Threat Actor Analysis: Salt Typhoon

Salt Typhoon – also known as GhostEmperor – intensified its aggressive cyber operations in 2024, escalating attacks against critical infrastructure. Securin’s research team analyzed the group’s campaigns, tactics, and techniques, along with the broader implications for defenders, particularly those working in critical sectors.

The Perfect Storm

Salt Typhoon’s aggressive campaigns against critical infrastructure represent a significant threat to national security and economic interests.

The China-linked group has compromised major US telecoms providers – including AT&T, T-Mobile and Verizon – with secure government communications among the data believed to have been exposed. The breach of wiretap systems indicates a strategic shift towards long-term cyberespionage.

Key Operational & Strategic Impacts

  • Compromised Internet Service Providers (ISPs) and broadband providers could lead to widespread data interception and network manipulation.
  • Breached wiretap systems may compromise law enforcement operations and sensitive investigations.
  • The targeting of multiple countries suggests a broad intelligence gathering campaign, potentially aimed at economic or political espionage.
  • Focus on telecommunications infrastructure indicates a strategic move to establish long-term persistence and data collection capabilities.

Targets, Tools, Tactics & Techniques

Salt Typhoon’s operations in 2024 revealed a significant evolution in tactics and strategic focus. The group expanded its geographical reach: Italy, Spain, Taiwan, Turkey and the UK were all hit in July 2024. By September, the group had narrowed its focus to US providers. 

Throughout its operations, the group demonstrated an expanded and diverse toolkit:

What does all of this mean? Let’s break things down:

1. The introduction of new malware, like GHOSTSPIDER, alongside continued use of old favorites Mimikatz and ProcDump highlights the group’s ability to adapt and evolve tactics. 

2. The use of both custom and publicly available tools complicates attribution and incident response efforts – a hallmark of advanced persistent threats (APTs).

3. Diverse tactics demonstrate sophisticated techniques across the entire attack cycle, from initial access to persistence and data exfiltration.

In real-world, operational terms, this is a group capable of adapting to different environments in order to evade detection.
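The presence of ProcDump and Mimikatz in the toolkit points to credential dumping from LSASS, which is one of the more reliably detectable steps in the attack cycle. The following is an added example of the detection logic a defender would run over process-creation telemetry; it is not Securin's code, the event records are constructed for illustration, and the field names mirror a generic Sysmon/EDR-style process-creation log rather than any specific product's schema.

```python
"""Flag process-creation events consistent with credential dumping.

Added example for the tooling discussed above (Mimikatz, ProcDump).
The events below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str            # full path of the created process
    command_line: str
    parent_image: str


# Constructed sample events (field layout is a generic process-creation log).
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "CORP\\jdoe", r"C:\Windows\System32\notepad.exe",
                 "notepad.exe report.txt", r"C:\Windows\explorer.exe"),
    ProcessEvent("srv02", "CORP\\svc_backup", r"C:\Tools\procdump64.exe",
                 "procdump64.exe -accepteula -ma lsass.exe lsass.dmp",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("srv02", "CORP\\svc_backup", r"C:\Users\Public\m.exe",
                 'm.exe "sekurlsa::logonpasswords" exit',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("ws03", "CORP\\dev1", r"C:\Tools\procdump64.exe",
                 "procdump64.exe -accepteula -ma MyApp.exe app.dmp",
                 r"C:\Windows\System32\cmd.exe"),
]

# LSASS named as the dump target, with or without the .exe suffix.
LSASS_TARGET = re.compile(r"\blsass(\.exe)?\b", re.IGNORECASE)
# Mimikatz module syntax; matching on the command line catches renamed binaries.
MIMIKATZ_MODULES = re.compile(r"(sekurlsa::|lsadump::|privilege::debug)", re.IGNORECASE)


def classify(event: ProcessEvent) -> list[str]:
    """Return the names of the detection rules this event triggers (empty if benign)."""
    hits = []
    image_name = event.image.rsplit("\\", 1)[-1].lower()
    cmd = event.command_line
    # ProcDump taking a full memory dump (-ma) of lsass is the classic pattern;
    # ProcDump of any other process (e.g. an app crash) is left alone.
    if image_name.startswith("procdump") and "-ma" in cmd.lower() and LSASS_TARGET.search(cmd):
        hits.append("procdump_lsass_dump")
    if MIMIKATZ_MODULES.search(cmd):
        hits.append("mimikatz_module_syntax")
    return hits


def triage(events) -> dict[str, list[str]]:
    """Map host -> rules fired, so an analyst sees which hosts need a look first."""
    findings: dict[str, list[str]] = {}
    for ev in events:
        for rule in classify(ev):
            findings.setdefault(ev.host, []).append(rule)
    return findings


if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(rules)}")
```

Only srv02 is flagged: the ProcDump rule keys on the LSASS target rather than on ProcDump itself, so a developer dumping their own application on ws03 does not raise noise, while the Mimikatz rule keys on module syntax so that renaming the binary does not evade it.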

Best Defense: To mitigate threats like these, organizations must implement multi-layered defenses and regularly update threat detection capabilities.

Vulnerabilities Exploited by Salt Typhoon

Salt Typhoon targets high-severity vulnerabilities in enterprise security products and VPN solutions. The exploited vulnerabilities allow for remote code execution (RCE) and authentication bypass, enabling initial access and lateral movement.

Compromised security infrastructure could lead to complete network takeover. Exploiting VPN vulnerabilities may allow attackers to bypass perimeter defenses and access internal networks.

Best Defense: The targeting of security products underlines the importance of timely patching and vendor management. Reassess reliance on single-point security solutions and implement defense-in-depth strategies.

Mitigating the Risks Posed by Salt Typhoon & Similar Threat Actors

Salt Typhoon’s exploitation of high-severity vulnerabilities in enterprise security products and VPN solutions (CVE-2023-48788, CVE-2024-21887, CVE-2023-46805) underscores their focus on gaining initial access and maintaining persistence within target networks. This approach aligns with their broader strategy of establishing long-term footholds in re for sustained cyber espionage operations.

Bottom Line: Telecommunications and ISPs must implement rigorous security measures, including regular vulnerability assessments and network segmentation. Government agencies should enhance information sharing and collaborative defense strategies to counter sophisticated state-sponsored threats.

Risk Mitigation Recommendations:

1. Implement robust patch management processes, prioritizing vulnerabilities in security infrastructure.

2. Enhance network monitoring capabilities to detect anomalous behavior and potential lateral movement.

3. Conduct regular threat hunting exercises, focusing on indicators associated with Salt Typhoon’s TTPs.

4. Strengthen authentication mechanisms, particularly for remote access and privileged accounts.

5. Develop and test incident response plans specifically tailored to APT intrusions.
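Recommendation 1 asks for patch management that prioritizes security infrastructure, and the section above names the three CVEs involved. The following is an added example of a risk-ranked patch queue built around those identifiers; it is not Securin's code. The CVE ids come from this analysis and the affected products and impact classes (RCE versus authentication bypass) from the public vendor advisories; the scoring weights are illustrative, and the asset inventory and scanner findings are constructed.

```python
"""Risk-ranked patch queue for the CVEs named in this analysis.

Added example, not the article's code. Inventory and findings are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vuln:
    cve: str
    product: str
    impact: str             # "rce" or "auth_bypass", the two impacts the analysis names
    actor_exploited: bool   # attributed to Salt Typhoon in this analysis


# CVE ids from the article; product and impact from the public vendor advisories.
KNOWN_VULNS = {
    "CVE-2023-48788": Vuln("CVE-2023-48788", "FortiClient EMS", "rce", True),
    "CVE-2024-21887": Vuln("CVE-2024-21887", "Ivanti Connect Secure", "rce", True),
    "CVE-2023-46805": Vuln("CVE-2023-46805", "Ivanti Connect Secure", "auth_bypass", True),
}


@dataclass
class Asset:
    name: str
    product: str
    internet_facing: bool
    security_infrastructure: bool                 # VPN concentrator, endpoint management, etc.
    findings: list = field(default_factory=list)  # CVE ids reported by the vulnerability scanner


IMPACT_WEIGHT = {"rce": 5, "auth_bypass": 4}
CHAIN_BONUS = 2   # auth bypass + RCE on the same product adds up to unauthenticated RCE


def base_score(asset: Asset, vuln: Vuln) -> int:
    """Illustrative weights; the ordering of the factors is the point."""
    s = IMPACT_WEIGHT[vuln.impact]
    if vuln.actor_exploited:
        s += 4   # known exploited by an active APT outranks a theoretical severity number
    if asset.internet_facing:
        s += 3   # reachable from the edge: an initial-access candidate
    if asset.security_infrastructure:
        s += 2   # recommendation 1 above: security infrastructure goes first
    return s


def patch_queue(assets, catalog=KNOWN_VULNS):
    """Return (score, asset name, cve) tuples, highest priority first."""
    queue = []
    for asset in assets:
        applicable = []
        for cve in asset.findings:
            vuln = catalog.get(cve)
            if vuln is None or vuln.product != asset.product:
                continue   # not in the catalogue, or a scanner finding for the wrong product
            applicable.append(vuln)
        # Both impact classes present on one box: treat the pair as a single critical chain.
        chained = {"rce", "auth_bypass"} <= {v.impact for v in applicable}
        for vuln in applicable:
            s = base_score(asset, vuln) + (CHAIN_BONUS if chained else 0)
            queue.append((s, asset.name, vuln.cve))
    queue.sort(key=lambda t: (-t[0], t[1], t[2]))
    return queue


# Constructed inventory (not real hosts); web-01 carries a scanner false positive.
SAMPLE_ASSETS = [
    Asset("vpn-edge-01", "Ivanti Connect Secure", True, True,
          ["CVE-2023-46805", "CVE-2024-21887"]),
    Asset("ems-lab", "FortiClient EMS", False, True, ["CVE-2023-48788"]),
    Asset("web-01", "nginx", True, False, ["CVE-2023-48788"]),
    Asset("vpn-dr-02", "Ivanti Connect Secure", False, True, ["CVE-2023-46805"]),
]

if __name__ == "__main__":
    for s, name, cve in patch_queue(SAMPLE_ASSETS):
        print(f"{s:2d}  {name:12s}  {cve}")
```

The internet-facing VPN appliance carrying both the authentication bypass and the RCE lands at the top of the queue, the lab management server next, and the scanner's mismatched finding on web-01 is dropped rather than wasting a patch window.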

Salt Typhoon is likely to continue targeting critical infrastructure, with a possible expansion into other sectors such as energy and finance. In order to compromise a broader range of targets, the group may increase its use of supply chain attacks. Expect further development of custom malware and exploitation techniques to evade evolving defense mechanisms.

Salt Typhoon’s aggressive campaign in 2024 represents a significant threat to national security and economic interests. Organizations must adopt a proactive and multi-layered approach to cybersecurity to mitigate the risks posed by this sophisticated adversary.
