China-Backed Salt Typhoon Targets U.S. Internet Providers: Report
Another threat group linked to the Chinese government reportedly has compromised important networks in the United States, this time targeting U.S. internet service providers (ISPs) to collect sensitive information from the companies and possibly to launch cyberattacks.
The Wall Street Journal, citing people familiar with the situation, reported Wednesday that the group, tracked as Salt Typhoon, has in recent months gained access to the IT environments of several ISPs.
The WSJ report echoed a similar one by The Washington Post late last month, which noted that a Chinese hacker group had accessed at least two top U.S. providers that combined had millions of customers along with several smaller providers.
The Post story didn’t attribute the attacks to a named group, but several people the news organization spoke to said the tactics and resources used in the attacks were similar to those used by Volt Typhoon, another China-linked group that has targeted the networks of critical infrastructure organizations.
The WSJ report said that Salt Typhoon’s bad actors have gained access to broadband networks in the United States with plans to establish persistence in the infrastructure of the victim providers.
An Aggressive Adversary
Salt Typhoon is the latest example of a ramped-up and aggressive effort by the Chinese government through such threat groups to infiltrate the networks of critical infrastructure organizations. China is taking a long-term view of such cyberespionage campaigns, with operations lasting years.
U.S. government agencies including CISA, the FBI and the National Security Agency (NSA), working with private cybersecurity companies, announced last week that they had disrupted a massive botnet built by another China-linked group, Flax Typhoon. The botnet was assembled over four years and comprised more than 20,000 internet of things (IoT) and other devices, including small office/home office (SOHO) routers, firewalls and network-attached storage (NAS) systems.
The botnet was used in a range of activities, including running distributed denial-of-service (DDoS) attacks, compromising networks and deploying malware.
Lying in Wait
Earlier this year, the United States pointed to an ongoing campaign by an advanced persistent threat (APT) group called Volt Typhoon that had gained access to networks and computers of organizations in critical infrastructure sectors – including communications, energy, transportation and water – and was continuing to hide in them, pre-positioning itself to move laterally into operational technology (OT) assets and disrupt operations if a conflict arose between China and the United States.
The group has hidden in some of those networks and computers for as long as five years, according to the agencies.
China has become a key cybersecurity concern for U.S. agencies. The Office of the Director of National Intelligence in a 2023 report called China “the broadest, most active, and persistent cyber espionage threat to the U.S. Government and private-sector networks.” FBI Director Christopher Wray has testified often about the threat China presents, testifying last year that “there’s no country that presents a more significant threat to our innovation, our ideas, our economic security, our national security than the Chinese government.”
More Typhoons in the Forecast
Cybersecurity experts said that Salt Typhoon is not the last of its kind.
“It’s likely we’re going to see more of these Typhoon variants,” John Terrill, CISO of Phosphorus Security, told Security Boulevard. “In the past, the expectation for cybersecurity teams was to build defenses to the level of capabilities of the expected attacker, which was normally hacktivists and criminals. With the increasing amount of Typhoon activity across multiple industries, I think we’re facing a new expectation that we may all have to start increasing our cybersecurity programs to account for nation-states.”
Targeting ISPs isn’t surprising, given the amount of information that runs over their networks, according to Sean McNee, vice president of research and data at DNS-based threat intelligence company DomainTools. That includes information about the providers’ users, including where they live, billing data, and the kind of access or usage they have.
“Once ISPs are targeted, these threat actors are likely searching for information that would support their original intent of reaching the users of the ISPs,” McNee said. “The most common information that would support these efforts would include call data records, text messages and location data. This is supported by several past reports that are specifically tied to Chinese-sponsored threat actors like Salt Typhoon.”
Phosphorus’ Terrill said that nation-states target ISPs “either as a pivot point into another environment or a collection point for a lot of data that traverses their infrastructure. It’s why when you’re thinking about attacker personas and capabilities, you don’t worry that much about breaking encryption – unless you’re worried about nation-states. The joke in the hacker community is that ‘math is hard,’ insinuating that you go after the endpoint as the data is already decrypted by that point.”