Severity
High
Analysis Summary
Multiple U.S. broadband providers, including Verizon, AT&T, and Lumen Technologies, have been compromised by a Chinese threat group known as Salt Typhoon.
The attack appears to have been carried out to gather intelligence, since the attackers may have had access to the systems the providers use to fulfil court-authorized wiretapping requests from the U.S. federal government. The exact date of the intrusion is unknown, but the report, citing sources with knowledge of the situation, says the hackers may have had access for months or longer to the network infrastructure these providers use to comply with lawful U.S. requests for communications data.
Microsoft named this specific threat actor based in China as Salt Typhoon. The group is being tracked by additional cybersecurity firms under the names UNC2286, Ghost Emperor, FamousSparrow, and Earth Estries. The report states that the attack was only recently identified and is currently being looked at by both private-sector security professionals and the U.S. government.
The scope and nature of the material observed and exfiltrated during the attack are still being evaluated, sources with knowledge of the infiltration stated. The hackers appear to have collected a sizable amount of internet traffic from ISPs that serve millions of Americans as well as large and small enterprises. In addition to infiltrating American service providers, Salt Typhoon might also have compromised comparable organizations elsewhere.
Salt Typhoon is a highly skilled threat actor that has been operating since at least 2019 and mostly targets government and telecoms organizations in Southeast Asia. The threat actor also targeted hotels, engineering firms, and legal firms in the following countries: Brazil, Burkina Faso, South Africa, Canada, Israel, France, Guatemala, Lithuania, Saudi Arabia, Taiwan, Thailand, and the United Kingdom, according to security researchers.
The group typically exploits known flaws, such as the ProxyLogon vulnerabilities in Microsoft Exchange Server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065), to gain initial access to a target network. In earlier operations attributed to Salt Typhoon/Ghost Emperor, the threat actor employed a Windows kernel-mode malware called Demodex, a customized backdoor named SparrowDoor, and modified versions of the Mimikatz tool to extract authentication data.
The initial access method in this incident is still unknown to investigators. According to the researchers, compromise of Cisco routers, which handle internet traffic routing, is one possibility being investigated. A Cisco representative said, however, that while the company was investigating, there was no evidence that Cisco networking equipment was involved in the incident.
Chinese APT groups have increasingly focused their cyber-espionage operations on networking devices and ISPs in the United States and Europe. In September, law enforcement took down a large Chinese botnet known as "Raptor Train", which had infected over 260,000 SOHO routers and IP cameras with malware. The "Flax Typhoon" threat actors used this botnet to perform DDoS attacks and as a conduit for covert attacks against other organizations. Although various Chinese threat groups have been implicated in these operations, they are thought to belong to the same organization and to frequently share resources and infrastructure.
Impact
- Unauthorized Access
- Cyber Espionage
- Sensitive Data Theft
Remediation
- Conduct regular, comprehensive cybersecurity training programs for employees, focusing on spear-phishing recognition and avoidance. Simulate phishing attacks to test awareness and response.
- Enforce multi-factor authentication (MFA) for all critical systems, including email, source code repositories, and proprietary software, to reduce the risk of unauthorized access.
- Apply the principle of least privilege, ensuring that only authorized personnel have access to sensitive software and source code. Regularly review and audit access control policies.
- Use advanced email filtering systems that detect and block phishing attempts, especially those involving domain spoofing and impersonation tactics.
- Employ continuous network monitoring tools to detect unauthorized access or unusual activity. Regularly audit system logs for any indicators of compromise (IoCs) or anomalous behavior.
- Deploy EDR solutions to detect and respond to malicious activity on endpoints, particularly those involving attempts to exfiltrate sensitive data.
- Ensure timely patching of software vulnerabilities in operating systems, email servers, and security tools to reduce the risk of exploitation by cybercriminals.
- Establish protocols for quickly reporting cyber incidents to relevant authorities, like the FBI or other national agencies, to assist with tracking and mitigating cybercriminal activities.
- Perform periodic penetration testing and vulnerability assessments to identify and address weaknesses in the security infrastructure.
- Leverage real-time threat intelligence feeds to stay informed about new phishing campaigns and tactics targeting industries like aerospace and defense.