US hits back against China’s Salt Typhoon group

by CybrGPT

Experts welcome economic sanctions against gang believed to be behind telecom hacks, but warn tougher action is needed.

Credit: CURAphotography / Shutterstock

The US is hitting back against the threat group, dubbed Salt Typhoon by Microsoft, which is allegedly behind recent cyber attacks against American telecommunications providers, as part of a wider campaign against Chinese-based hacking.

On Friday the Department of the Treasury’s Office of Foreign Assets Control (OFAC) said it is sanctioning Sichuan Juxinhe Network Technology, a Sichuan-based cybersecurity company, for its alleged direct involvement in the Salt Typhoon cyber group.

Also being sanctioned is Yin Kecheng, a Shanghai-based cyber actor who allegedly was involved with the recent compromise of the Treasury network.

But experts warn it will take a lot more to deter this and other Chinese-aligned groups.

In a statement, John Hultquist, chief analyst at Mandiant Intelligence, said, “unfortunately, the actors behind these attacks are unlikely to be entirely deterred by these actions.”

“But,” he added, “it’s important to shed a light on their operations and add as much friction as possible. Espionage is not likely to go away anytime soon, but we can expose it and adapt. These actors are certainly focused on adapting to us.”

Canadian-based cybersecurity consultant David Swan agreed. He said, “China has been working to penetrate North American telecommunications for a long time … Is the PRC [People’s Republic of China] going to be hard to dig out? Hell yes!”

“I think it’s a good first step,” said Gabrielle Hempel, a customer solutions engineer at Exabeam who has a master’s degree in global affairs and cybersecurity and is also a first-year law student.

But, she added, “[economic] sanctions are such a gray area. In a lot of ways they are very symbolic and difficult to enforce. They show the United States is taking action. But it’s not necessarily a practical way of disrupting any of these groups. An individual, yes, it might have a lot of impact if they had US financial assets or something along those lines. But state-sponsored threat actors have so many resources and protections that really make sanctions not impactive at all.”

For example, she said, North Korean threat actors are using cryptocurrency work-arounds to get past sanctions.

“We really need to continue to work with allies and partners” with tools such as “naming and shaming” threat actors, offensive cyber tactics, criminal indictments, and targeting a group’s supportive financial or IT infrastructure, she said.

In a statement announcing the action, the Treasury Department said People’s Republic of China-linked malicious cyber actors continue to target US government systems, such as the Treasury’s IT systems, as well as sensitive US critical infrastructure.

“The Treasury Department will continue to use its authorities to hold accountable malicious cyber actors who target the American people, our companies, and the United States government, including those who have targeted the Treasury Department specifically,” Deputy Treasury Secretary Adewale Adeyemo said in the statement.

Other recent US sanctions against Chinese threat groups include:

  • action against Integrity Technology Group (Integrity Tech) for allegedly providing the computer infrastructure that the Flax Typhoon group used in its operations between the summer of 2022 and fall 2023;
  • action against Sichuan Silence Information Technology and one of its employees, Guan Tianfeng, for their alleged involvement in a 2020 global cyberattack that exploited zero-day vulnerabilities in firewalls;
  • action against Wuhan XRZ, an alleged Wuhan, China-based Ministry of State Security (MSS) front company that the US says has served as cover for multiple malicious cyber operations.

Stung by the Salt Typhoon attack, the Volt Typhoon compromise of IT networks of American communications, transportation and water utilities, and the recent Treasury hack, the US Cybersecurity and Infrastructure Security Agency (CISA) mounted a defense of its actions.

This week, Jen Easterly, CISA director, blogged that China’s “sophisticated and well-resourced cyber program represents the most serious and significant cyber threat to our nation, and in particular, US critical infrastructure.”

Easterly, who may be replaced soon by the new Trump administration amid complaints by Republicans that her agency has been more focused on countering disinformation than protecting critical infrastructure, wrote that over the past two years, CISA and industry partners have been “laser focused on deterring China’s cyber aggression, working with critical infrastructure entities across the nation to identify and evict Chinese cyber actors, whether they are focused on espionage — such as the recent ‘Salt Typhoon’ campaign against US telcos — or disruption — the ‘Volt Typhoon’ campaign designed to disrupt or destroy our most sensitive critical infrastructure.”

She added, “while PRC cyber actors have attempted to evade detection by using living off the land methods — hiding their activity within the native processes of computer operating systems — our world class team of threat hunters have detected them and assisted critical infrastructure partners in evicting them.”

According to FortiGuard Labs, Salt Typhoon, which is also known to cybersecurity companies as UNC5807 (Mandiant), Earth Estries (Trend Micro), FamousSparrow (ESET) and GhostEmperor (Kaspersky), has been operating since 2019, going after targets in a number of countries and focusing on information theft and espionage. Among its favored tactics is exploiting CVE-2021-26855, also known as ProxyLogon, a Microsoft Exchange Server vulnerability that allows an attacker to bypass authentication.

Last November, Trend Micro reported that Salt Typhoon/Earth Estries also goes after unpatched instances of Ivanti Connect Secure VPN through CVE-2023-46805 and CVE-2024-21887.

Trend Micro also discovered that this group is using a new backdoor. Dubbed GhostSpider, it was found after attacks on Southeast Asian telecom companies. It’s a sophisticated multi-modular backdoor designed with several layers to load different modules based on specific goals. This backdoor communicates with its command and control server using a custom protocol protected by Transport Layer Security (TLS), ensuring secure communication.

This Trend Micro report has lots of detail on this backdoor and on other attacks that CISOs and infosec pros may find useful.


© 2025 cybrgpt.com – All rights reserved.