Salt Typhoon Hacked Nine U.S.-Based Telecoms, Tactics & Techniques Uncovered

A sophisticated Chinese state-sponsored hacking group, known as Salt Typhoon, has been linked to breaches of at least nine U.S.-based telecommunications companies, targeting prominent government and political figures.

As part of an ongoing investigation, Tenable Research delves into the tactics, techniques, and procedures (TTPs) employed by this advanced persistent threat (APT) actor, revealing its focus on espionage and exploitation of known vulnerabilities within critical infrastructure.

U.S. Government Confirms State-Sponsored Intrusions

Throughout 2024, APT-related cyberattacks from threat actors affiliated with the People’s Republic of China (PRC) were a significant concern for U.S. authorities, including the Cybersecurity and Infrastructure Security Agency (CISA).

In September, reports surfaced alleging that Salt Typhoon had infiltrated multiple U.S. telecommunications networks.

This claim was formally confirmed later in October when the FBI and CISA jointly issued a statement acknowledging unauthorized intrusions into commercial telecom infrastructure by PRC-linked actors.

By late December, the White House disclosed that at least nine telecom companies had been compromised, underscoring the severity of this national security threat.

Salt Typhoon, also tracked as FamousSparrow, GhostEmperor, Earth Estries, and UNC2286, is known for targeting the telecom, government, and technology sectors on a global scale.

In the U.S., its primary focus reportedly includes government officials involved in sensitive political activities.

This prompted the White House to issue an executive order, “Strengthening and Promoting Innovation in the Nation’s Cybersecurity,” to enhance defenses against such threats.

Exploitation of Known Vulnerabilities and Initial Access Tactics

Salt Typhoon’s modus operandi commonly involves exploiting publicly known vulnerabilities in external-facing systems to gain initial access to target networks.

Prominent among these are the “ProxyLogon” vulnerabilities in Microsoft Exchange Server (CVE-2021-26855) and critical flaws in widely used enterprise solutions, such as Sophos Firewall (CVE-2022-3236), Fortinet’s FortiClientEMS (CVE-2023-48788), and Ivanti Connect Secure (CVE-2024-21887 and CVE-2023-46805).

These CVEs carry high CVSS scores (8.2 to 9.8) and have been instrumental in Salt Typhoon's incursions.

Four of them (ProxyLogon, the Sophos Firewall flaw, and the two Ivanti Connect Secure flaws) were exploited as zero-days in broader campaigns before patches were released.

Despite the availability of patches for these vulnerabilities, many organizations have struggled to implement timely updates.

A Tenable analysis found that, of almost 30,000 Exchange servers exposed to ProxyLogon, 91% remained unpatched at the time of the analysis, years after the fix shipped.

In addition to exploiting these vulnerabilities, Salt Typhoon has targeted Cisco network devices, prompting CISA's guidance to disable or properly configure the Smart Install feature. Smart Install listens on TCP port 4786 without authentication, and an attacker who can reach that port can read or overwrite a device's configuration, which makes it a convenient foothold for persistence on network infrastructure.
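The following is an added example of what that hardening looks like on a Cisco IOS or IOS XE device; it is not configuration from the article, from Tenable, or from CISA's guidance. The hostname, the 192.0.2.10 director address and the GigabitEthernet0/0 interface are placeholders chosen for the example.

```cisco
! Added example: check for, then disable or restrict, Cisco Smart Install.
! Smart Install listens on TCP/4786 with no authentication.

! 1. Check whether the device is acting as a Smart Install client or director.
Router# show vstack config
! A role line reading "Client (SmartInstall enabled)" means the feature is active.

! 2. Confirm whether the device is actually listening on TCP 4786.
Router# show tcp brief all
! A socket shown as *.4786 in LISTEN state means the port is open.

! 3. Preferred fix: turn the feature off entirely where it is not needed.
Router# configure terminal
Router(config)# no vstack
Router(config)# end
Router# write memory

! 4. If Smart Install must stay on (the device is a director provisioning new
!    switches), restrict TCP/4786 to the director with an interface ACL.
!    192.0.2.10 and GigabitEthernet0/0 are placeholder values for this example.
Router# configure terminal
Router(config)# ip access-list extended BLOCK-SMI
Router(config-ext-nacl)# permit tcp host 192.0.2.10 any eq 4786
Router(config-ext-nacl)# deny tcp any any eq 4786
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# exit
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip access-group BLOCK-SMI in
Router(config-if)# end
Router# write memory
```

After applying `no vstack`, re-run `show vstack config` following the next reload: Cisco has documented software releases on which the setting did not persist across a restart, and on those the real fix is a software upgrade rather than the configuration change alone.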

The group employs custom malware, such as GhostSpider, SnappyBee, and the Masol Remote Access Trojan (RAT), to maintain long-term access.

Reports indicate that Salt Typhoon has operated undetected for extended periods, often maintaining access to telecommunications infrastructure for months before discovery.

Outgoing CISA Director Jen Easterly confirmed that these actors were previously detected on U.S. government networks, illustrating their ability to penetrate high-value targets.

Salt Typhoon is part of a broader family of PRC-affiliated threat actors, collectively referred to under the “Typhoon” codename.

Other groups, such as Volt Typhoon and Flax Typhoon, share similar TTPs but focus on different targets.

Volt Typhoon is known for stealth operations targeting critical infrastructure, while Flax Typhoon has been linked to building botnets through compromised Internet of Things (IoT) devices.

Across the spectrum, these groups exploit unpatched vulnerabilities in public-facing servers, emphasizing the importance of proactive patching to mitigate risks.
