Formation | 2020
---|---
Type | Advanced persistent threat
Purpose | Cyberespionage, counterintelligence
Affiliations | Ministry of State Security
Salt Typhoon is an advanced persistent threat actor operated by the Chinese government which has conducted high profile cyberespionage campaigns with an emphasis on counterintelligence targets in the United States. The group has also infiltrated targets in dozens of other countries on nearly every continent.
Active since 2020, the group engages in widespread data theft, particularly capturing network traffic.
According to former CISA director Chris Krebs and other U.S. officials, the group is affiliated with China's Ministry of State Security (MSS). Former National Security Agency analyst Terry Dunlap has described the group as a "component of China's 100-Year Strategy."
Attribution and organization
Salt Typhoon is widely understood to be operated by China's Ministry of State Security (MSS), its foreign intelligence service and secret police.
According to Trend Micro, the group is a "well-organized group with a clear division of labor" whereby attacks targeting different regions and industries are launched by distinct actors, suggesting the group consists of various teams, "further highlighting the complexity of the group's operations."
Methodology
Salt Typhoon reportedly employs a Windows kernel-mode rootkit, Demodex (the name given by Kaspersky Lab), to gain persistent remote control over targeted servers. The group demonstrates a high level of sophistication and uses anti-forensic and anti-analysis techniques to evade detection.
Targets
In addition to U.S. Internet service providers, the Slovak cybersecurity firm ESET says Salt Typhoon has previously broken into hotels and government agencies worldwide.
According to The New York Times, Salt Typhoon is unique in focusing primarily on counterintelligence targets.
Campaigns
2024 breach of U.S. Internet service provider networks
Main article: 2024 U.S. telecommunications hack
In September 2024, reports emerged that a severe cyber attack had compromised U.S. telecommunications systems. The U.S. government believes the campaign was underway for one to two years prior to its discovery, with several dozen countries compromised in the hack, including those in Europe and the Indo-Pacific. The campaign was reportedly "intended as a Chinese espionage program focused on key government officials [and] key corporate [...]".
The attack targeted U.S. broadband networks, particularly core network components, including routers manufactured by Cisco, which route large portions of the Internet.
In October 2024, Salt Typhoon was discovered to have exploited U.S. internet service provider systems used by law enforcement to facilitate court-authorized wiretapping requests under the Communications Assistance for Law Enforcement Act (CALEA). Affected networks included those of AT&T, Verizon, Lumen Technologies, and T-Mobile.
In October 2024, The Washington Post reported that the U.S. federal government formed a multi-agency team to address the hack. The same month, The New York Times reported that Salt Typhoon attempted to and may have gained access to the phones of staff of the Kamala Harris 2024 presidential campaign, as well as those of Donald Trump and JD Vance.
Salt Typhoon affected at least nine telecommunications firms in the U.S. and had also affected dozens of other countries.
Reactions
Chairman of the U.S. Senate Select Committee on Intelligence, Sen. Mark Warner called it the "worst telecom hack in our nation’s history" and noted that it makes prior cyberattacks by Russian operatives look like "child’s play" by comparison.
Matthew Pines, director of intelligence at SentinelOne, wrote "I think the Salt Typhoon hacks will be seen as the worst counterintelligence breach in U.S. history" which "gives MSS bread crumbs to trace back to and cauterize strategically critical U.S. sources and methods." He suggested the data breach was worse than the 2015 hack of the U.S. Office of Personnel Management carried out by the MSS' Jiangsu State Security Department.
The Chinese Embassy in Washington, D.C. has denied all allegations that China engages in hacking.
In retaliation for the attack, the U.S. Department of Commerce announced it would ban the few remaining operations of China Telecom operating in the U.S.
Name
Salt Typhoon is the name assigned by Microsoft and is the one most widely used to describe the group. The group has also variously been called:
- Earth Estrie by Trend Micro
- GhostEmperor by Kaspersky Lab
- FamousSparrow by ESET
- UNC2286 by Mandiant
See also
- Cyberwarfare by China
- Chinese information operations and information warfare
- Chinese espionage in the United States
- Chinese interference in the 2024 United States elections
References
- "Malpedia: GhostEmperor". Fraunhofer Society. Archived from the original on 2024-10-08. Retrieved 2024-10-08.
