China's Salt Typhoon Cooks Up Cyberattacks on US ISPs

The state-sponsored advanced persistent threat (APT) is going after high-value communications service provider networks in the US, potentially with a dual set of goals.

September 25, 2024

A freshly discovered advanced persistent threat (APT) dubbed Salt Typhoon has reportedly infiltrated Internet service provider (ISP) networks in the US, looking to steal information and potentially set up a launchpad for disruptive attacks.

Citing people familiar with the matter, the Wall Street Journal broke the news on Sept. 25 that the Chinese-sponsored state hackers have successfully targeted a handful of cable and broadband service providers during the campaign.

Other details are scant, but Salt Typhoon's efforts highlight China's priorities when it comes to geopolitical realities, researchers note.

For instance, a position within the service provider network would offer valuable reconnaissance for how to further target high-value marks working for the federal government, law enforcement, manufacturers, military contractors, and Fortune 100 companies.

"Obtaining access to ISPs would make it easier to survey those users of the ISPs for information on their location and what kinds of services are being accessed," says Sean McNee, vice president of research and data at DomainTools. "Bad actors could get information about the ISPs' users: where they live and billing information, and what kind of access or usage they have, who they call and text messages."

But the concern doesn't stop there. Given China's desire to control Taiwan and other assets in the region, there's very likely a military component to the campaign as well.

"Based on the recent history of Chinese-sponsored cyber campaigns and warnings from the Cybersecurity and Infrastructure Security Agency and FBI, China has escalated from surveillance-only goals toward installing an offensive capability to disrupt critical US civilian and military infrastructure," warns Sean Deuby, principal technologist at Semperis. "This could potentially range from 'blinking the lights' to dissuade US intervention, to actively delaying or crippling a US response to Chinese activities."

There's precedent for that assessment: Microsoft outed Volt Typhoon in January and its alarming efforts to plant itself inside military bases, critical infrastructure assets, and telecom infrastructure, all with the goal of being able to cause outages, disrupt communications, and sow panic in the event of a kinetic conflict with the US in the South China Sea. Since then, China has denied the allegations, while the APT has been actively expanding its efforts despite its cover being blown.

The development is the latest in a string of Chinese-sponsored efforts to subvert critical infrastructure in the US and destabilize Pacific Rim allies, many flagged by Microsoft using hurricane-related names.

For instance, a Chinese threat actor known as Flax Typhoon emerged a year ago, using legitimate tools and utilities built into the Windows operating system to carry out an extremely stealthy and persistent spy operation against entities in Taiwan. Last week, news emerged that the APT had built a 200,000-device Internet of Things (IoT) botnet in order to gain a foothold in government, military, and critical manufacturing targets in the US.

There's also the APT that Microsoft calls Brass Typhoon (aka APT41, Earth Baxia, and Wicked Panda), which recently attacked Taiwanese government agencies, Filipino and Japanese military, and energy companies in Vietnam, installing backdoors for cyberespionage purposes.

On top of that, other China-linked groups, such as Mustang Panda, have made a name for themselves in specifically targeting communications service providers, especially in Taiwan and other countries of interest.

"Chinese-backed threat actors have been conducting attacks against telcos for as long as I can remember," Semperis' Deuby says. "Historically, their goals are to create persistence in the carrier. By that I mean they will infiltrate a target, gain a foothold, and then move laterally with the goal of maintaining persistence and extracting data from strategic targets as needed."

He adds that lurking and listening is a specialty: While Chinese government actors were behind the infamous Operation Soft Cell campaign in 2019, where the threat actor stole call data records, they had infiltrated some of the telcos more than five years before being discovered.

The ongoing targeting of communications infrastructure should put carriers and service providers on notice to harden their defenses.

Aside from phishing and social engineering of employees, Terry Dunlap, chief security strategist at NetRise, notes that firmware and supply chain attacks using core network gear could both be attack avenues against ISPs.

"ISPs' blind spots are the firmware running their devices. Most firmware contains insecure or sloppy code that can be easily exploited if discovered," he notes. "Another attack vector would be the supply chain. For example, if the Ethernet controller in a router or switch is supplied by a Chinese company, there are scenarios where malicious code or backdoors could be integrated into that Ethernet controller, providing an adversary easy access to that important piece of networking equipment."

In 2020, the World Economic Forum and its global partners developed a set of best practices for ISPs (PDF), including principles such as sharing threat intelligence between peers, working more closely with hardware manufacturers to increase minimum levels of security, and improving routing security, Deuby says.

"Still, as someone that's talked to many organizations about the well-understood security steps they should be taking versus their actual security posture, I'm sure plenty of gaps remain."

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20 years of experience as a journalist, analyst, and editor in the cybersecurity, communications, and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing) as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a BA from Columbia University, lives in Western Massachusetts with her family, and is on a never-ending quest for good Mexican food in the Northeast.