{"id":386,"date":"2024-09-26T12:07:17","date_gmt":"2024-09-26T12:07:17","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=386"},"modified":"2024-09-26T12:07:17","modified_gmt":"2024-09-26T12:07:17","slug":"chinese-hackers-allegedly-hacked-us-isps-for-cyber-espionage","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=386","title":{"rendered":"Chinese hackers allegedly hacked US ISPs for cyber espionage"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Chinese state-sponsored hackers have been found to have gained access to multiple US internet service providers (ISPs) to establish persistence and carry out cyber espionage activities.<\/p>\n<p>The Chinese <a href=\"https:\/\/www.csoonline.com\/article\/548564\/5-signs-youve-been-hit-with-an-apt.html\">APT<\/a> group, Salt Typhoon, infiltrated these services in recent months in \u201cpursuit of sensitive information,\u201d\u00a0according to a WSJ report.<\/p>\n<p>\u201cInvestigators are exploring whether the intruders gained access to Cisco Systems routers, core network components that route much of the traffic on the internet,\u201d WSJ reported, citing people familiar with the matter. 
A Cisco spokesperson reportedly said \u201cno Cisco Routers were involved\u201d in the Salt Typhoon activity.<\/p>\n<p>The threat actor, which other vendors track as GhostEmperor and FamousSparrow, is known to have exploited unpatched <a href=\"https:\/\/www.csoonline.com\/article\/570653\/the-microsoft-exchange-server-hack-a-timeline.html\" target=\"_blank\" rel=\"noopener\">Microsoft Exchange Server vulnerabilities<\/a> in 2021 to gain initial access to networks.<\/p>\n<h2 class=\"wp-block-heading\">Infecting ISPs through zero-days<\/h2>\n<p>It has become commonplace for hackers linked to the Chinese government to attempt cyber espionage on US soil. These groups typically gain entry by exploiting vulnerabilities in internet-facing network devices.<\/p>\n<p>Previously, Black Lotus Labs observed China\u2019s Volt Typhoon <a href=\"https:\/\/www.csoonline.com\/article\/3497078\/chinas-volt-typhoon-exploits-versa-zero-day-to-hack-us-isps-and-it-firms.html\" target=\"_blank\" rel=\"noopener\">exploiting a zero-day vulnerability<\/a> in Versa Director, a software platform for managing SD-WAN infrastructure used by ISPs and managed service providers (MSPs).<\/p>\n<p>In February, CISA, the NSA, and the FBI issued a joint <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa24-038a\">advisory<\/a> on Volt Typhoon\u2019s threat activities, listing the tactics, techniques, and procedures (TTPs) used by the group. \u201cThe US authoring agencies have confirmed that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations \u2014 primarily in Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors \u2014 in the continental and non-continental United States and its territories, including Guam,\u201d the advisory said. 
<\/p>\n<p>In a December 2023 operation, the FBI <a href=\"https:\/\/www.justice.gov\/opa\/pr\/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical\" target=\"_blank\" rel=\"noopener\">disrupted<\/a> part of Volt Typhoon\u2019s operations by taking down a botnet of hundreds of US-based small-office or home-office (SOHO) routers.\u00a0<\/p>\n<p>To obtain initial access, Volt Typhoon actors commonly exploit vulnerabilities in networking appliances such as those from Fortinet, Ivanti Connect Secure (formerly Pulse Secure), NETGEAR, Citrix, and Cisco. Salt Typhoon, along with another China-linked APT, <a href=\"https:\/\/www.csoonline.com\/article\/3532252\/reveal-of-chinese-controlled-botnet-is-another-warning-to-cisos-to-keep-up-with-asset-and-patch-management.html\" target=\"_blank\" rel=\"noopener\">Flax Typhoon<\/a>, likely employs similar techniques to gain initial access.<\/p>\n<p>Salt Typhoon\u2019s activities are part of a larger pattern of Chinese cyber operations aimed at embedding within the infrastructure of foreign nations, with a focus on espionage and potential disruption. Attacks on ISPs are particularly dangerous because they can expose sensitive communications, provide a foothold for future cyberattacks, and undermine national security.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Chinese state-sponsored hackers have been found to have gained access to multiple US internet service providers (ISPs) to establish persistence and carry out cyber espionage activities. The Chinese APT group, Salt Typhoon, infiltrated these services in recent months in \u201cpursuit of sensitive information,\u201d\u00a0according to a WSJ report. 
\u201cInvestigators are exploring whether the intruders gained access [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":387,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-386","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/386"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=386"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/386\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/387"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=386"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=386"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=386"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}