Introduction
2024 was a whirlwind year—personally, professionally, and globally. We marveled at the spectacle of the Paris Summer Olympics, where the United States led the medal count. Sweden joined NATO in March, and we held our breath during the most intense geomagnetic storm since 1989, wondering if the backbone of the Internet would survive. The European Union implemented groundbreaking regulations for artificial intelligence, while the medical world unveiled the first mRNA-based lung cancer vaccine, offering hope for a healthier future.
Amid these events, 2024 also brought numerous noteworthy and concerning incidents, compromises, and breaches. Nation-state attacks targeted senior members of the Trump-Vance and Harris-Walz campaigns, the United States Department of the Treasury was breached by threat actors sponsored by the People’s Republic of China, and we witnessed the Change Healthcare Ransomware Attack and the Snowflake Data Breach, among others.
What makes them noteworthy is not the complexity of the exploitations and compromises but the continued trend and pattern they represent over the last two decades — in addition to what could arise in the wake of these attacks given the targets and the data that was exfiltrated by the adversary.
Narrowing down the incidents, attacks, compromises, and breaches from 2024 was challenging. However, one stood out and warranted special consideration from my perspective as an individual citizen, professional, and Chief Product Officer here at NetWitness.
Attribution is always challenging and rarely straightforward, even under the best of circumstances, and harder still in the absence of human intelligence (HUMINT). That does not mean it is impossible to arrive at, given enough time, determination, skill, tradecraft, and access to data and infrastructure. Where advanced and sophisticated threat actors are operating, and being supported by nation-states with ample resources, the ability to recognize, characterize, and ultimately qualify an adversary (individually or at the group or unit level) becomes all the more crucial to understanding their intent and agendas as they pursue their courses of action during operations and campaigns, and in the wake of them. Ideally, a deep and concrete understanding of a threat actor enables those researching, responding to, and defending against them and their kind, both in real time and in the future.
In 2024, we as a nation and an industry saw a prolific campaign carried out against several of the leading telecommunications corporations in the United States [i][ii][iii]. This campaign was conducted against select targets by a threat actor known as Salt Typhoon, the name given to it by Microsoft; the same group is tracked as Earth Estries [iv], GhostEmperor [v][vi][vii], FamousSparrow [viii], and UNC2286 by other cybersecurity research organizations. This group, and many others affiliated with it, is sponsored by the government of the People’s Republic of China (PRC) [ix] and operated by the PRC’s Ministry of State Security (MSS), which serves as both its secret police and its foreign intelligence service. This coalescence of sponsors is not new; it is, however, distinctive, and it raises many questions about the group’s agenda and about how its target selection, attacks, operations, and ultimately campaigns may prove challenging well beyond the threats and risks they pose today. Consider the advances the PRC is making in two distinct and important areas of computer science: next-generation artificial intelligence [x][xi][xii][xiii][xiv][xv][xvi] and, perhaps more concerning as a future risk, quantum computing [xvii][xviii][xix][xx][xxi][xxii].
Both of these quickly emerging areas pose a significant threat to the future states of networks, communications, privacy, and the safety and security of both individuals and nations the world over. In a forthcoming piece I will address concerns related to the advent of quantum computing and cybersecurity in particular, as the barrier to entry lessens over time. Regardless, the trends associated with PRC nation-state cyber-attacks, operations, and campaigns continue to follow historically consistent patterns of behavior: the targeting and exploitation of individuals, organizations, and governments alike in order to advance the PRC’s pursuit of economic, industrial, technological, and state dominance.
Salt Typhoon’s Associations and Known TTPs
By all accounts, Salt Typhoon is a well-structured and well-funded group with teams focusing on different regions and industry sectors (not terribly surprising, but worth noting given the impact of this adversarial group) [xxiii][xxiv], and according to threat researchers at Trend Micro, “The group…has compromised over 20 organizations, targeting various sectors including telecommunications, technology, consulting, chemical, and transportation industries, as well as government agencies and NGOs in numerous countries” [xxv].
Beyond that, we owe thanks to our friends and colleagues at Trend Micro, whose earlier research adds detail to the victimology: some twenty victims identified across a broad swath of industry verticals, the telecommunications industry among them. Those verticals include [xxvi]:
- Technology
- Consulting
- Chemical
- Transportation
- Government agencies
- Non-governmental organizations (NGOs)
And, according to the Trend team, the victims of Salt Typhoon can be found in the following countries [xxvii]:
- Afghanistan
- Brazil
- Eswatini
- India
- Indonesia
- Malaysia
- Pakistan
- The Philippines
- South Africa
- Taiwan
- Thailand
- US
- Vietnam
It should be noted, however, that Salt Typhoon was likely first detected within United States government infrastructure, which led DHS’s CISA to notify law enforcement and set the investigation in motion [xxviii][xxix]. And though our friends at Trend Micro are confident in what they are seeing in terms of the volume and scope of victimology, there is some debate about the total number of telecommunications corporations impacted, in addition to the broader victim count. For more information on that, check out the data at this link. Several individuals were also targeted: private citizens (although some would argue that they are both private and public figures) involved in government and politics, including senior members of the Trump-Vance and Harris-Walz campaigns. Though we do not know the full gravity of this exploitation today, we can assume that it will matter, and potentially prove prolific, in future efforts carried forward by this group and its affiliates.
Salt Typhoon, as many threat actors are prone to do, leverages a wide array of tools and techniques, too many to list here in full. Many of these tools are well known throughout the threat research and intelligence community and the greater cybersecurity industry, while others are not. I thought it would be useful to share them here to help individuals and organizations be better prepared and informed about the threat actor and its wares. Among them are various forms of malicious code, vulnerabilities (both disclosed and zero-day) selected for exploitation, and tools spanning a variety of uses:
Malware
- GhostSpider (backdoor)
- Masol RAT (Linux backdoor)
- Demodex (rootkit)
- SnappyBee (modular backdoor)
- SparrowDoor (loader and backdoor)
- Zingdoor (backdoor)
- Derusbi (DLL-based backdoor)
- Motnug (shellcode loader)
- CROSSWALK (backdoor)
Vulnerabilities Exploited
- CVE-2023-46805 (Ivanti Connect Secure VPN)
- CVE-2024-21887 (Ivanti Connect Secure VPN)
- CVE-2023-48788 (Fortinet FortiClient EMS)
- CVE-2022-3236 (Sophos Firewall)
- CVE-2021-26855 (Microsoft Exchange – ProxyLogon)
- CVE-2021-26857 (Microsoft Exchange – ProxyLogon)
- CVE-2021-26858 (Microsoft Exchange – ProxyLogon)
- CVE-2021-27065 (Microsoft Exchange – ProxyLogon)
Additional Tools and Techniques
- DLL side-loading
- Living-off-the-land tactics (using legitimate tools like WMIC.exe and PsExec)
- PowerShell downgrade attacks
- NBTscan (network scanning tool)
- PsExec, PsList, and ProcDump (Sysinternals tools)
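The living-off-the-land and Sysinternals tradecraft in the list above is the part of this toolset a defender can act on directly, because it shows up in ordinary endpoint telemetry. What follows is an added example, not code from the original post or from any vendor named in it: a small Python rule set run over constructed process-creation and image-load records shaped like Sysmon Event ID 1 and 7 fields. The rules, the event fields, the ATT&CK mapping, the side-loading DLL list and the sample records are all assumptions made for illustration; the DLL side-loading heuristic in particular is a generic detection shape, not a Salt Typhoon-specific indicator. One design point worth noting: the tool matching checks the PE OriginalFileName as well as the on-disk name, so a renamed ProcDump (dropped here as pd.exe) is still caught.

```python
"""Detection rules for the living-off-the-land and Sysinternals tradecraft listed above.
Input records are constructed for this example in the shape of Sysmon fields
(Event ID 1 = process creation, Event ID 7 = image load); they are not real telemetry."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Event:
    event_id: int
    host: str
    image: str                    # path of the process (EID 1) or of the loading process (EID 7)
    command_line: str = ""
    parent_image: str = ""
    original_file_name: str = ""  # OriginalFileName from the PE header; survives renaming on disk
    image_loaded: str = ""        # DLL path, populated only for image-load (EID 7) events


@dataclass
class Finding:
    rule: str
    attack_id: str                # MITRE ATT&CK technique (mapping assumed for this example)
    host: str
    evidence: str


def tool_name(path: str) -> str:
    """Lower-cased file name without a trailing .exe, e.g. C:\\Temp\\PD.exe -> 'pd'."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return re.sub(r"\.exe$", "", name)


def is_tool(ev: Event, names: set) -> bool:
    """Match the on-disk name OR the PE OriginalFileName, so a renamed copy is still caught."""
    return tool_name(ev.image) in names or tool_name(ev.original_file_name) in names


# "-v 2", "-Version 2", "-version 2.0": the v2 engine lacks script block logging and AMSI hooks.
PS_DOWNGRADE = re.compile(r"(?i)(?:^|\s)-v(?:ersion)?\s+2(?:\.0)?(?=\s|$)")
# WMIC remote execution: /node:<target> ... process call create <command>
WMIC_REMOTE = re.compile(r"(?i)/node:\S+.*\bprocess\s+call\s+create\b")
LSASS = re.compile(r"(?i)\blsass\b")
# System DLL names that signed binaries load by name and that are therefore commonly planted
# next to a relocated copy of such a binary (assumed list for the example, not exhaustive).
SIDELOAD_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "winmm.dll"}


def r_ps_downgrade(ev: Event) -> Optional[str]:
    if ev.event_id == 1 and is_tool(ev, {"powershell"}) and PS_DOWNGRADE.search(ev.command_line):
        return ev.command_line
    return None


def r_wmic_remote(ev: Event) -> Optional[str]:
    if ev.event_id == 1 and is_tool(ev, {"wmic"}) and WMIC_REMOTE.search(ev.command_line):
        return ev.command_line
    return None


def r_psexec(ev: Event) -> Optional[str]:
    # Client side (PsExec.exe / PsExec64.exe) or the service it drops on the target (PSEXESVC.exe).
    if ev.event_id == 1 and is_tool(ev, {"psexec", "psexec64", "psexesvc"}):
        return f"{ev.image} (parent: {ev.parent_image or 'unknown'})"
    return None


def r_nbtscan(ev: Event) -> Optional[str]:
    if ev.event_id == 1 and (is_tool(ev, {"nbtscan"}) or "nbtscan" in ev.command_line.lower()):
        return ev.command_line
    return None


def r_procdump_lsass(ev: Event) -> Optional[str]:
    if ev.event_id == 1 and is_tool(ev, {"procdump", "procdump64"}) and LSASS.search(ev.command_line):
        return ev.command_line
    return None


def r_dll_sideload(ev: Event) -> Optional[str]:
    # Heuristic: a DLL carrying a Windows system library name loaded from outside %SystemRoot%.
    loaded = ev.image_loaded.lower()
    if ev.event_id == 7 and tool_name(loaded) in SIDELOAD_DLLS and not loaded.startswith("c:\\windows\\"):
        return f"{ev.image} loaded {ev.image_loaded}"
    return None


RULES = [
    ("PowerShell v2 engine downgrade", "T1059.001", r_ps_downgrade),
    ("WMIC remote process creation", "T1047", r_wmic_remote),
    ("PsExec service execution", "T1569.002", r_psexec),
    ("NBTscan network discovery", "T1046", r_nbtscan),
    ("ProcDump against LSASS", "T1003.001", r_procdump_lsass),
    ("DLL side-loading from non-system path", "T1574.002", r_dll_sideload),
]


def analyze(events: List[Event]) -> List[Finding]:
    findings = []
    for ev in events:
        for name, attack_id, rule in RULES:
            evidence = rule(ev)
            if evidence:
                findings.append(Finding(name, attack_id, ev.host, evidence))
    return findings


SAMPLE_EVENTS = [  # constructed for this example
    Event(1, "ws01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -NoProfile -Version 2 -EncodedCommand SQBFAFgA", original_file_name="PowerShell.EXE"),
    Event(1, "ws01", r"C:\Windows\System32\wbem\WMIC.exe",
          r'WMIC.exe /node:"10.10.20.15" /user:corp\svc_backup process call create "cmd.exe /c whoami"'),
    Event(1, "srv02", r"C:\Windows\PSEXESVC.exe", r"C:\Windows\PSEXESVC.exe",
          parent_image=r"C:\Windows\System32\services.exe"),
    Event(1, "ws01", r"C:\Users\Public\nbtscan.exe", "nbtscan.exe -r 10.10.20.0/24"),
    Event(1, "srv02", r"C:\Temp\pd.exe", r"pd.exe -accepteula -ma lsass.exe C:\Temp\out.dmp",
          original_file_name="procdump"),                   # renamed ProcDump, caught via OriginalFileName
    Event(1, "ws01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -NoProfile -Command Get-Date"),   # benign: no rule fires
    Event(7, "ws01", r"C:\Users\Public\Tools\update.exe", image_loaded=r"C:\Users\Public\Tools\version.dll"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.attack_id}] {f.rule} on {f.host}: {f.evidence}")
```

Run as a script it prints six findings for the seven constructed records and stays silent on the benign PowerShell invocation. Two caveats a practitioner would add: command-line regexes are bypassable (argument obfuscation, script files instead of inline commands), so the downgrade rule should be paired with the Windows PowerShell operational log, where an engine start with EngineVersion 2.0 (event 400) is the authoritative signal; and the side-loading heuristic needs an allowlist for legitimately relocated software before it is useful in production.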
Impact and Consequence
The impact of the operations and campaigns led and executed by Salt Typhoon has yet to be fully realized or understood. Is this the worst breach in the history of the United States, its government, and its industries, as some have suggested? That remains to be seen. What needs to be acknowledged, accepted, and understood is that we simply do not know how badly off we are as a result of Salt Typhoon’s actions. We do know that the degree of impact and significance is great; just how great remains to be seen. The history of the breaches conducted by the Salt Typhoon group, specifically those discussed up to this point relating to the telecommunications industry, gives us more than a little idea of how troubling and serious the matter is. Take, for instance, the nature of the exploitation and compromises.
Salt Typhoon exploited and compromised core network components commonly found throughout telecommunications organizations, including technologies produced by Fortinet and core internetworking equipment manufactured by companies like Cisco Systems. These devices included routers, switches, and firewalls [xxx][xxxi]. These compromises afforded the threat actors operating within Salt Typhoon an unprecedented level of access to the telecommunications networks and organizations in which the devices were deployed, resulting in a rich and fertile ecosystem for long-term, large-scale data collection, surveillance, and exfiltration. Many of the targeted systems were used to service CALEA (Communications Assistance for Law Enforcement Act) requests [xxxii][xxxiii], enabling the threat actors to access telephony call metadata, text messages, and, in some instances, audio recordings of high-profile individuals. This persistent and unfettered access gave the threat actors the opportunity to lie in wait, doing what they were chartered and charged to do: observe, collect, persist, advance, exfiltrate, and report. This activity did not occur overnight; it is the result of a long-term strategy conducted over a number of years. By most accounts, the threat actor had been in an active operational state, targeting and exploiting the victims in question, since 2022.
While the total impact and net effect of these breaches has yet to be fully realized, several plausible outcomes are being considered. Among them is a report led by the United States GAO that would assess the total costs of administering a far-reaching and unprecedented operation in which enormous portions of the at-risk and/or compromised telecommunications infrastructure affected by the Salt Typhoon group would simply be ripped out and replaced with new equipment [xxxiv].
I will be honest: I cannot even fathom the total costs associated with an outcome such as this and yet in the same breath, if this is being seriously considered within the GAO, then the need for such action must be both warranted and non-negotiable. This should be both sobering and alarming to all of us — irrespective of whether or not one works in the cybersecurity industry.
What Can We Take Away From Salt Typhoon’s Activities?
Surf’s Up: Lessons and Takeaways
The Salt Typhoon breach of 2024 is a stark reminder of the evolving and persistent threats posed by nation-state actors – threats that have never subsided nor stopped, regardless of what may have superseded them in the news cycle. The activities associated with the nation-state-sponsored actors operating within this group further underscore the need for robust, well-defined and curated cybersecurity measures (forward-thinking strategy – left of bang, compensating controls, proactive defense, and thoughtful organizational self-scrutiny) and the importance of continuous vigilance in protecting sensitive and/or high-value targets including information, infrastructure, and human beings alike.
Key Takeaways:
- Nation-State Threats Are Persistent and Sophisticated: The Salt Typhoon attack highlights the advanced capabilities of nation-state actors, particularly those sponsored by the People’s Republic of China and comparable nations, rogue states, and their proxies. These groups are well-funded, highly organized, and capable of executing complex, multi-faceted attacks. This is not a new phenomenon, but it is a common one that has yet to be fully recognized, acknowledged, and met with the appropriate level of response at the national and commercial levels.
- Importance of Comprehensive Security Measures: Organizations must implement comprehensive security measures, including advanced threat detection, intrusion prevention systems, and regular security audits, ensuring that their postures are well protected, secured, and understood so that risk can be gauged and assessed for the whole property and for the parts (people, data, assets, etc.) that comprise their “critical assets.” The use of sophisticated tools and techniques by Salt Typhoon demonstrates the necessity of staying ahead of potential threats; though advances in defensive technology arrive regularly, the battle often swings in favor of the adversary.
- Vulnerability Management Is Crucial: Salt Typhoon exploited both disclosed and zero-day vulnerabilities, emphasizing the importance of timely patch management and vulnerability assessments. Organizations must prioritize identifying and remedying vulnerabilities to mitigate the risk of exploitation.
- Supply Chain and Third-Party Risks: The breach also highlights the risks associated with third-party and supply chain attacks. Organizations must ensure their partners and suppliers adhere to stringent security standards to prevent indirect compromises. These measures should cover not only SBOMs, software packages, tools, and appliances, regularly and deeply assessed for vulnerabilities and for the potential for exploitation and compromise, but also the Internet infrastructure that threat actors regularly misuse and abuse, including IP addresses (v4 and v6) and DNS.
- Data Protection and Privacy: The access to telephony call metadata, text messages, and audio recordings of high-profile individuals underscores the need for robust data protection and privacy measures. The results have yet to be fully understood or realized. As a result, those assets compromised – including the parties to whom they belonged, may remain in jeopardy. Organizations must implement strong encryption, access controls, and monitoring to safeguard sensitive information during compromise and exfiltration.
- Continuous Learning and Adaptation: The Internet threat landscape is constantly evolving, adapting to new and novel innovations and uses of the underlying technologies that have made it, rightly or wrongly, a reality. Threat actors continue to morph, adjusting both to technological innovations devised to thwart their activity and to changes in human behavior conceived to reduce the likelihood that an individual will be targeted, exploited, and compromised to advance a threat actor’s agenda. Now more than perhaps ever before, organizations must continuously learn from past incidents, compromises, and breaches, in the same way tacticians and strategists study historical and sociopolitical texts on warfare and its tradecraft, in order to both improve their defenses and strengthen their offensive strategies. Studying breaches such as those conducted by groups like Salt Typhoon provides valuable insight into emerging threats and effective countermeasures and ought not to be trivialized or ignored.
Recommendations for Organizations Who May Be Concerned or Targeted:
- Enhance Threat Intelligence Capabilities: Invest in threat intelligence-aware and -powered technologies, and in in-house or retained subject matter expertise, to address deficiencies within the organization’s program, staff, and/or cybersecurity teams. Sharing threat intelligence with industry peers also helps build a collective defense, and it ought not to be dismissed as a risk, as some organizations historically have viewed it.
- Avoid the temptation of the echo chamber and invest in relationships with organizations such as the Information Sharing and Analysis Center (ISAC) for your organization’s industry: ISACs provide a centralized resource for gathering information on cyber and related threats to critical infrastructure across multiple disciplines, industry verticals, and sectors, including government.
ISACs facilitate information sharing between the private and public sectors to enhance the security and resilience of critical infrastructure. Their value cannot be stressed enough in combating and defending against groups like Salt Typhoon and their peers. The following is a list of key functions of ISACs. Take these into consideration if and when the time comes for your organization to consider participating if it is not doing so already:
Key Functions of ISACs:
- Information Collection and Curation: ISACs collect data on cyber threats, vulnerabilities, and incidents from various sources including — public and private alike.
- Assessment and Analysis: ISACs analyze the collected information to identify trends, patterns, and potential threats observed in the Internet threat landscape targeting the organizational archetypes associated with the ISAC in question. In doing so, they afford their members the opportunity to address known and emerging threats, and the actors behind them, collaboratively and pre-emptively.
- Dissemination /Distribution and Sharing: ISACs disseminate actionable threat information to their members, helping them mitigate risks and improve their security posture.
- Collaboration Feedback and a Self-Perpetuating Cycle: They foster cooperation and communication among members, promoting a collective defense approach.
ISACs are industry-specific and cater to various sectors, including finance, healthcare, energy, and transportation, and continue to grow in prominence. Some examples include the Financial Services ISAC (FS-ISAC), the Health ISAC (H-ISAC), and the Multi-State ISAC (MS-ISAC) for state, local, tribal, and territorial governments.
Further Guidance and Considerations
- Conduct Regular Security Training: Provide ongoing cybersecurity training for employees to raise awareness about modern threats, threat actors, attack types common to them in addition to their patterns of behavior as it relates to targeting, exploitation, and compromise. An informed workforce is a critical line of defense and does better on any given Monday morning in thwarting attempts by motivated threat actors than one might otherwise give them credit for.
- Strengthen Incident Response Plans: Stressing the importance of well-structured incident response plans in order to ensure sound, swift, and meaningful response to incidents in 2025 likely sounds silly. Yet here I am stressing it once more. However, if these plans are not assessed using pre-planned full-knowledge and zero-knowledge exercises designed to evaluate and push your blue teams to their limits while fostering red teams with opportunities to push the boundaries, then they are only as valuable as the paper they are printed on. The strength in these plans lies in the ability of the organization to validate them — do not squander these opportunities!
- Invest in Advanced Security Technologies: Utilize advanced security technologies such as next-generation network defense and response powered by bespoke threat intelligence and complemented by AI (classical and generative, in addition to ML and more) to detect and respond to threats in real time with higher accuracy, fidelity, and consistency. Sufficiently advanced cybersecurity technologies allow organizations to detect the anomalous and the obvious alike, yielding a keener understanding of incidents and breaches and of threat actors’ patterns of behavior, including data exfiltration, and leaving users and organizations better equipped and empowered.
- Collaborate with Industry Partners: I cannot stress enough the importance of engagement in information sharing and collaboration with industry partners, government agencies, and cybersecurity organizations. It may not always be easy, but the benefits outweigh any costs and efforts, provided that thoughtful guidelines and protocols are observed within the organization and in its practical approach to sharing and collaborating in this way. Collective efforts can enhance overall security posture and resilience against sophisticated attacks.
Closing Thoughts
The Salt Typhoon breach is a powerful reminder to me of the ongoing challenges in cybersecurity – many of which are unnervingly familiar and, in many ways, no different than they were a decade or more ago. However, all things change. And to sit idly by believing that this will remain the case would be absurd at best and irresponsible at worst. Continuous improvement, vigilance, and a proactive approach to security are essential in safeguarding our digital world.
In his play, Henry V, William Shakespeare had his main character, King Henry V, give a powerful and inspiring speech to his troops (one might say it was the sort of speech that stirs the soul in those moments when the soul requires stirring more than ever). King Henry V famously said to his fellows and troops before launching an attack on the City of Harfleur during the Hundred Years War, “Once more unto the breach, dear friends, once more.”
This single sentence has become synonymous with calls to action, beseeching people to face challenges and the unknown with heart, courage, determination, and a sense of valor. It is often seen as a means to inspire people not on the traditional battlefield during times of trouble, hardship, and despair. This time is no different. So, I say, “Once more unto the breach, dear friends!”.
Sources
[ii] https://apnews.com/article/united-states-china-hacking-espionage-c5351ef7c2207785b76c8c62cde6c513
[iii] https://www.securityweek.com/chinas-salt-typhoon-hacked-att-verizon-report/
[iv] https://www.trendmicro.com/en_us/research/24/k/earth-estries.html
[v] https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/
[vii] https://malpedia.caad.fkie.fraunhofer.de/actor/ghostemperor
[ix] https://techcrunch.com/2025/01/10/meet-the-chinese-typhoon-hackers-preparing-for-war/
[xii] https://itif.org/publications/2024/08/26/how-innovative-is-china-in-ai/
[xv] https://www.uscc.gov/sites/default/files/2022-11/Chapter_3_Section_2–Chinas_Cyber_Capabilities.pdf
[xvi] https://www.bankinfosecurity.com/experts-probe-ai-risks-around-malicious-use-china-influence-a-23032
[xxii] https://www.yalejournal.org/publications/chinas-quantum-ambitions
[xxiv] https://therecord.media/china-salt-typhoon-targets-southeast-asia-telecom
[xxv] https://www.trendmicro.com/en_us/research/24/k/earth-estries.html
[xxvi] https://www.trendmicro.com/en_us/research/24/k/earth-estries.html
[xxvii] https://www.trendmicro.com/en_us/research/24/k/earth-estries.html