Salt Typhoon’s Reach Continues to Grow
The US government has identified a ninth telecom that was successfully hacked by Salt Typhoon.
Wannabe Techguy • December 31, 2024 12:07 PM
Of course. I’m sure those vulnerable systems help the governments do their thing.
Which is why, as a non-IT pro, I’ve never understood why the pros trust any guidelines issued by governments. Are they really going to strengthen security? I’ve asked this what I think is a reasonable question before, only to get mocked as if this is High School, with no actual answer.
Bob • December 31, 2024 1:16 PM
@lurker
We know that voluntary cyber security practices are inadequate to protect against even the most basic of skiddies.
Arclight • December 31, 2024 3:07 PM
Now that the CALEA system is being audited top to bottom by third party remediation consultants, I expect that we will find all kinds of abuses that are happening within “lawful access” and not just by Chinese hackers.
I’m guessing some folks at a few agencies are sweating a bit now.
Dave • December 31, 2024 8:30 PM
One wonders if one hand knows what the other is doing…
Comment: From the State Council of the People’s Republic of China…
“protect the legitimate rights and interests of individuals and organizations…”
and
About this website…
“We welcome your suggestions to help us serve you better.”
Links:
https://english.www.gov.cn/policies/latestreleases/202409/30/content_WS66fab6c8c6d0868f4e8eb720.html
https://english.www.gov.cn/archive/202303/28/content_WS64227cbfc6d0f528699dc56b.html
I am currently risk averse on purchasing products made in China.
Celos • January 2, 2025 12:24 AM
At least one good thing is coming out of this: We have now a pretty strong reference case that shows what a bad idea CALEA-type snooping interfaces are. While any competent security expert has known for decades that these are a really bad idea, the public and politicians remained, as usual, ignorant and believed in some magic security that these things have just because they are “official” and “legal”. Hence it might get a bit easier to argue against them now.
Rational Point • January 2, 2025 1:42 AM
There appears to be a Chinese “house” of espionage so to speak at work hacking some U.S. telecoms. The technical details of who they are, what vulnerabilities they are taking advantage of, and how they are getting in would be interesting.
But other than that, exactly who or what “Salt Typhoon” is or is not is up for endless debate between the executive Cabinet and Congress.
Dalin Owen • January 3, 2025 3:57 PM
In a perfect world we would have open source basebands for mobile devices, SIM cards that aren’t running ancient JavaCard junk, end-to-end encryption everywhere, and verifiably secure operating systems and chip fabrication.
Then these attacks would be largely useless. Really, at the end of the day the security needs to be on the endpoint. Network security is a great goal to have and we should still try, but we obviously can’t rely on it.
ResearcherZero • January 4, 2025 2:06 AM
Salt Typhoon and Flax Typhoon are affiliated with the Ministry for State Security.
Volt Typhoon instead operates under the direction of the People’s Liberation Army.
Salt Typhoon and Flax Typhoon carry out noisy espionage activities, while Volt Typhoon engages in more stealthy, long-term persistence operations which are far harder to detect.
A good jumping off point to understand what these various Chinese APTs are up to:
https://www.bloomberg.com/news/features/2025-01-03/chinese-cyber-hackers-terrify-us-intelligence-after-infiltrating-guam
Salt Typhoon (Earth Estries, FamousSparrow, GhostEmperor, UNC2286) mainly targets ISPs.
https://eclypsium.com/blog/the-rise-of-chinese-apt-campaigns-volt-typhoon-salt-typhoon-flax-typhoon-and-velvet-ant/
ResearcherZero • January 4, 2025 2:20 AM
The different naming conventions that various cyber security companies use make it difficult to follow who is who. Salt Typhoon is the same group that developed the Demodex rootkit.
Salt Typhoon often first attacks edge devices then moves deeper into networks and into the business partners of the company which served as their original point of entry. They also have a modular malware tool named GhostSpider where each module looks entirely different.
https://www.sygnia.co/blog/ghost-emperor-demodex-rootkit/
Salt Typhoon is quite sophisticated and uses multiple backdoors to maintain access.
https://industrialcyber.co/ransomware/chinese-apt-group-earth-estries-targets-critical-infrastructure-sectors-with-advanced-cyber-attacks/
lurker • December 30, 2024 12:40 PM
Whether it’s done by slack security practice or deliberate backdoors, it has been going on forever. The latest news is that our governments have pretended such vulnerable systems are good enough for our citizens to carry out their private and public business.