- Swan, David (2024-12-05). "The Chinese hack that has Australia on high alert". The Sydney Morning Herald. Retrieved 2024-12-05.
- Krouse, Sarah; McMillan, Robert; Volz, Dustin (2024-09-26). "China-Linked Hackers Breach U.S. Internet Providers in New 'Salt Typhoon' Cyberattack". The Wall Street Journal. Archived from the original on 2024-10-07.
- Nakashima, Ellen (2024-10-06). "China hacked major U.S. telecom firms in apparent counterspy operation". The Washington Post. Archived from the original on 2024-10-07. Retrieved 2024-10-08.
- Lyons, Jessica (2024-09-25). "China's Salt Typhoon cyber spies are deep inside US ISPs". The Register. Archived from the original on 2024-10-08. Retrieved 2024-10-08.
- Greig, Jonathan (2024-11-25). "China's Salt Typhoon hackers target telecom firms in Southeast Asia with new malware". Recorded Future. Archived from the original on 2024-11-28. Retrieved 2024-12-31.
- "GhostEmperor: From ProxyLogon to kernel mode". securelist.com. 2021-09-30. Archived from the original on 2024-10-01. Retrieved 2024-10-08.
- "GhostEmperor returns with updated Demodex rootkit" (PDF). www.imda.gov.sg - Infocomm Media Development Authority. Retrieved 2024-10-08.
- Kovacs, Eduard (2024-10-07). "China's Salt Typhoon Hacked AT&T, Verizon: Report". Security Week.
- "ESET Research discovers FamousSparrow APT group spying on hotels, governments and private companies". ESET. ESET Newsroom, WeLiveSecurity. Archived from the original on 2024-11-28. Retrieved 2024-12-06.
- Barrett, Devlin (2024-10-26). "What to Know About the Chinese Hackers Who Targeted the 2024 Campaigns". Archived from the original on 2024-12-21. Retrieved 2024-12-31.
- Krouse, Sarah; Volz, Dustin; Viswanatha, Aruna; McMillan, Robert (2024-10-05). "U.S. Wiretap Systems Targeted in China-Linked Hack". The Wall Street Journal. Archived from the original on 2024-10-05.
- Krouse, Sarah; Volz, Dustin (2024-11-15). "T-Mobile Hacked in Massive Chinese Breach of Telecom Networks". The Wall Street Journal. Retrieved 2024-11-15.
- Nakashima, Ellen (2024-10-11). "White House forms emergency team to deal with China espionage hack". The Washington Post. Archived from the original on 2024-11-09. Retrieved 2024-10-12.
- Barrett, Devlin; Swan, Jonathan; Haberman, Maggie (2024-10-25). "Chinese Hackers Are Said to Have Targeted Phones Used by Trump and Vance". The New York Times. Archived from the original on 2024-11-10. Retrieved 2024-10-25.
- Tucker, Eric (2024-12-27). "A 9th telecoms firm has been hit by a massive Chinese espionage campaign, the White House says". Associated Press. Retrieved 2024-12-27.
- Volz, Dustin (2024-12-04). "Dozens of Countries Hit in Chinese Telecom Hacking Campaign, Top U.S. Official Says". The Wall Street Journal. Archived from the original on 2024-12-04. Retrieved 2024-12-05.
- Nakashima, Ellen (2024-11-21). "Top senator calls Salt Typhoon 'worst telecom hack in our nation's history'". The Washington Post. Retrieved 2024-12-31.
- Pines, Matthew (2024-12-28). "I think the Salt Typhoon hacks will be seen as the worst counterintelligence breach in US history. Though not reported yet, seems likely that the MSS compromised the FISA "selectors" in US telcos. The fallout from this is unfathomable. FBI NSD damage assessment is max pain rn" (Tweet). Retrieved 2024-12-30 – via Twitter.
- Sanger, David E. (2024-12-16). "Biden Administration Takes First Step to Retaliate Against China Over Hack". The New York Times. Archived from the original on 2024-12-27. Retrieved 2024-12-31.
- "AT&T, Verizon reportedly hacked to target US govt wiretapping platform". BleepingComputer. Archived from the original on 2024-10-07. Retrieved 2024-10-08.
Notes
- Also known by the names GhostEmperor, FamousSparrow, and UNC2286