Salt Typhoon, active since 2020, is an advanced persistent threat (APT) group linked to the Chinese government, reportedly operating under the Ministry of State Security (MSS). This group, also known by aliases like Ghost Emperor (Kaspersky), FamousSparrow (ESET), and UNC2286 (Mandiant), specializes in cyberespionage campaigns targeting North America and Southeast Asia.
Sophisticated Techniques
Salt Typhoon is notorious for employing a Windows kernel-mode rootkit, codenamed Demodex by Kaspersky Lab, to gain remote control over targeted systems. The group uses advanced anti-forensic and anti-analysis techniques, making it particularly hard to detect.
Notable Campaigns
- September 2024: U.S. Broadband Breach
Salt Typhoon hacked into U.S. internet service provider (ISP) networks, including Cisco-manufactured routers. This breach targeted critical internet infrastructure, impacting data flow across the nation.
- October 2024: Wiretap System Exploitation
The group exploited backdoors in ISP networks used for court-authorized wiretapping, affecting major providers like Verizon, AT&T, and T-Mobile. This intrusion reportedly exfiltrated sensitive data and raised national security concerns.
- Targeting U.S. Presidential Campaigns
Reports suggest that Salt Typhoon attempted to breach the phones of staff linked to Kamala Harris’s 2024 presidential campaign, as well as those of Donald Trump and JD Vance.
Global Reach
Beyond the U.S., Salt Typhoon has breached hotels and government agencies worldwide, showcasing its versatility in targeting both public and private sectors.
Implications
Former NSA analyst Terry Dunlap describes Salt Typhoon as part of China’s “100-Year Strategy,” reflecting its long-term ambition to dominate the cyber domain. U.S. officials have acknowledged the group as a significant threat, prompting multi-agency investigations and international cybersecurity scrutiny.
Conclusion
Salt Typhoon exemplifies the rising stakes in global cyberwarfare. With its sophisticated methodologies and wide-reaching targets, it remains a critical player in China’s cyberespionage strategy, posing an ongoing challenge to national and international security.