<h1>US hits back against China’s Salt Typhoon group</h1>
<p>Published 2025-01-17</p>
<p>The US is hitting back against the threat group, dubbed Salt Typhoon by Microsoft, which is <a href="https://www.csoonline.com/article/3632044/more-telecom-firms-were-breached-by-chinese-hackers-than-previously-reported.html">allegedly behind recent cyber attacks against American telecommunications providers</a>, as part of a wider campaign against China-based hacking.</p>
<p>On Friday the Department of the Treasury’s Office of Foreign Assets Control (OFAC) said it is sanctioning Sichuan Juxinhe Network Technology, a Sichuan-based cybersecurity company, for its alleged direct involvement in the Salt Typhoon cyber group.</p>
<p>Also being sanctioned is Yin Kecheng, a Shanghai-based cyber actor who allegedly was involved with the <a href="https://www.csoonline.com/article/3630539/us-treasury-department-workstations-breached-in-attack-attributed-to-china.html">recent compromise of the Treasury network</a>.</p>
<p>But experts warn it will take a lot more to deter this and other Chinese-aligned groups.</p>
<p>In a statement, John Hultquist, chief analyst at Mandiant Intelligence, said, “unfortunately, the actors behind these attacks are unlikely to be entirely deterred by these actions.”</p>
<p>“But,” he added, “it’s important to shed a light on their operations and add as much friction as possible. Espionage is not likely to go away anytime soon, but we can expose it and adapt. These actors are certainly focused on adapting to us.”</p>
<p>Canada-based cybersecurity consultant David Swan agreed. He said, “China has been working to penetrate North American telecommunications for a long time … Is the PRC [People’s Republic of China] going to be hard to dig out? Hell yes!”</p>
<p>“I think it’s a good first step,” said Gabrielle Hempel, a customer solutions engineer at Exabeam who has a master’s degree in global affairs and cybersecurity and is also a first-year law student.</p>
<p>But, she added, “[economic] sanctions are such a gray area. In a lot of ways they are very symbolic and difficult to enforce. They show the United States is taking action. But it’s not necessarily a practical way of disrupting any of these groups. An individual, yes, it might have a lot of impact if they had US financial assets or something along those lines. But state-sponsored threat actors have so many resources and protections that really make sanctions not impactive at all.”</p>
<p>For example, she said, North Korean threat actors are using cryptocurrency work-arounds to get past sanctions.</p>
<p>“We really need to continue to work with allies and partners” with tools such as “naming and shaming” threat actors, offensive cyber tactics, criminal indictments, and targeting a group’s supportive financial or IT infrastructure, she said.</p>
<p>In a statement announcing the action, the Treasury Department said People’s Republic of China-linked malicious cyber actors continue to target US government systems, such as the Treasury’s IT systems, as well as sensitive US critical infrastructure.</p>
<p>“The Treasury Department will continue to use its authorities to hold accountable malicious cyber actors who target the American people, our companies, and the United States government, including those who have targeted the Treasury Department specifically,” Deputy Treasury Secretary Adewale Adeyemo said in the statement.</p>
<p>Other recent US sanctions against Chinese threat groups include:</p>
<ul>
<li>action <a href="https://www.csoonline.com/article/3631635/us-government-sanctions-chinese-cybersecurity-company-linked-to-apt-group.html">against Integrity Technology Group</a> (Integrity Tech) for allegedly providing the computer infrastructure that the Flax Typhoon group used in its operations between the summer of 2022 and fall 2023;</li>
<li><a href="https://www.csoonline.com/article/3621864/us-sanctions-chinese-cybersecurity-firm-over-global-malware-campaign.html">action against Sichuan Silence Information Technology</a> and one of its employees, Guan Tianfeng, for their alleged involvement in a 2020 global cyberattack that exploited zero-day vulnerabilities in firewalls;</li>
<li>action against Wuhan XRZ, an alleged Wuhan, China-based Ministry of State Security (MSS) front company that <a href="https://home.treasury.gov/news/press-releases/jy2205">the US says</a> has served as cover for multiple malicious cyber operations.</li>
</ul>
<p>Stung by the Salt Typhoon attack, <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a">the Volt Typhoon compromise of IT networks</a> of American communications, transportation and water utilities, and <a href="https://www.csoonline.com/article/3803543/cisa-warns-second-beyondtrust-vulnerability-also-exploited-in-the-wild.html">the recent Treasury hack</a>, the US Cybersecurity and Infrastructure Security Agency (CISA) mounted a defense of its actions.</p>
<p>This week, CISA director Jen Easterly <a href="https://www.cisa.gov/news-events/news/strengthening-americas-resilience-against-prc-cyber-threats">blogged that</a> China’s “sophisticated and well-resourced cyber program represents the most serious and significant cyber threat to our nation, and in particular, US critical infrastructure.”</p>
<p>Easterly, who may be replaced soon by the new Trump administration amid complaints by Republicans that her agency has been more focused on countering disinformation than on protecting critical infrastructure, wrote that over the past two years, CISA and industry partners have been “laser focused on deterring <a href="https://www.cisa.gov/topics/cyber-threats-and-advisories/nation-state-cyber-actors/china">China’s cyber aggression</a>, working with critical infrastructure entities across the nation to identify and evict Chinese cyber actors, whether they are focused on espionage — such as the recent ‘Salt Typhoon’ campaign against US telcos — or disruption — the ‘Volt Typhoon’ campaign designed to disrupt or destroy our most sensitive critical infrastructure.”</p>
<p>She added, “while PRC cyber actors have attempted to evade detection by using living off the land methods — hiding their activity within the native processes of computer operating systems — our world class team of threat hunters have detected them and assisted critical infrastructure partners in evicting them.”</p>
<p><a href="https://www.fortiguard.com/threat-actor/5557/salt-typhoon">According to FortiGuard Labs</a>, Salt Typhoon, which is also known to cybersecurity companies as UNC5807 (Mandiant), Earth Estries (Trend Micro), FamousSparrow (ESET) and GhostEmperor (Kaspersky), has been operating since 2019, going after targets in a number of countries and focusing on information theft and espionage. Among its favored tactics is exploiting CVE-2021-26855, also known as ProxyLogon, a Microsoft Exchange Server vulnerability that allows an attacker to bypass authentication.</p>
<p><a href="https://www.trendmicro.com/en_us/research/24/k/earth-estries.html">Last November, Trend Micro reported</a> that Salt Typhoon/Earth Estries also goes after unpatched instances of Ivanti Connect Secure VPN through CVE-2023-46805 and CVE-2024-21887.</p>
<p>Trend Micro also discovered that this group is using a new backdoor. Dubbed GhostSpider, it was found after attacks on Southeast Asian telecom companies. It’s a sophisticated multi-modular backdoor designed with several layers to load different modules based on specific goals. This backdoor communicates with its command and control server using a custom protocol wrapped in Transport Layer Security (TLS), so its traffic is encrypted in transit.</p>
<p>The Trend Micro report has a lot of detail on this backdoor and on the group’s other attacks that CISOs and infosec pros may find useful.</p>