China's Salt Typhoon: A Persistent Threat to Global Critical Infrastructure
Last year, the US government warned the public about China's Salt Typhoon, a sophisticated cyber espionage campaign targeting critical industries around the world. That threat is far from over. A joint security alert released by 13 governments, including the US, the UK and several European nations, makes clear that Salt Typhoon continues to pose a significant risk to critical infrastructure worldwide.
According to the joint advisory, Salt Typhoon's hacking activity has been ongoing since at least 2019, and its intrusions into telecommunications networks violate global norms of privacy and security. Brett Leatherman, who heads the FBI's cyber division, described the group as "persistent actors" that focus on the large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers.
"These actors often modify routers to maintain persistent, long-term access to networks," warned the US and its allies. "While these actors focus on large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers, they also leverage compromised devices and trusted connections to pivot into other networks."
Salt Typhoon is a highly sophisticated threat actor that uses a range of tools and techniques to keep its foothold in a network. According to the joint advisory, these include exploiting known vulnerabilities, capturing traffic that contains credentials, and abusing peering connections to steal sensitive information.
The group has been linked to three China-based entities: Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong Information Technology, and Sichuan Zhixin Ruijie Network Technology. These entities are accused of providing cyber products and services to China's Ministry of State Security and People's Liberation Army.
The US has taken action against one of these entities, imposing sanctions on Sichuan Juxinhe Network Technology in January. However, the joint advisory warns that Salt Typhoon remains a persistent threat, with the group continuing to evolve and adapt its tactics.
Global Response
The international coalition behind the joint advisory includes not only US government agencies but also those from the UK, Australia, Canada, New Zealand, the Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland, and Spain. This level of cooperation is a significant signal that the United States and its partners are united in their concerns about malicious Chinese state-sponsored cyber operations.
"Wow, that is a lot of seals on the alert," said Annie Fixler, director of the Center on Cyber and Technology Innovation at the national security think tank Foundation for Defense of Democracies. "This type of joint alert from so many partners speaks to the importance of the information and the level of confidence in the attribution."
Consequences
The consequences of Salt Typhoon's activities are far-reaching, with the group targeting sectors such as telecommunications, government, transportation, lodging, and military infrastructure networks.
"Though there are many Chinese cyber espionage actors regularly targeting the sector, this actor's familiarity with telecommunications systems gives them a unique advantage, especially when it comes to evading detection," said John Hultquist, Google Threat Intelligence Group chief analyst. "In addition to targeting telecommunications, reported targeting of hospitality and transportation by this actor could be used to closely surveil individuals."
Google's Mandiant incident response team has been working with telecommunications companies globally to evict Salt Typhoon from their networks. Its experience from those engagements is that the group's tradecraft is sophisticated and that removing it is a significant challenge for defenders.
What Can You Do?
While the joint advisory is a cause for concern, there are steps you can take to protect yourself and your organization from Salt Typhoon's activities.
"Patching these vulnerabilities if you haven't already done so" is crucial, according to the advisory. "It also describes tools and techniques that Salt Typhoon uses to maintain network persistence, move laterally across devices, capture traffic containing credentials, and abuse peering connections to steal sensitive information."