China's Salt Typhoon Cooks Up Cyberattacks on US ISPs

Published: 23/11/2024   Category: security




The state-sponsored advanced persistent threat (APT) is going after high-value communications service provider networks in the US, potentially with a dual set of goals.



A freshly discovered advanced persistent threat (APT) dubbed Salt Typhoon has reportedly infiltrated Internet service provider (ISP) networks in the US, looking to steal information and potentially set up a launchpad for disruptive attacks.
Citing people familiar with the matter, the Wall Street Journal broke the news on Sept. 25 that the Chinese state-sponsored hackers have successfully targeted a handful of cable and broadband service providers during the campaign.
Other details are scant, but Salt Typhoon's efforts highlight China's priorities when it comes to geopolitical realities, researchers note.
For instance, a position within the service provider network would offer valuable reconnaissance for how to further target high-value marks working for the federal government, law enforcement, manufacturers, military contractors, and Fortune 100 companies. 
"Obtaining access to ISPs would make it easier to survey those users of the ISPs for information on their location and what kinds of services are being accessed," says Sean McNee, vice president of research and data at DomainTools. "Bad actors could get information about the ISP's users, where they live and billing information, and what kind of access or usage they have, [who they call, and] text messages."
But the concern doesn't stop there. Given China's desire to control Taiwan and other assets in the region, there's very likely a military component to the campaign as well.
"Based on the recent history of Chinese-sponsored cyber campaigns and warnings from [the Cybersecurity and Infrastructure Security Agency] and FBI, China has escalated from surveillance-only goals toward installing an offensive capability to disrupt critical US civilian and military infrastructure," warns Sean Deuby, principal technologist at Semperis. "This could potentially range from blinking the lights to dissuade US intervention to actively delaying or crippling a US response to Chinese activities."
There's precedent for that assessment. Microsoft outed Volt Typhoon in January and its alarming efforts to plant itself inside military bases, critical infrastructure assets, and telecom infrastructure, all with the goal of being able to cause outages, disrupt communications, and sow panic in the event of a kinetic conflict with the US in the South China Sea. Since then, China has denied the allegations, while the APT has been actively expanding its efforts despite its cover being blown.
The development is the latest in a string of Chinese-sponsored efforts to subvert critical infrastructure in the US and destabilize Pacific Rim allies, many flagged by Microsoft using hurricane-related names.
For instance, a Chinese threat actor known as Flax Typhoon emerged a year ago, using legitimate tools and utilities built into the Windows operating system to carry out an extremely stealthy and persistent spy operation against entities in Taiwan. Last week, news emerged that the APT had built a 200,000-device Internet of Things (IoT) botnet in order to gain a foothold in government, military, and critical manufacturing targets in the US.
There's also the APT that Microsoft calls Brass Typhoon (aka APT41, Earth Baxia, and Wicked Panda), which recently attacked Taiwanese government agencies, the Filipino and Japanese militaries, and energy companies in Vietnam, installing backdoors for cyberespionage purposes.
On top of that, other China-linked groups, such as Mustang Panda, have made a name for themselves in specifically targeting communications service providers, especially in Taiwan and other countries of interest.
"Chinese-backed threat actors have been conducting attacks against telcos for as long as I can remember," Semperis' Deuby says. "Historically, their goals are to create persistence in the carrier. By that I mean they will infiltrate a target, gain a foothold, and then move laterally with the goal of maintaining persistence and extracting data from strategic targets as needed."
He adds that lurking and listening is a specialty: While Chinese government actors were behind the infamous Operation Soft Cell campaign in 2019, where the threat actor stole call data records, they had infiltrated some of the telcos more than five years before being discovered.
The ongoing targeting of communications infrastructure should put carriers and service providers on notice to harden their defenses.
Aside from phishing and social engineering of employees, Terry Dunlap, chief security strategist at NetRise, notes that attacks on the firmware and on the supply chain of core network gear could both be avenues into ISPs.
"ISPs' blind spots are the firmware running their devices. Most firmware contains insecure or sloppy code that can be easily exploited, if discovered," he notes. "Another attack vector would be the supply chain. For example, if the Ethernet controller in a router or switch is supplied by a Chinese company, there are scenarios where malicious code or backdoors could be integrated into that Ethernet controller, providing an adversary easy access to that important piece of networking equipment."
In 2020, the World Economic Forum and its global partners developed a set of best practices for ISPs (PDF), including principles such as sharing threat intelligence between peers, working more closely with hardware manufacturers to increase minimum levels of security, and improving routing security, Deuby says.
"Still, as someone that's talked to many organizations about the well-understood security steps they should be taking versus their actual security posture, I'm sure plenty of gaps remain."
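The "improving routing security" principle above is the one item on that list an ISP can turn directly into a machine-checkable control. The following is an added example, not code from the article, the WEF document or any of the quoted vendors; it assumes that routing security means BGP route origin validation against RPKI Route Origin Authorizations (ROAs), and the ROAs and announcements it uses are constructed for illustration (documentation prefixes and private-use AS numbers).

```python
"""Route origin validation (ROV) against a constructed set of RPKI ROAs.

Added example for illustration only: the ROAs and BGP announcements below are
constructed test data (RFC 5737/3849 prefixes, RFC 6996 private ASNs), not real
routing data. The states follow RFC 6811: valid, invalid, not-found.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # authorised prefix, e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length the holder permits to be announced
    asn: int          # origin AS authorised to announce it


# Constructed ROA set standing in for what a validating cache (RTR server) would serve.
SAMPLE_ROAS = (
    ROA("192.0.2.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64496),
)


def roa_covers(roa: ROA, announced: ipaddress._BaseNetwork) -> bool:
    """True if the ROA's prefix covers the announced prefix (same address family)."""
    roa_net = ipaddress.ip_network(roa.prefix, strict=False)
    if roa_net.version != announced.version:
        return False  # subnet_of() raises on mixed v4/v6, so compare families first
    return announced.subnet_of(roa_net)


def validate_origin(prefix: str, origin_asn: int, roas=SAMPLE_ROAS) -> str:
    """Classify one announcement as 'valid', 'invalid' or 'not-found'.

    - not-found: no ROA covers the prefix at all (RPKI says nothing about it).
    - valid: at least one covering ROA matches both the origin AS and maxLength.
    - invalid: covering ROAs exist but none matches (wrong origin, or announced
      prefix is more specific than the holder allowed, i.e. a classic hijack shape).
    """
    announced = ipaddress.ip_network(prefix, strict=False)
    covering = [r for r in roas if roa_covers(r, announced)]
    if not covering:
        return "not-found"
    for r in covering:
        if r.asn == origin_asn and announced.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def apply_rov_policy(announcements, roas=SAMPLE_ROAS, drop_not_found=False):
    """Return (accepted, dropped) lists for a batch of (prefix, origin_asn) pairs.

    Common operator policy is to drop 'invalid' and accept 'not-found', because
    ROA coverage is still incomplete; drop_not_found=True models the stricter stance.
    """
    accepted, dropped = [], []
    for prefix, asn in announcements:
        state = validate_origin(prefix, asn, roas)
        if state == "invalid" or (state == "not-found" and drop_not_found):
            dropped.append((prefix, asn, state))
        else:
            accepted.append((prefix, asn, state))
    return accepted, dropped


# Constructed announcements: one legitimate, one more-specific hijack, one wrong origin,
# one uncovered prefix, one legitimate IPv6 announcement at the permitted maxLength.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),
    ("192.0.2.0/25", 64496),
    ("192.0.2.0/24", 64511),
    ("198.51.100.0/24", 64496),
    ("2001:db8:1::/48", 64496),
]

if __name__ == "__main__":
    ok, bad = apply_rov_policy(SAMPLE_ANNOUNCEMENTS)
    for row in ok:
        print("ACCEPT", row)
    for row in bad:
        print("DROP  ", row)
```

The more-specific announcement (`192.0.2.0/25`) is the case worth noting: its origin AS is correct, but it exceeds the ROA's maxLength, so ROV marks it invalid. That is exactly the shape of a traffic-interception hijack, and it is the reason maxLength should be set no longer than what is actually announced.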
