The Chinese threat actor Salt Typhoon has been conducting espionage campaigns against high-value government and telecommunications organizations for years. It recently added a new backdoor to its toolkit: a piece of malware named GhostSpider.
Salt Typhoon, also tracked as Earth Estries, FamousSparrow, GhostEmperor, and UNC2286, is one of the most capable advanced persistent threat (APT) groups operating out of the People's Republic of China. Since 2023 it has infiltrated more than 20 high-profile organizations worldwide, and its intrusions are sophisticated enough that they often remain undetected for years. Most recently, Salt Typhoon has been actively targeting US telecommunications companies such as T-Mobile USA, as well as Internet service providers in North America.
The Collection of Malware Used by Salt Typhoon
According to a recent analysis by Trend Micro, once Earth Estries gains access to a targeted network it can deploy any one of a diverse and potent set of payloads, and the group keeps expanding that set.
Among them are the Masol RAT, a cross-platform tool used against Linux servers belonging to Southeast Asian governments, and the modular SnappyBee (also known as Deed RAT). The newest addition, GhostSpider, is an extensively modular backdoor that can be tailored to a specific attack scenario, according to Jon Clay, Trend Micro's vice president of threat intelligence.
“I can activate a specific module to perform one task, and it does only that. If I require something different, I activate another module. This approach makes it significantly harder for defenders and researchers to distinguish between them,” Clay explains, as each instance of GhostSpider could appear completely distinct from the others.
In addition to its backdoors, the group also has a rootkit named Demodex. Trend Micro has speculated that they might have utilized Inc ransomware in certain operations as well.
The variety in Salt Typhoon's malware may be a product of how the group is organized. Researchers describe it as a well-structured entity made up of distinct, specialized teams; for instance, separate "infrastructure teams" are responsible for managing different backdoors. Because individual teams focus on particular geographic regions and industries, the tactics, techniques, and procedures (TTPs) seen in its attacks can differ greatly, which is part of what has made the Chinese APT so difficult to track over time. "They excel at gaining access, maintaining persistence, covering their tracks," says Clay, underscoring how thoroughly the group erases evidence of its presence once an operation is concluded.
How Estries Gains Entry
Since 2020, Earth Estries has been carrying out prolonged espionage attacks against governments and other targets. Around mid-2022, however, its approach changed abruptly.
“In the past, their focus was heavily on phishing employees,” Clay remembers. “These days, they’re shifting to targeting Internet-facing devices by exploiting n-day vulnerabilities and looking for any open ports, protocols, or applications they can use to gain access.”
The term "n-day" refers to newly disclosed vulnerabilities that organizations may not yet have had the opportunity to patch. This group tends to favor particularly risky, though now well-documented, exploits such as:
- CVE-2024-48788, a SQL injection vulnerability in the Fortinet Enterprise Management Server (EMS)
- CVE-2022-3236, a code injection vulnerability in Sophos Firewalls
- CVE-2023-46805 and CVE-2024-21887, which when chained together enable privileged arbitrary command execution in Ivanti's Connect Secure VPN
- ProxyLogon, a chain of four vulnerabilities in Microsoft Exchange
“We’re observing this trend everywhere,” Clay points out. “While emails remain a significant method for gaining access to organizations, they previously accounted for over 80% of cases. Now, I believe the percentage of attacks starting with phishing campaigns has significantly decreased.”
Chinese Island Hopping to Gov’t Cyberattack Victims
Salt Typhoon frequently avoids exploiting vulnerabilities in its ultimate target's network directly, choosing instead to reach that target indirectly through other organizations.
Since 2023 it has hit victims on at least four continents, in countries as varied as Afghanistan, India, Eswatini, and the United States, with the highest concentration of incidents in Southeast Asia. Affected organizations span the telecommunications, technology, consulting, chemicals, and transportation industries, as well as nonprofits, with government agencies targeted more frequently than any other sector.
Not all of these organizations serve as the hackers’ ultimate targets. For instance, a nongovernmental organization (NGO) might possess valuable data worth stealing or act as a discreet launching point for attacks on more significant government agencies. In 2023, researchers noted Salt Typhoon infiltrating consulting firms and NGOs associated with the US government and military to expedite and enhance their breaches into those governmental bodies.