Those with firsthand knowledge of Salt Typhoon’s hack of several U.S. telecommunications companies have described the group’s actions as some of the most sophisticated cyber-espionage efforts they have ever seen. Trend Micro, a prominent security vendor, has released a report revealing the tactics, techniques, and procedures used by Salt Typhoon, which it calls one of “the most aggressive Chinese advanced persistent threat (APT) groups” currently in operation.
Although Trend Micro explicitly states that it does not have any evidence that the malware detailed in the report was used in the telecom hacks, researchers noted that several pieces of malware linked to the group have been used to infiltrate other telecommunications companies and government entities around the world. The group, tracked as “Earth Estries” and also known as FamousSparrow, GhostEmperor, and UNC2286, has used the malware in the U.S., Asia-Pacific, Middle East, and South Africa.
The report details how the group gains access, deploys malware, and remains hidden within infiltrated systems. Salt Typhoon exploits several known vulnerabilities, including:
- Ivanti Connect Secure VPN (CVE-2023-46805 and CVE-2024-21887)
- Fortinet FortiClient EMS SQL Injection Vulnerability (CVE-2023-48788)
- Sophos Firewall Code Injection (CVE-2022-3236)
- Microsoft Exchange ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065)
Trend Micro reports that the group often uses legitimate tools like Windows Management Instrumentation Command (WMIC.exe) or PsExec to further penetrate networks. Once inside, they deploy sophisticated malware referred to as “backdoors,” such as GhostSpider, SnappyBee, and Masol RAT. GhostSpider is a multi-modular backdoor designed to deploy various components for specific functions, enhancing its adaptability and making it harder to detect.
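The living-off-the-land tools named above are the part of this tradecraft a defender can hunt for without knowing the malware. The following is an added example, not code from the article or from Trend Micro's report: a small classifier run over constructed Windows process-creation records (field names loosely follow Sysmon Event ID 1 / Security 4688; hosts, users and command lines are made up) that flags WMIC remote execution and PsExec client and service activity.

```python
"""Added example: flag WMIC.exe and PsExec lateral-movement patterns in
process-creation telemetry. All sample records below are constructed."""
import re
from typing import Iterable, Optional

# Constructed sample telemetry; hostnames, users and addresses are placeholders.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:"10.0.0.5" /user:CORP\svc process call create "cmd.exe /c whoami"'},
    {"host": "ws01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get caption"},                      # local, benign-looking use
    {"host": "srv02", "user": "CORP\\admin", "image": r"C:\Tools\PsExec64.exe",
     "cmdline": r"PsExec64.exe \\srv03 -s cmd.exe"},
    {"host": "srv03", "user": "NT AUTHORITY\\SYSTEM", "image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": "PSEXESVC.exe"},
    {"host": "ws02", "user": "CORP\\asmith", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

WMIC_REMOTE = re.compile(r"/node:", re.IGNORECASE)                 # WMIC targeting another host
PSEXEC_CLIENT = re.compile(r"psexec(64)?\.exe.*\\\\", re.IGNORECASE)  # PsExec given a \\target
PSEXEC_SERVICE = re.compile(r"psexesvc\.exe$", re.IGNORECASE)      # service PsExec installs remotely


def classify(event: dict) -> Optional[str]:
    """Return a finding label for one record, or None if nothing matched."""
    image, cmd = event["image"], event["cmdline"]
    if image.lower().endswith("wmic.exe") and WMIC_REMOTE.search(cmd):
        return "wmic_remote_exec"
    if PSEXEC_CLIENT.search(cmd):
        return "psexec_client"
    if PSEXEC_SERVICE.search(image):
        return "psexec_service"
    return None


def scan(events: Iterable[dict]) -> list:
    """Return (host, label) pairs for every record that matched a pattern."""
    return [(e["host"], label) for e in events if (label := classify(e))]


if __name__ == "__main__":
    for host, label in scan(SAMPLE_EVENTS):
        print(f"{host}: {label}")
```

Local WMIC queries and the notepad record pass through untouched; the point is to correlate the client-side launch on one host with the PSEXESVC service appearing on another, which is the pairing an analyst would triage first.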
The report also highlights the group’s complex command and control infrastructure, managed by specialized teams, which enables them to run multiple missions simultaneously and provides additional resilience.
The ability to remain hidden in networks has raised significant concern among government officials about the intrusion into U.S. telecom networks. Sen. Mark Warner, D-Va., called it “the worst telecom hack in our nation’s history – by far,” and noted that the attackers are still present in the systems.
Despite their sophisticated tactics, the threat group does not create all of its malware from scratch. Trend Micro states that the group uses malware-as-a-service (MaaS) platforms to deploy a variety of malicious tools, allowing them to focus on planning and executing complex attacks while leveraging the latest malware technology.
The espionage campaign reportedly targeted the phones of top members of the Donald Trump campaign, including the president-elect himself, and top U.S. officials. While few details have been made public, several congressional panels have been briefed on the campaign’s details.
The full report is available from Trend Micro.