September 26, 2024
Severity
High
Analysis Summary
As part of a coordinated cyber espionage campaign to extract sensitive data, nation-state threat actors supported by Beijing breached a few U.S. internet service providers (ISPs).
The activity has been linked to a threat actor known as FamousSparrow and GhostEmperor, which Microsoft tracks as Salt Typhoon. Reporting on the intrusions states that investigators are examining whether the intruders were able to access Cisco Systems routers, core network components that route a large share of internet traffic.
The ultimate objective of the attacks is to establish a durable foothold within the target networks so that the threat actors can steal confidential information or carry out destructive cyberattacks. GhostEmperor was first documented in October 2021, when a Russian cybersecurity company revealed the details of a long-running covert operation that targeted Southeast Asian organizations to install a rootkit known as Demodex.
The campaign was directed at prominent organizations in Malaysia, Thailand, Vietnam, and Indonesia, with isolated cases in Egypt, Ethiopia, and Afghanistan. As recently as July 2024, a cybersecurity company disclosed that the threat actor had gained access to one of its business partner's networks in 2023 by compromising the account of an unidentified client. The investigation found that the threat actor had compromised several servers, workstations, and user accounts, and had used a variety of tools to communicate with a set of command-and-control (C2) servers. One of these tools was identified as a Demodex variant.
This comes days after the US government announced the takedown of the 260,000-device Raptor Train botnet, which was controlled by Flax Typhoon, another threat group with ties to Beijing. It is also the latest in a series of Chinese state-sponsored operations targeting ISPs, telecom companies, and other critical infrastructure sectors.
Impact
- Sensitive Data Theft
- Cyber Espionage
- Operational Disruption
- Unauthorized Access
Remediation
- Conduct regular, comprehensive cybersecurity training programs for employees, focusing on spear-phishing recognition and avoidance. Simulate phishing attacks to test awareness and response.
- Enforce multi-factor authentication (MFA) for all critical systems, including email, source code repositories, and proprietary software, to reduce the risk of unauthorized access.
- Apply the principle of least privilege, ensuring that only authorized personnel have access to sensitive software and source code. Regularly review and audit access control policies.
- Use advanced email filtering systems that detect and block phishing attempts, especially those involving domain spoofing and impersonation tactics.
- Employ continuous network monitoring tools to detect unauthorized access or unusual activity. Regularly audit system logs for any indicators of compromise (IoCs) or anomalous behavior.
- Deploy EDR solutions to detect and respond to malicious activity on endpoints, particularly those involving attempts to exfiltrate sensitive data.
- Ensure timely patching of software vulnerabilities in operating systems, email servers, and security tools to reduce the risk of exploitation by cybercriminals.
- Establish protocols for quickly reporting cyber incidents to relevant authorities, like the FBI or other national agencies, to assist with tracking and mitigating cybercriminal activities.
- Perform periodic penetration testing and vulnerability assessments to identify and address weaknesses in the security infrastructure.
- Leverage real-time threat intelligence feeds to stay informed about new phishing campaigns and tactics targeting industries like aerospace and defense.