Salt Typhoon

Salt Typhoon, also known by aliases including Earth Estries, FamousSparrow, GhostEmperor, and UNC2286, is an advanced persistent threat (APT) group specializing in cyberespionage activities.

The Origin of Salt Typhoon

Since at least 2020, this group has executed highly sophisticated cyberespionage campaigns globally. Known for its advanced malware arsenal and exploitation of zero-day vulnerabilities, Salt Typhoon has broadened its reach to include new industries, expanded geographies, and more aggressive tactics in 2023. This APT group's arsenal and operations demonstrate a commitment to stealth, persistence, and widespread compromise.

Salt Typhoon's Targets

Countries targeted by Salt Typhoon

Since 2023, Salt Typhoon has affected over 20 organizations across the globe. Countries impacted include:

  • Asia-Pacific: Afghanistan, India, Indonesia, Malaysia, Pakistan, the Philippines, Taiwan, Thailand, and Vietnam.
  • Africa: Eswatini, South Africa.
  • Americas: Brazil, United States.

Image source: Trend Micro

Industries targeted by Salt Typhoon

Salt Typhoon now targets a wider range of industries, including technology, consulting, chemical, transportation, government agencies, and non-profit organizations, reflecting a highly opportunistic and strategic approach.

Victims targeted by Salt Typhoon

Victims typically include government agencies and tech companies involved in innovation, defense, and critical national infrastructure. The targeted organizations often face advanced lateral movement tactics once compromised.

Salt Typhoon's Attack Method

Initial Access

Compromises administrator accounts via credential theft or malware infection, then uses those accounts over SMB and Windows Management Instrumentation (WMI) to reach further hosts.

Exploits vulnerabilities in widely used, Internet-facing systems, including:

  • Ivanti Connect Secure (CVE-2023-46805, CVE-2024-21887)
  • Fortinet FortiClient EMS (CVE-2023-48788)
  • Sophos Firewall (CVE-2022-3236)
  • Microsoft Exchange (ProxyLogon vulnerabilities: CVE-2021-26855, etc.)

Privilege Escalation

Uses DLL sideloading and registry manipulation to run its tooling with SYSTEM-level privileges.

Defense Evasion

Relies on the GhostSpider backdoor together with "living-off-the-land" tactics: built-in tools such as WMIC.exe and PsExec, PowerShell downgrade attacks (forcing the PowerShell 2.0 engine, which predates AMSI and script block logging), and masquerading of malicious files as legitimate ones to bypass detection.

Credential Access

Deploys SnappyBee (also known as Deed RAT) and custom stealers such as TrillClient to harvest credentials and browser data.

Discovery

Performs domain trust discovery and network reconnaissance to map the victim environment.

Lateral Movement

Propagates across the network with SMB and WMI commands, deploying backdoors on additional machines.
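As an added example (not code from the page, Trend Micro, or Vectra AI), the following Python triages constructed Sysmon-style process-creation and image-load events for the behaviours described under Privilege Escalation, Defense Evasion and Lateral Movement: remote process creation through WMIC and PsExec, PowerShell engine downgrades and encoded commands, and a System32 DLL name loaded from an application directory (sideloading). Host names, users, paths and the DLL list are assumptions.

```python
"""Endpoint-log triage for WMI/PsExec remote execution, PowerShell downgrade or
encoded commands, and DLL sideloading. Added example over constructed
Sysmon-style events; not code or telemetry from the page or its sources."""
import re

# Constructed sample events in the shape of Sysmon Event ID 1 (process create)
# and Event ID 7 (image load). Host names, users and paths are invented.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS01", "user": "CORP\\admin01",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:"FS02" process call create "powershell -ep bypass -enc SQBFAFgA"'},
    {"id": 1, "host": "WS01", "user": "CORP\\admin01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Version 2 -NoProfile -c Get-Process"},
    {"id": 1, "host": "WS01", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"},
    {"id": 1, "host": "WS03", "user": "CORP\\admin01",
     "image": r"C:\Tools\PsExec.exe",
     "cmdline": r"PsExec.exe \\FS02 -s -d cmd /c C:\ProgramData\update.exe"},
    {"id": 7, "host": "FS02", "image": r"C:\ProgramData\Vendor\legit.exe",
     "image_loaded": r"C:\ProgramData\Vendor\version.dll", "signed": False},
    {"id": 7, "host": "FS02", "image": r"C:\Program Files\App\app.exe",
     "image_loaded": r"C:\Windows\System32\version.dll", "signed": True},
]

# Command-line patterns for the living-off-the-land behaviours on the page.
RULES = [
    ("WMI remote process creation (T1047)",
     re.compile(r"wmic(\.exe)?\s+/node:", re.I)),
    ("PowerShell engine downgrade (T1562)",
     re.compile(r"powershell(\.exe)?\b.*\s-(v|version)\s+2(\.0)?\b", re.I)),
    ("Encoded PowerShell command (T1027)",
     re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s", re.I)),
    ("PsExec remote execution over SMB (T1021.002)",
     re.compile(r"psexec(\.exe)?\s+\\\\\S+", re.I)),
]

# DLL names Windows normally resolves from System32; the same name loaded from
# the executable's own directory is the classic sideloading pattern (T1574.002).
# Illustrative list, not exhaustive.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll", "userenv.dll"}


def is_sideload(event):
    """True when a System32-resident DLL name is loaded from the process's own
    directory rather than from the Windows directory."""
    dll_dir, _, dll_name = event["image_loaded"].lower().rpartition("\\")
    proc_dir = event["image"].lower().rpartition("\\")[0]
    return (dll_name in SYSTEM_DLLS
            and dll_dir == proc_dir
            and not dll_dir.startswith("c:\\windows\\"))


def triage(events):
    """Return one finding per matched rule: {'host', 'rule', 'detail'}."""
    findings = []
    for ev in events:
        if ev["id"] == 1:
            for rule, rx in RULES:
                if rx.search(ev["cmdline"]):
                    findings.append({"host": ev["host"], "rule": rule, "detail": ev["cmdline"]})
        elif ev["id"] == 7 and is_sideload(ev):
            detail = f"{ev['image']} loaded {ev['image_loaded']} (signed={ev['signed']})"
            findings.append({"host": ev["host"], "rule": "Possible DLL sideloading (T1574.002)",
                             "detail": detail})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['host']:5} {f['rule']:45} {f['detail']}")
```

The benign inventory script on WS01 produces no finding, while the WMIC line produces two (remote process creation and an encoded command), which is the kind of stacking that should raise an event's priority in a real pipeline.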

Collection

Targets sensitive documents (e.g., PDFs) and uses SnappyBee to collect credentials and session tokens.

Execution

Runs payloads through Cobalt Strike and its custom backdoors, including Zingdoor, GhostSpider, and HemiGate.

Exfiltration

Transfers collected data to attacker-controlled servers, to public file-sharing services such as AnonFiles and File.io, and to public repositories.
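The Execution and Exfiltration stages above are visible on the network as two patterns: machine-regular outbound check-ins from a Cobalt Strike or custom backdoor (T1071), and bulk uploads to public file-sharing services (T1567). The following Python is an added example (not code from the page, Trend Micro, or Vectra AI) that looks for both in constructed Zeek-style connection records; the addresses, hostnames, thresholds and the jitter model are assumptions.

```python
"""Network-side detection of periodic beaconing and bulk uploads to public
file-sharing services. Added example over constructed connection records;
not code or telemetry from the page or its sources."""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

FILE_SHARING_DOMAINS = {"anonfiles.com", "file.io"}  # services named on the page
UPLOAD_THRESHOLD = 5 * 1024 * 1024   # bytes sent per (source, service) before alerting
MIN_CONNECTIONS = 8                  # fewer cannot establish a period
MAX_CV = 0.15                        # coefficient of variation of gaps; low = machine-like


def build_sample_log():
    """Constructed records (timestamp, src, dst, SNI host, bytes out).
    Addresses come from the RFC 5737 documentation ranges."""
    base = datetime(2024, 11, 1, 9, 0, 0)
    rows = []

    def add(src, dst, host, gaps, bytes_out):
        t = base
        for g in gaps:
            t += timedelta(seconds=g)
            rows.append({"ts": t, "src": src, "dst": dst, "host": host, "bytes_out": bytes_out})

    # Implant check-ins: roughly every 60 s with small jitter.
    add("10.0.1.15", "203.0.113.7", "", [60, 61, 59, 62, 60, 58, 61, 60, 61, 59, 60, 62], 1200)
    # Ordinary browsing: human-paced, irregular gaps.
    add("10.0.1.22", "198.51.100.5", "news.example", [5, 300, 12, 900, 40, 7, 1500, 3, 120, 60], 800)
    # Regular, but too few connections to call a beacon.
    add("10.0.1.30", "203.0.113.9", "", [60, 60, 60], 500)
    # Chunked upload to file.io from the beaconing host: three 20 MiB PUTs.
    add("10.0.1.15", "198.51.100.20", "file.io", [3600, 30, 30], 20 * 1024 * 1024)
    # A small upload to another sharing site, below the threshold.
    add("10.0.1.22", "198.51.100.21", "anonfiles.com", [5400], 200 * 1024)
    return rows


def find_beacons(rows, min_connections=MIN_CONNECTIONS, max_cv=MAX_CV):
    """Flag (src, dst) pairs whose inter-connection gaps are suspiciously regular."""
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits[pair] = {"connections": len(stamps), "period_s": round(mean), "cv": round(cv, 3)}
    return hits


def find_web_service_uploads(rows, domains=FILE_SHARING_DOMAINS, threshold=UPLOAD_THRESHOLD):
    """Sum bytes sent per (src, service) so that chunked uploads are not missed."""
    totals = defaultdict(int)
    for r in rows:
        host = r["host"].lower()
        if host in domains:
            totals[(r["src"], host)] += r["bytes_out"]
    return {k: v for k, v in totals.items() if v >= threshold}


if __name__ == "__main__":
    log = build_sample_log()
    for (src, dst), info in find_beacons(log).items():
        print(f"beacon  {src} -> {dst}  every ~{info['period_s']}s  "
              f"(n={info['connections']}, cv={info['cv']})")
    for (src, svc), total in find_web_service_uploads(log).items():
        print(f"upload  {src} -> {svc}  {total // (1024 * 1024)} MiB")
```

Both findings land on the same source host (10.0.1.15), which is the correlation an analyst wants: a periodic channel plus a large transfer to a throwaway file host. Beacons with heavy jitter or long sleeps will push the coefficient of variation above the threshold, so this is a first-pass filter, not a complete detector.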

Impact

No disruptive impact is attributed to the group; its objective is espionage. It instead concentrates on long-term persistence and on removing evidence of infection, cleaning up its existing malware after each operational round.

MITRE ATT&CK mapping: TTPs used by Salt Typhoon

TA0001 Initial Access
  • T1078 Valid Accounts
TA0002 Execution
  • T1059 Command and Scripting Interpreter
  • T1047 Windows Management Instrumentation
TA0003 Persistence
  • T1543 Create or Modify System Process
  • T1547 Boot or Logon Autostart Execution
  • T1574 Hijack Execution Flow
  • T1078 Valid Accounts
  • T1053 Scheduled Task/Job
TA0004 Privilege Escalation
  • T1134 Access Token Manipulation
  • T1543 Create or Modify System Process
  • T1547 Boot or Logon Autostart Execution
  • T1574 Hijack Execution Flow
  • T1078 Valid Accounts
  • T1053 Scheduled Task/Job
TA0005 Defense Evasion
  • T1134 Access Token Manipulation
  • T1036 Masquerading
  • T1027 Obfuscated Files or Information
  • T1070 Indicator Removal
  • T1574 Hijack Execution Flow
  • T1562 Impair Defenses
  • T1078 Valid Accounts
TA0006 Credential Access
  • T1056 Input Capture
TA0007 Discovery
  • T1482 Domain Trust Discovery
  • T1087 Account Discovery
TA0008 Lateral Movement
  • T1021 Remote Services
TA0009 Collection
  • T1113 Screen Capture
TA0010 Exfiltration
  • T1567 Exfiltration Over Web Service
TA0011 Command and Control
  • T1071 Application Layer Protocol
TA0040 Impact
  • None mapped.
How to detect Salt Typhoon with Vectra AI

List of the Detections available in the Vectra AI Platform that would indicate a cyberattack.

FAQs

What industries are most affected by Salt Typhoon?

Salt Typhoon targets technology, consulting, chemical, transportation, government, and non-profits.

What are the newest tools used by Salt Typhoon?

New additions include the GhostSpider backdoor, SnappyBee (Deed RAT), and the Demodex rootkit.

How does Salt Typhoon maintain stealth?

They use living-off-the-land techniques and advanced rootkits like Demodex.

What vulnerabilities do they exploit?

Recent exploits include vulnerabilities in Ivanti Connect Secure, Fortinet FortiClient EMS, Sophos Firewall, and Microsoft Exchange.

How does Salt Typhoon exfiltrate data?

Stolen data is uploaded to AnonFiles, File.io, or sent via encrypted emails.

Are they linked to other groups?

There are overlaps with Chinese APTs such as FamousSparrow and other government-linked entities.

How can organizations detect their activity?

Monitor for unusual PowerShell activity (including downgrades to the 2.0 engine and encoded commands), System32 DLL names loaded from application directories (sideloading), remote process creation over WMI or SMB, and the periodic outbound connections characteristic of Cobalt Strike beacons.

What is the threat to the supply chain?

Salt Typhoon exploits contractor machines to infiltrate multiple organizations through trusted supply chain relationships.

What measures mitigate attacks?

Deploy endpoint detection tools, enforce patch management, and monitor traffic for known C&C patterns.

What is the international response?

Collaborative intelligence sharing and unified strategies are essential for mitigating the growing threat.