Imagine that, as you read this blog, you are being silently monitored, and the next moment, without a sound or an alert, your data is gone. Salt Typhoon was similar, but on a scale larger than we can imagine. Chinese hackers silently observed the activities of numerous users in the USA, among them high-profile state officials and government workers, leaving them in a critical position. It was an unmatched incident of cyber espionage against the US telecommunications sector.
Cyber Espionage – An Art of Data Theft
Cyber espionage can be described as online spying. It is a serious type of cyber-attack that compromises sensitive and confidential data. Intruders or unauthorized users who gain access to this data can use it against the individual. At the state level, cyber espionage is even more detrimental because it compromises the state's classified data, which can then be used against the state for economic gain or political reasons.
Cyber espionage is categorized as an advanced persistent threat (APT). In these campaigns, an intruder silently maintains a presence in the network, which allows them to monitor the user's activity and steal the user's intellectual property. An APT attack is unlike traditional malware or spear phishing; it requires a great degree of sophistication and meticulous planning.
Salt Typhoon was an attack on the US telecommunications sector that is alleged to have been sponsored by the Chinese government. However, there have been well-planned state-sponsored attacks in the past as well; some of the notable ones include:
- A Chinese hacker group, Weaver Ant, infiltrated the telecommunications network of an Asian firm. They created a hidden internal network and disabled key security systems, which allowed them to operate without triggering any alarm. The group stole important data, including configuration files, user credentials, and access logs. The attack was mainly directed at the company's information.
- Red Curl is a hacking group known for cyber espionage activities. However, there has been a recent shift in its strategy: Red Curl started using ransomware to encrypt websites. Targeted victims would receive emails with images and attachments containing malware used to access their data.
- APT 28, or Fancy Bear, was accused by the French cybersecurity agency of launching 12 cyberattacks in 2021-2024. The attacks aimed to gather intelligence from national and organizational databases.
- Konni, or Opal Sleet, is a North Korean state-backed group that targeted Ukraine to gain insight into military strategies during the Russia-Ukraine war. The attackers disguised themselves as researchers from various think tanks and sent phishing emails that included malware-laden files.
What is Salt Typhoon?
In 2022, a Chinese-sponsored cyber espionage group, Salt Typhoon, infiltrated the telecommunications network of the US. Salt Typhoon has a history of operating under other names, including GhostEmperor, FamousSparrow, and UNC2286. The group uses advanced techniques to quietly infiltrate networks and steal sensitive data over the long term.
The Chinese hackers targeted at least 8 telecommunications firms in the US and other countries, gaining access to user data. Even though officials believe that the data has not been compromised, data theft on such a scale is a national concern. Because it involved the communication data of high-ranking officials and government institutions, the attack quickly gained attention.
Understanding How Salt Typhoon Operates
Salt Typhoon operates by exploiting zero-day vulnerabilities in a system. Zero-day vulnerabilities are gaps and loopholes in a system that its developers have overlooked, so no fix is yet available for them. After identifying these loopholes, Salt Typhoon easily infiltrates systems regardless of advanced firewalls or security infrastructure.
After entering the system, Salt Typhoon moves laterally within the internal network. This involves stealing credentials, gaining administrative rights, and using compromised systems to move further through the network. It often goes undetected because lateral movement generates East-West traffic (between internal hosts), whereas standard security monitoring concentrates on North-South traffic (crossing the network perimeter).
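As an added illustration of the East-West blind spot described above (example code written for this article, not from the original post or any Salt Typhoon investigation): a small flow-log triage script that labels each flow North-South or East-West, treating the RFC 1918 ranges as "internal", and then flags any internal host fanning out to several internal peers on administrative ports. The log format, sample flows, and port list are constructed assumptions.

```python
"""Classify flows as North-South or East-West and flag lateral-movement fan-out.
Constructed log format for this example: "<time> <src_ip> <dst_ip> <dst_port> <bytes>"
"""
import ipaddress
from collections import defaultdict

# RFC 1918 ranges stand in for "inside the perimeter"; adjust to the real address plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ports commonly used for remote administration: SSH, RPC, SMB, RDP, WinRM (assumed list).
ADMIN_PORTS = {22, 135, 445, 3389, 5985, 5986}

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def direction(src: str, dst: str) -> str:
    """East-West when both endpoints are internal, otherwise North-South."""
    return "east-west" if is_internal(src) and is_internal(dst) else "north-south"

def parse_flow(line: str) -> dict:
    ts, src, dst, dport, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)}

def flag_lateral_movement(lines, min_peers: int = 3) -> dict:
    """Internal sources that reached >= min_peers distinct internal hosts on admin
    ports. This fan-out is exactly what a perimeter-only (North-South) monitor misses."""
    peers = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        if direction(f["src"], f["dst"]) == "east-west" and f["dport"] in ADMIN_PORTS:
            peers[f["src"]].add(f["dst"])
    return {src: sorted(dsts) for src, dsts in peers.items() if len(dsts) >= min_peers}

# Constructed sample flows: 10.1.1.50 fans out internally; the other hosts look normal.
SAMPLE_FLOWS = [
    "09:00:01 10.1.1.60 203.0.113.10 443 5120",   # North-South web traffic
    "09:00:05 10.1.1.50 10.1.2.10 445 2048",
    "09:00:09 10.1.1.50 10.1.2.11 445 2048",
    "09:00:14 10.1.1.50 10.1.3.5 3389 8192",
    "09:00:20 10.1.1.50 10.1.4.20 5985 4096",
    "09:00:25 10.1.1.60 10.1.2.10 445 1024",      # a single file-server hit is normal
    "09:00:30 10.1.9.9 203.0.113.10 443 900",
]

if __name__ == "__main__":
    for src, dsts in flag_lateral_movement(SAMPLE_FLOWS).items():
        print(f"possible lateral movement from {src} -> {', '.join(dsts)}")
```

In a real deployment the flows would come from internal switch or host telemetry (NetFlow, Zeek, EDR), since perimeter devices never see East-West traffic at all.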
After stealing the data, the hackers encrypt it. Encryption makes suspicious activity difficult to spot because it acts as a mask over the content being stolen, so the hackers easily pass through security tools that cannot decrypt traffic in order to analyze it. The sensitive data is then transferred to external servers or to the sponsors of the attack.
However, the operations do not stop there. Salt Typhoon has developed sophisticated persistence mechanisms that allow it to re-enter the system. These include backdoors that let the hackers regain access, rootkits that hide their presence on the compromised hosts, and mechanisms that allow re-entry even after system updates and reboots.
The primary targets of these hackers were high-ranking officials and government institutions; the aim was to gain access to classified data. It took 3 years for experts to detect the Salt Typhoon attackers.
How to counter the attack?
Traditional security detection tools failed to detect the attacks because of their sophisticated nature. The only measure that can be implemented against them is Zero Trust security. Zero Trust security operates by authenticating and authorizing every user that enters the system, whether from inside or outside the organization. A user is authenticated at every stage of digital interaction, leaving little room for penetration.
Moreover, it was discovered that the hackers used loopholes in the systems to swiftly bypass the companies' firewalls. States should first focus on patching those zero-day vulnerabilities to secure state networks.
Conclusion
The case of Salt Typhoon was a wake-up call to the world. If a highly developed country like the US can suffer such a detrimental attack, so can others. The best practice is to adopt safety measures like Zero Trust security to ensure secure digital networks. Moreover, run thorough checks to identify loopholes in the system that could help intruders and hackers. Comprehensive cybersecurity campaigns should be organized to spread awareness among the public. Will you participate in such campaigns? Let us know below.