyber threats.
Salt Typhoon: Targeting Core Internet Infrastructure
The Salt Typhoon operation, discovered in 2024, focuses on penetrating U.S. broadband and cable providers. These attacks form part of a longer-term strategy aimed at embedding within critical infrastructure.
Key Aspects:
Target: U.S. ISPs, particularly those managing critical internet infrastructure.
Scope: Salt Typhoon has successfully breached several ISPs, potentially compromising sensitive data and Cisco Systems routers, which route significant portions of U.S. internet traffic.
Attribution: Microsoft and security researchers have attributed this campaign to Salt Typhoon, also known as FamousSparrow and GhostEmperor.
Objective: The primary goal is espionage, though the possibility of future disruptive cyberattacks looms.
Strategic Implications: By accessing ISP networks, Salt Typhoon threatens the backbone of U.S. internet infrastructure, posing risks to a range of sectors, including military, government, and Fortune 100 companies.
Salt Typhoon’s Capabilities and Tactics
Salt Typhoon, also known as GhostEmperor and FamousSparrow, demonstrates a high level of sophistication in its cyber operations, employing various advanced tactics and tools:
Advanced Rootkits: The group deploys a kernel-mode rootkit named Demodex, which conceals malware artifacts, rendering detection difficult by traditional security solutions.
Evasion Techniques: Salt Typhoon uses a multi-stage malware framework that ensures persistent and remote access to compromised networks.
Exploitation of Vulnerabilities: The group frequently exploits vulnerabilities in widely used software such as Apache, Microsoft Exchange, and Oracle, often leveraging the ProxyLogon vulnerabilities to gain initial access.
Living-off-the-Land Tactics: Salt Typhoon uses legitimate system utilities like WMI and PsExec to move laterally within compromised networks, minimizing its footprint.
Kernel-Mode Access: By abusing legitimately signed drivers to bypass Windows Driver Signature Enforcement (WDSE), Salt Typhoon is able to run malicious code at the kernel level.
In-Memory Execution: Their malware operates primarily in memory, making detection and analysis significantly more challenging.
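As an added illustration of how a defender might hunt for the living-off-the-land and signed-driver behaviour listed above, the following Python script applies three simple detections to Windows event records: a PsExec service installation (System event 7045), a shell spawned by the WMI provider host (Security event 4688), and a signed driver load from a publisher outside an organisation's allowlist (Sysmon event 6). This code is not part of the original report or of any vendor product; the event records, host names, driver path and signer names are constructed for the example, and the field names assume a log pipeline that exposes those events with the fields shown.

```python
"""Flag Windows event records matching lateral-movement and driver-load
patterns associated with living-off-the-land tradecraft.

All sample events below are constructed for illustration; they are not
real telemetry from any incident.
"""
import ntpath
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Shells and script hosts that are suspicious when WmiPrvSE.exe is the parent.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
          "cscript.exe", "rundll32.exe", "mshta.exe"}

# Assumed organisational allowlist of driver signers (constructed; tune locally).
TRUSTED_DRIVER_SIGNERS = {"Microsoft Windows",
                          "Microsoft Windows Hardware Compatibility Publisher"}


@dataclass
class Event:
    source: str                      # "System", "Security" or "Sysmon"
    event_id: int
    fields: Dict[str, str] = field(default_factory=dict)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    # PsExec drops and starts a service named PSEXESVC on the remote host.
    Event("System", 7045, {"Host": "fs01", "ServiceName": "PSEXESVC",
                           "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}),
    # Benign service install.
    Event("System", 7045, {"Host": "fs01", "ServiceName": "Backup Agent",
                           "ImagePath": r"C:\Program Files\Backup\agent.exe"}),
    # WMI remote execution: the WMI provider host spawns cmd.exe.
    Event("Security", 4688, {"Host": "db02",
                             "NewProcessName": r"C:\Windows\System32\cmd.exe",
                             "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe"}),
    # Ordinary interactive process creation.
    Event("Security", 4688, {"Host": "ws17",
                             "NewProcessName": r"C:\Windows\System32\notepad.exe",
                             "ParentProcessName": r"C:\Windows\explorer.exe"}),
    # Signed driver loaded from a temp directory by a signer not on the allowlist.
    Event("Sysmon", 6, {"Host": "srv03", "ImageLoaded": r"C:\Windows\Temp\example_signed.sys",
                        "Signed": "true", "Signature": "Example Tools Publisher (constructed)"}),
    # Normal Microsoft-signed driver load.
    Event("Sysmon", 6, {"Host": "srv03", "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
                        "Signed": "true", "Signature": "Microsoft Windows"}),
]

Alert = Tuple[str, str, str]   # (rule name, host, detail)


def detect(events: List[Event]) -> List[Alert]:
    """Return one alert per event that matches a detection rule."""
    alerts: List[Alert] = []
    for ev in events:
        f = ev.fields
        host = f.get("Host", "?")
        if ev.source == "System" and ev.event_id == 7045:
            # PsExec's default service name; renamed copies need other rules.
            if "PSEXESVC" in (f.get("ServiceName", "") + f.get("ImagePath", "")).upper():
                alerts.append(("psexec_service_install", host, f.get("ImagePath", "")))
        elif ev.source == "Security" and ev.event_id == 4688:
            parent = ntpath.basename(f.get("ParentProcessName", "")).lower()
            child = ntpath.basename(f.get("NewProcessName", "")).lower()
            if parent == "wmiprvse.exe" and child in SHELLS:
                alerts.append(("wmi_remote_exec", host, child))
        elif ev.source == "Sysmon" and ev.event_id == 6:
            signed = f.get("Signed", "false").lower() == "true"
            if signed and f.get("Signature", "") not in TRUSTED_DRIVER_SIGNERS:
                alerts.append(("unexpected_signed_driver", host, f.get("ImageLoaded", "")))
    return alerts


if __name__ == "__main__":
    for rule, host, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:26} host={host:6} {detail}")
```

Each rule is deliberately narrow so it can be tuned: the PsExec rule only catches the default service name, the WMI rule only fires on shells and script hosts, and the driver rule depends entirely on how complete the signer allowlist is, so a hit there is a lead for review rather than proof of a rootkit.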
Comparative Analysis of Chinese APT Groups
Salt Typhoon is part of a broader pattern of Chinese cyber operations, including the activities of Flax Typhoon, Volt Typhoon, and Brass Typhoon (APT41). Here's how they compare:
Flax Typhoon:
Tactics: Utilizes a 260,000-device Mirai-based botnet targeting U.S. critical infrastructure, academic institutions, and government.
Focus: Primarily espionage and long-term surveillance.
Tools: Heavy reliance on IoT vulnerabilities to gain and maintain access.
Volt Typhoon:
Tactics: Focuses on infiltrating U.S. military bases and critical infrastructure with the objective of preparing for destructive cyberattacks in the event of a geopolitical conflict, especially regarding Taiwan.
Focus: Unlike Salt Typhoon, Volt Typhoon is more focused on disruption than espionage, pre-positioning itself to cause outages in the future.
Brass Typhoon (APT41):
Tactics: Known for its extensive use of backdoors and custom malware to establish persistence in government and manufacturing networks.
Focus: Cyber espionage across Taiwan, the Philippines, and Vietnam, targeting government and military entities.
Strategic Exploitation of U.S. Infrastructure
Salt Typhoon, along with related operations like Flax Typhoon and Volt Typhoon, suggests a coordinated Chinese strategy to infiltrate and potentially control key components of U.S. critical infrastructure. These activities are part of a long-term effort to gather intelligence and prepare for future conflicts.
1. Exploitation of ISP Data:
Intelligence Gathering: Salt Typhoon’s access to ISP networks allows it to monitor traffic and gather intelligence on high-value targets, including government officials and corporate executives.
Data Exfiltration: Salt Typhoon could siphon off sensitive information, including intellectual property, financial data, and communications.
2. Telecommunications Sector:
Network Control: By compromising Cisco routers and other core network devices, Salt Typhoon could potentially disrupt internet traffic on a wide scale during a geopolitical conflict.
Surveillance Capabilities: Compromising telecom networks enhances Salt Typhoon's ability to conduct targeted surveillance on critical figures and organizations.
3. Strategic Prepositioning:
Sleeper Capabilities: Salt Typhoon may install hidden backdoors that can be activated during a conflict to cause widespread disruptions.
Rapid Escalation: In times of crisis, Salt Typhoon’s existing foothold could allow for a quick transition from espionage to full-scale disruption.
Broader Geopolitical Implications
Salt Typhoon’s operations align closely with China’s broader geopolitical strategy, particularly regarding Taiwan. By positioning itself within U.S. critical infrastructure, Salt Typhoon is prepared to disrupt communications and logistical operations in the event of a conflict, potentially delaying or crippling a U.S. response.
Conclusion
The Salt Typhoon campaign represents a critical and ongoing threat to U.S. national security. Alongside Flax Typhoon and Volt Typhoon, Chinese APTs are positioning themselves to gather intelligence and potentially cause large-scale disruptions during future conflicts. The sophistication of their toolsets, including the use of rootkits and in-memory malware, indicates that these groups are highly skilled and well-resourced, emphasizing the need for enhanced cybersecurity measures across the board.
As tensions between the U.S. and China escalate, particularly over Taiwan, the risks posed by these state-sponsored cyber actors will only increase. A coordinated defense effort is essential to mitigate the significant threats posed by campaigns like Salt Typhoon.