Notorious Chinese Hacking Group Salt Typhoon Lurking in European Comms Networks

A new report from Darktrace has linked the notorious Chinese hacking group Salt Typhoon to a recent intrusion against telecommunications firms in Europe, highlighting the growing threat of state-sponsored actors targeting global infrastructure.

The report says Salt Typhoon was observed using stealthy techniques such as DLL side-loading and the exploitation of vulnerabilities in internet-facing systems, including zero-days, to reach infrastructure targets. These tactics closely match those the group used in earlier high-profile campaigns against telecom operators around the world.

In one of its most prolific campaigns, Salt Typhoon breached up to eight telecom organizations over a multi-year period and stole sensitive information on millions of American telecom customers. In that campaign the group exploited a high-severity Cisco flaw to get into carrier networks and collect traffic from devices connected to them.

In the latest incident, Darktrace attributed the activity to Salt Typhoon with moderate confidence, noting the group's stealthy and persistent abuse of legitimate tools. Initial access came through a Citrix NetScaler Gateway appliance. From there, the attackers reached internal endpoints and deployed the Snappybee backdoor, also known as Deed RAT, which is launched by DLL side-loading: a malicious DLL is placed next to a legitimate, signed executable that loads a library of that name from its own directory, so the payload runs inside a trusted process.

"The backdoor was delivered to these internal endpoints as a DLL alongside legitimate executable files for antivirus software such as Norton Antivirus, Bkav Antivirus, and IObit Malware Fighter," Darktrace explained. "This pattern of activity indicates that the attacker relied on DLL side-loading via legitimate antivirus software to execute their payloads. Salt Typhoon and similar groups have a history of employing this technique, enabling them to execute payloads under the guise of trusted software and bypass traditional security controls."

Darktrace says the intrusion was identified and remediated before it could progress beyond the early stages of the attack. The company argues that this shows the value of anomaly-based detection over purely signature-based methods, particularly against persistent state-sponsored actors whose tooling is built to look like legitimate software.

The Importance of Proactive Defense

The incident is a reminder of why signature-based detection alone struggles with this kind of tradecraft: the host process is a legitimately signed antivirus executable, so there is nothing malicious to match until the payload is already running. What gives the activity away is the anomaly, such as a DLL that was never part of the product loading into that process, or an edge appliance starting connections it has no reason to make.

Darktrace's report emphasizes the need to monitor networks continuously for suspicious activity. For a practitioner the two concrete lessons from this case are that internet-facing appliances such as Citrix NetScaler Gateway need prompt patching and forwarded logs, since that is where the intrusion started, and that module loads by trusted security software deserve the same scrutiny as any other process.

The Rise of State-Sponsored Threat Actors

Persistent, state-sponsored threat actors like Salt Typhoon are a pressing concern for telecom operators and their customers alike. These groups are known for stealthy tradecraft, for living off legitimate tools, and for the patience to remain in a network for months or years while evading traditional security controls.

As the threat landscape evolves, keeping up with the tactics these groups actually use, such as the appliance exploitation and DLL side-loading described above, lets organizations aim their defenses at the behaviour they will see rather than at yesterday's indicators.

Staying Safe Online

In light of this incident, it is worth revisiting the basics. Some steps that apply to this kind of attack:

* Keep antivirus software up to date, but do not treat its presence as a control on its own: in this case the attackers used legitimate antivirus executables as the hosts for their payload, so watch which DLLs those processes load and where they load them from.
* Patch internet-facing appliances such as Citrix NetScaler Gateway promptly, and make sure their logs reach your monitoring.
* Use strong passwords and enable two-factor authentication.
* Be cautious when clicking on links or opening attachments from unknown sources.
* Regularly monitor your networks for suspicious activity, including unexpected outbound connections from appliances and servers.

Taking these precautions will not stop a determined state-sponsored actor by themselves, but they raise the cost of an intrusion and make the early stages of an attack like Salt Typhoon's far more likely to be noticed. Stay vigilant, stay safe.

About the Author

This article was written by Ellen, a journalist with almost four years of experience in the tech industry. She has a background in Politics and International Relations from the University of Cardiff and an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing's MVC content team, working with merchants and retailers to upload content.