Salt Typhoon, a highly sophisticated Chinese hacking group, has breached significant sectors in North America and Southeast Asia. Continue reading this Cybersecurity Threat Advisory to learn more about this notorious group and how to keep your organization from becoming the next victim.
What is the threat?
Salt Typhoon is a highly skilled hacking group that uses sophisticated methods to access networks and exploit software vulnerabilities. Salt Typhoon is the name Microsoft gave to this China-based threat actor. Other cybersecurity companies track the adversary as Earth Estries, FamousSparrow, Ghost Emperor, or UNC2286.
Salt Typhoon carried out a massive cyberattack leveraging backdoors in US internet service provider (ISP) networks, especially AT&T and Verizon, to target systems used for court-authorized surveillance. By breaching these secure networks, they acquired access to highly classified information, raising severe concerns about the surveillance infrastructure.
Why is this noteworthy?
Salt Typhoon’s attacks are an immediate threat to the privacy of sensitive communications and personal data. Their attack on ISPs demonstrates that even secured critical systems can be compromised, which raises concerns about the security of data and surveillance systems.
Salt Typhoon threat actors adapt their tactics, techniques, and procedures (TTPs) to the victim’s environment by thoroughly researching network architecture, user behaviors, and security standards. They target known or zero-day vulnerabilities in publicly exposed network equipment such as VPNs, routers, and firewalls to gain initial access. Upon successful exploitation, they look for administrator credentials, frequently via privilege escalation vulnerabilities or credentials stored insecurely on network appliances, to maintain persistence. Using valid credentials, they move laterally through the network, attacking domain controllers (DCs) and extracting vital information. The group’s use of backdoors allows them to manipulate routers and communication channels, which poses threats such as data exfiltration and disruption of essential communication services.
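The intrusion chain above (foothold on an edge appliance, harvested administrator credentials, lateral movement toward domain controllers) leaves a recognizable trace in authentication logs. The following detection script is an added example, not code from Barracuda or from this advisory. It assumes a hypothetical environment: a management subnet for VPN/router/firewall appliances (10.0.250.0/24), two domain controllers (DC01, DC02), a list of privileged accounts, and a constructed, simplified authentication log in a pipe-delimited format modelled loosely on Windows logon events (4624 = successful logon, 4625 = failed). It flags three things a defender would want to see: a logon to a DC sourced from an appliance address, a privileged account used from the appliance subnet, and one account fanning out to several hosts within a short window.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Environment facts below are assumptions for this example, not from the advisory:
# the appliance management subnet, the domain controllers, and the privileged accounts.
APPLIANCE_MGMT_NET = ipaddress.ip_network("10.0.250.0/24")
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
PRIVILEGED_ACCOUNTS = {"admin-j.doe", "svc-backup"}

# Constructed sample authentication log, one event per line:
# timestamp|event_id|account|source_ip|target_host  (4624 = logon OK, 4625 = failed)
SAMPLE_LOG = """\
2024-10-01T08:00:00|4624|j.doe|10.0.10.15|WS-101
2024-10-01T08:01:00|4624|j.doe|10.0.10.15|FS-01
2024-10-01T02:10:00|4624|admin-j.doe|10.0.250.7|DC01
2024-10-01T02:11:30|4624|admin-j.doe|10.0.250.7|FS-01
2024-10-01T02:12:05|4624|admin-j.doe|10.0.250.7|WS-201
2024-10-01T02:13:40|4624|admin-j.doe|10.0.250.7|DC02
2024-10-01T02:14:00|4625|admin-j.doe|10.0.250.7|DC02
"""


def parse_event(line):
    """Parse one pipe-delimited event into a dict; return None for malformed lines."""
    parts = line.strip().split("|")
    if len(parts) != 5:
        return None
    ts, event_id, account, src_ip, host = parts
    try:
        return {
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "account": account,
            "src_ip": ipaddress.ip_address(src_ip),
            "host": host,
        }
    except ValueError:
        return None


def detect(lines, window=timedelta(minutes=10), host_threshold=3):
    """Run three lateral-movement heuristics over successful logons; return alert dicts."""
    events = [e for e in map(parse_event, lines) if e and e["event_id"] == 4624]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    recent = defaultdict(list)   # account -> [(ts, host)] seen inside the sliding window
    fan_out_alerted = set()      # raise the fan-out alert once per account

    for e in events:
        from_appliance = e["src_ip"] in APPLIANCE_MGMT_NET

        # Rule 1: an appliance management address should never log on to a domain controller.
        if from_appliance and e["host"] in DOMAIN_CONTROLLERS:
            alerts.append({"rule": "appliance_to_dc", "account": e["account"],
                           "host": e["host"], "ts": e["ts"]})

        # Rule 2: a privileged account used from the appliance subnet suggests
        # credentials harvested from a compromised edge device.
        if from_appliance and e["account"] in PRIVILEGED_ACCOUNTS:
            alerts.append({"rule": "privileged_from_edge", "account": e["account"],
                           "host": e["host"], "ts": e["ts"]})

        # Rule 3: one account reaching many distinct hosts within the window (fan-out).
        bucket = recent[e["account"]]
        bucket.append((e["ts"], e["host"]))
        bucket[:] = [(t, h) for t, h in bucket if e["ts"] - t <= window]
        hosts = {h for _, h in bucket}
        if len(hosts) >= host_threshold and e["account"] not in fan_out_alerted:
            fan_out_alerted.add(e["account"])
            alerts.append({"rule": "fan_out", "account": e["account"],
                           "host": sorted(hosts), "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(a["rule"], a["account"], a["host"], a["ts"].isoformat())
```

On the constructed log, the ordinary user j.doe produces nothing, while admin-j.doe sourced from the appliance subnet trips all three rules; the failed 4625 logon is ignored because only successful logons count toward lateral movement. In a real deployment the subnet, DC and privileged-account lists would come from the asset inventory, and the fan-out threshold and window would be tuned against a baseline of normal administrative activity.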
What is the exposure or risk?
Salt Typhoon’s advanced illicit cyber operations pose serious threats to the telecoms and national security sectors. By hacking into ISPs, they can gain access to sensitive data, including court-authorized wiretaps and communication networks. This exposure jeopardizes communication privacy by enabling unauthorized data capture and exfiltration, and potentially disrupts crucial investigations into national security threats.
Additionally, Salt Typhoon’s ability to exploit weaknesses in routers, VPNs, and firewalls can allow for lateral movement across networks. This increases the potential for extensive data modification once privilege escalation is achieved. Damage to key infrastructure threatens both the functionality of secure communication systems and public trust in authorized surveillance methods.
What are the recommendations?
Barracuda recommends the following actions to protect your environment against potential attacks:
- Implement firewalls, intrusion detection/prevention systems (IDPS), and endpoint protection solutions to safeguard against unauthorized access and malicious activities.
- Schedule routine security audits and penetration testing to identify and remediate vulnerabilities within your networks.
- Enforce strict access control measures, including multi-factor authentication (MFA) and role-based access, to limit exposure of sensitive data and systems.
- Conduct regular training to educate employees on phishing, social engineering, and cybersecurity best practices.
- Create and regularly update an incident response plan to ensure your organization is prepared to handle potential breaches effectively.
- Establish a robust data protection plan in case of a breach.
- Regularly update and patch all software, operating systems, and applications to protect against known vulnerabilities and exploits.
References
For more in-depth information about the recommendations, please visit the following links:
- Reports: China hacked Verizon and AT&T, may have accessed US wiretap systems – Ars Technica
- AT&T, Verizon reportedly hacked to target US govt wiretapping platform (bleepingcomputer.com)
- U.S. Officials Race to Understand Severity of China’s Salt Typhoon Hacks (msn.com)
- The 30-year-old internet backdoor law that came back to bite | TechCrunch
If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.