Threat ActorSalt Typhoon
Description
Salt Typhoon is believed to be a threat actor connected to The People's Republic of China and has been in operation since 2019. Salt Typhoon's primary targets have been within the United States, Southeast Asia and various African countries, focusing on information theft and espionage. Also known as FamousSparrow, GhostEmperor, Earth Estries and UNC2286, the group was first observed in 2024 and was believed to be responsible for infiltrating Internet Service Providers (ISPs) in the United States to obtain data related to law enforcement activities.
Aliases
- UNC2286
- RedMike
- GhostEmperor
- Earth Estries
- FamousSparrow
Common Vulnerabilities and Exposures
Targeted Industries
- Hospitality
- Government
- Telcommunications
Objectives
Cyber Espionage and Data Exfiltration
Known Tools Used
- BITSAdmin
- CertUtil
- Cheat Engine driver
- Cobalt Strike
- CrowDoor
- Demodex
- Get-PassHashes.ps1
- GhostSpider
- HEMIGATE
- JumbledPath
- Ladon
- Malleable C2
- Masol RAT
- mimkat_ssp
- NBTscan
- Powercat
- Powershell
- ProcDump
- PsExec
- PsList
- ShadowPad
- SMB
- SnappyBee
- SparrowDoor
- Token.exe
- TrillClient
- WinRAR
- WMIC
- WMIExec
- ZINGDOOR
Known Infection Vectors
- CVE-2018-0171 (Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability)
- CVE-2021-26855 (ProxyLogon)
- CVE-2021-26857 (Microsoft Exchange Server Remote Code Execution Vulnerability)
- CVE-2021-26858 (Microsoft Exchange Server Remote Code Execution Vulnerability)
- CVE-2021-27065 (Microsoft Exchange Server Remote Code Execution Vulnerability)
- CVE-2022-3236 (Sophos Firewall User Portal and Webadmin Code Injection Vulnerability)
- CVE-2023-20198 (Cisco IOS XE Web UI Privilege Escalation Vulnerability)
- CVE-2023-20273 (Cisco IOS XE webui rest Command Injection Vulnerability)
- CVE-2023-46805 (Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability)
- CVE-2023-48788 (FortiClientEMS DAS SQL injection Vulnerability)
- CVE-2024-12356 (BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) Command Injection Vulnerability)
- CVE-2024-12686 (BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) OS Command Injection Vulnerability)
- CVE-2024-21887 (Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability)
- CVE-2024-3400 (Palo Alto Networks PAN-OS Command Injection Vulnerability)
References
Threat Actor FamousSparrow Targeting Hotels, Governments and Businesses Worldwide (Fortinet)
https://www.fortiguard.com/threat-signal-report/4164
Salt Typhoon (MITRE)
https://attack.mitre.org/groups/G1045/
Strengthening America’s Resilience Against the PRC Cyber Threats (CISA)
https://www.cisa.gov/news-events/news/strengthening-americas-resilience-against-prc-cyber-threats
Cyber threat bulletin: People's Republic of China cyber threat activity: PRC cyber actors target telecommunications companies as part of a global cyberespionage campaign (Canadian Centre for Cyber Security)
https://www.cyber.gc.ca/en/guidance/cyber-threat-bulletin-prc-cyber-actors-target-telecommunications-companies-global-cyberespionage-campaign
China-Linked Hackers Breach U.S. Internet Providers in New ‘Salt Typhoon’ Cyberattack (Wall Street Journal)
https://www.wsj.com/politics/national-security/china-cyberattack-internet-providers-260bd835
