Salt Typhoon's Web of Deceit: A Decade-Long Domain Empire Exposed

For nearly a decade, the Chinese espionage crew known as Salt Typhoon has been secretly infiltrating organizations around the world, leaving a trail of digital breadcrumbs that have now been uncovered by threat intelligence firm Silent Push. The researchers have discovered dozens of domains linked to Salt Typhoon and its cousin group UNC4841, many of which were previously unreported and date back as far as 2020.

The revelation comes as part of a Monday report from Silent Push, which identified 45 domains tied to the two groups. These domains represent a significant increase in the known scope of Salt Typhoon's operations, with many having been hidden behind a complex web of command and control (C2) infrastructure.

A Decade-Long Domain Empire

Salt Typhoon's domain empire is a testament to its stealthy approach to espionage. According to Silent Push, the group has used dozens of domains over the past five years to gain long-term access to victim organizations. Many of these domains were registered using fake personas, including "Shawn Francis," "Monica Burch," and "Tommie Arnold," all of whom purportedly live in the US but have physical addresses that don't exist.

ProtonMail email addresses are also prominent among the group's domain registrations, with many using the same registrant - a tactic that has been previously associated with Salt Typhoon operations. The researchers note that these domains share key registration patterns that helped them uncover the new domain names, many of which appear to be linked to Barracuda Email Security Gateways.

In one striking example, Silent Push identified a domain registered in May 2020 as newhkdaily[.]com, which appears to be a Hong Kong newspaper. While its purpose is unclear at this time, the researchers warn that it could be part of a larger Psychological Operation (PSYOP) campaign or a propaganda front.

Ties to Chinese Spy Gangs

Salt Typhoon, the Chinese spy gang behind this domain empire, has been linked to hacking operations against major telecommunications firms in the US. The group has stolen metadata and other information belonging to "nearly every American," according to a top FBI cyber official.

UNC4841, a similar group to Salt Typhoon, is best known for its 2023 attacks that targeted CVE-2023-2868, a critical bug in some Barracuda Email Security Gateways. The group used this vulnerability to deploy custom malware and maintain access to high-value networks, including about a third of government organizations.

A Call to Action

Silent Push warns that all domains associated with Salt Typhoon and UNC4841 present a significant level of risk. To defend against this evolving threat, the researchers recommend defenders check their telemetry and historic logs against these newly identified domains, along with the low-density IP addresses observed in DNS A records for all of these domains.
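The retrospective hunt Silent Push recommends, checking historic logs against a list of domains and the IP addresses seen in their A records, comes down to indicator matching with a few edge cases: indicator lists are usually published defanged (`newhkdaily[.]com`), hostnames in logs are often subdomains of the listed domain, and a naive substring match would flag unrelated names that merely end in the same characters. The script below is an added example written for this article, not code from Silent Push; the only real indicator in it is newhkdaily[.]com, which the article names, and the other list entries and all log lines are constructed placeholders.

```python
"""Match DNS, proxy and firewall log lines against a defanged indicator list.

Added example (not from the Silent Push report). Demonstrates the log-review
step the report recommends: refang the published domains and IPs, then flag
any log line that resolves, connects to, or queries one of them.
"""
import ipaddress
import re

# Indicator list. newhkdaily[.]com is the one domain the article names; the
# remaining entries are constructed placeholders, not real Salt Typhoon IoCs.
INDICATORS = [
    "newhkdaily[.]com",
    "placeholder-c2-domain[.]invalid",   # constructed placeholder domain
    "203[.]0[.]113[.]7",                  # constructed placeholder IP (TEST-NET-3)
]

# Constructed sample telemetry: a DNS query and answer, a benign proxy request,
# and a firewall allow to the placeholder IP.
SAMPLE_LOGS = [
    "2025-03-10T08:14:02Z dns client=10.0.0.21 query=mail.newhkdaily.com type=A",
    "2025-03-10T08:14:03Z dns client=10.0.0.21 answer=mail.newhkdaily.com A 203.0.113.7",
    "2025-03-10T08:20:11Z proxy client=10.0.0.44 url=https://www.example.org/index.html status=200",
    "2025-03-10T09:02:55Z fw src=10.0.0.9 dst=203.0.113.7 dport=443 action=allow",
]


def refang(indicator: str) -> str:
    """Turn defanged notation ('[.]', 'hxxp://') back into a matchable value."""
    value = indicator.strip().lower()
    return (value.replace("[.]", ".")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


def load_indicators(raw):
    """Split a mixed indicator list into a domain set and an IP set."""
    domains, ips = set(), set()
    for item in raw:
        value = refang(item)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value)
    return domains, ips


# Hostnames: dotted labels ending in an alphabetic TLD, not glued to other text.
HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)
# IPv4 literals, not part of a longer dotted string.
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def domain_matches(host: str, domains) -> bool:
    """True if host equals an indicator or is a subdomain of one.

    The leading dot in the suffix check keeps 'notnewhkdaily.com' from
    matching the indicator 'newhkdaily.com'.
    """
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_logs(lines, indicators):
    """Return (line_number, kind, value) for every indicator hit."""
    domains, ips = load_indicators(indicators)
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line.lower()):
            if domain_matches(host, domains):
                hits.append((n, "domain", host))
        for ip in IP_RE.findall(line):
            if ip in ips:
                hits.append((n, "ip", ip))
    return hits


if __name__ == "__main__":
    for n, kind, value in scan_logs(SAMPLE_LOGS, INDICATORS):
        print(f"line {n}: {kind} hit on {value}")
```

Run against the constructed logs, the script flags the DNS query and answer for `mail.newhkdaily.com` and both sightings of the placeholder IP, while the benign proxy request is left alone. In practice the indicator list would be the published Silent Push set rather than the placeholders here, and the line parsing would be swapped for whatever fields your DNS and proxy logs actually carry.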

"Proactive measures are crucial in defending against this evolving threat," says Silent Push. "By using these lists as hunting tools to help boot Chinese spies off critical networks, defenders can significantly reduce the risk posed by Salt Typhoon and UNC4841."