QUICKLOOK: Salt Typhoon, Gray-Zone Tactics, and Allegations of U.S. Cyber Espionage

Salt Typhoon and Counter-Allegations in the Sino-U.S. Cyber Conflict

BLUF:

The Chinese APT group Salt Typhoon has executed extensive campaigns targeting U.S. ISPs as part of China's broader strategy to gain strategic cyber dominance. Concurrently, China alleges that the U.S. uses "false flag" cyber tactics, where U.S. cyber forces mask their activities by posing as foreign entities, including groups like Volt Typhoon. These developments underline the need for comprehensive cybersecurity strategies and robust international cyber conflict frameworks.

---

Abstract:

Salt Typhoon, a Chinese state-sponsored APT, launched a targeted campaign against U.S. ISPs in 2024, signaling its intent to gather intelligence and potentially execute disruptive operations. This QUICKLOOK explores Salt Typhoon's tactics and other Chinese APT groups (e.g., Flax Typhoon, Volt Typhoon) and the national security implications. Additionally, it examines China's counter-allegations in the Volt Typhoon III report, which accuses U.S. cyber forces of "false flag" operations and supply chain exploitation, with the alleged support of major U.S. tech firms. This situation intensifies the cyber-attribution challenge, emphasizing the need for clear cybersecurity governance and transparent partnerships with the tech sector.

---

Salt Typhoon: Targeting Core Internet Infrastructure

Salt Typhoon has demonstrated high technical sophistication, particularly in targeting ISPs to gain access to large-scale internet infrastructure.

Key Aspects:

• Target: U.S. ISPs that are vital for handling internet traffic and communications.

• Scope: Salt Typhoon reportedly breached multiple ISP networks, exploiting critical components such as Cisco routers.

• Attribution: Microsoft and cybersecurity experts identify Salt Typhoon, also known as FamousSparrow.

• Objective: Primarily intelligence-gathering with the capacity for disruptive infrastructure attacks.

• Strategic Implications: By embedding within ISP networks, Salt Typhoon threatens the operational integrity of essential communication channels across the military, government, and private sectors.

Salt Typhoon's Capabilities and Tactics

Salt Typhoon employs advanced techniques to maintain a low profile and establish lasting access within compromised networks.

• Kernel-Mode Rootkits: Uses the Demodex rootkit to obfuscate malware, avoiding standard detection methods.

• Memory-Resident Malware: Runs exclusively in memory, bypassing traditional disk-based forensic detection.

• Exploitation of Software Vulnerabilities: Frequently leverages vulnerabilities like ProxyLogon (Microsoft Exchange) to penetrate systems.

• Living-off-the-Land Techniques: Operates within native system tools like WMI and PsExec to avoid leaving traces.

• Dormant Backdoors: Pre-positioned backdoors enable Salt Typhoon to escalate from surveillance to active disruption if needed quickly.

---

Comparative Analysis of Chinese APT Groups

A network of specialized APTs supports China's cyber strategy, each focusing on specific targets to advance China's geopolitical goals.

1. Flax Typhoon:

   • Focus: Uses a Mirai-based botnet with over 260,000 IoT devices to monitor critical U.S. infrastructure.

   • Specialization: Persistent network access via IoT vulnerabilities.

2. Volt Typhoon:

   • Focus: Preparation for disruptive attacks on U.S. military bases and infrastructure, particularly concerning Taiwan.

   • Specialization: Emphasizes pre-positioning within essential networks for potential future action.

3. Brass Typhoon (APT41):

   • Focus: Regional cyber espionage, targeting Taiwan and Indo-Pacific governmental networks.

   • Specialization: Establishes prolonged intelligence-gathering footholds within strategic regions.

---

Strategic Exploitation of U.S. Infrastructure

Salt Typhoon's infiltration of U.S. ISP networks aligns with China's strategic focus on intelligence collection and maintaining latent threats in critical infrastructure.

1. ISP Data Exploitation:

   • Intelligence Gathering: Monitors sensitive U.S. communications, including those of government and corporate entities.

   • Data Exfiltration: Acquires high-value data for advancing China's economic and geopolitical interests.

2. Control of Telecom Networks:

   • Network Manipulation: Compromises core network infrastructure, facilitating large-scale disruptions if needed.

   • Surveillance Enhancement: Access to ISP networks supports advanced surveillance of high-value U.S. targets.

3. Pre-Positioned Disruption:

   • Dormant Assets: Salt Typhoon installs backdoors poised for activation during conflicts.

   • Escalation Capability: Allows rapid transition from passive monitoring to active disruption.

---

Chinese Counter-Claims: Allegations of U.S. Cyber Espionage

China's Volt Typhoon III report accuses the U.S. of "false flag" tactics, suggesting that U.S. cyber forces use foreign-appearing methods to misattribute attacks. Allegations include "supply chain" manipulation and collaboration with U.S. tech firms to monitor foreign networks.

Highlights from China's Allegations:

1. False Flag Operations:

   • Chameleon Tactics: China alleges that U.S. cyber forces disguise operations by emulating foreign APT characteristics.

   • Marble Framework: Reportedly, this tool obscures U.S. attack origins with foreign-language markers.

2. Supply Chain Manipulation:

   • Intercepted Products: China claims that the U.S. intercepts and backdoors tech products for espionage before delivery.

   • Direct Surveillance: NSA allegedly targets telecom operators to monitor communications.

3. Global Surveillance Infrastructure:

   • Submarine Cable Tapping: China accuses the U.S. of intercepting data along global internet choke points.

   • Data Inspection: Allegedly, each intercepted data packet undergoes comprehensive examination.

4. Private Sector Collaboration:

   • Tech Industry Cooperation: China alleges U.S. tech companies, notably Microsoft, cooperate with NSA in espionage.

These accusations, although unverified, intensify the cyber-attribution conflict, adding diplomatic strain and complicating accountability in cyberspace.

---

Implications and Analysis

China's counterclaims and the Salt Typhoon campaign reveal the complexity of modern cyber conflict and underscore the challenges of clear attribution. Key insights include:

1. Attribution Ambiguity: Competing allegations highlight the inherent difficulties in definitively attributing cyber activities.

2. Diplomatic Tensions: Cyber conflicts increasingly influence diplomatic relations, especially between the U.S. and China.

3. Private Sector Influence: Accusations of tech sector collaboration in espionage underscore the strategic role of private companies in cybersecurity.

---

Conclusion

Salt Typhoon exemplifies the sophisticated threat Chinese APT groups pose, each aligned to China's broader cyber strategy. Amid growing allegations and counterclaims, the U.S.-China cyber standoff intensifies, illustrating the need for comprehensive, multi-layered cybersecurity measures and enhanced international dialogue on cyber norms.

Robust defensive strategies and transparent collaboration with tech partners are crucial to effectively addressing the persistent and complex threats of Chinese APTs and mitigating potential misattribution risks. As cyber warfare escalates, coordinated frameworks for attribution and accountability will be necessary to navigate the challenges of an increasingly contested digital landscape.

References:

• Peoples Daily Online: "Volt Typhoon III report exposes US cyber forces operations,” October 14, 2024

• GT: "GT Exclusive: Latest report shows US cyber weapon can ‘frame other countries’ for its own espionage operations,” October 14`, 2024

• WSJ: "U.S. Officials Race to Understand Severity of China’s Salt Typhoon Hacks,” October 11, 2024

• DarkReading: "Salt Typhoon APT Subverts Law Enforcement Wiretapping: Report,” October 07, 2024