
NSA, FBI, Others Say Chinese Tech Firms are Aiding Salt Typhoon Attacks – Source: securityboulevard.com


Source: securityboulevard.com – Author: Jeffrey Burt

Intelligence agencies in the United States and more than a dozen other countries are putting a focus on three Chinese companies they say are supporting the state-sponsored threat group Salt Typhoon’s hacking and cyber-espionage attacks around the world.

In a joint report that also details the advanced persistent threat (APT) group’s methods and tactics, the agencies this week wrote that Sichuan Juxinhe Network Technology Co., Beijing Huanyu Tianqiong Information Technology Co., and Sichuan Zhixin Ruijie Network Technology Co. are supplying products and services to China’s intelligence services – including various units in the People’s Liberation Army and Ministry of State Security – that are used in the Salt Typhoon operations, which have been running since 2021.

“The data stolen through this activity against foreign telecommunications and Internet service providers (ISPs), as well as intrusions in the lodging and transportation sectors, ultimately can provide Chinese intelligence services with the capability to identify and track their targets’ communications and movements around the world,” the agencies wrote in the report.


The agencies include the U.S. National Security Agency, CISA, FBI, and Department of Defense Cyber Crime Center, and counterparts from the UK, Canada, Australia, New Zealand, Italy, Germany, Finland, Czech Republic, Japan, the Netherlands, Spain, and Poland.

A Focus on Private Companies

The naming of the three companies follows similar efforts by U.S. intelligence agencies to highlight the connections between Chinese intelligence agencies, state-sponsored threat groups, and commercial entities in the country.

In March, the U.S. Justice Department (DOJ) indicted 12 Chinese nationals for hacking into computer systems of a range of individuals and organizations in the United States and elsewhere, with prosecutors saying the charges revealed an extensive and long-standing use of private companies and freelance threat actors in hacker-for-hire operations.

In this latest report, “the three China-based technology companies provide cyber-related services to the Chinese intelligence services and are part of a wider commercial ecosystem in China, which includes information security companies, data brokers and hackers for hire,” the UK’s National Cyber Security Centre wrote.

John Hultquist, chief analyst with the Google Threat Intelligence Group, in an email statement described an “ecosystem of contractors, academics, and other facilitators … at the heart of Chinese cyber espionage. Contractors are used to build tools and valuable exploits as well as carry out the dirty work of intrusion operations. They have been instrumental in the rapid evolution of these operations and growing them to an unprecedented scale.”

Attacking the Telecoms

Salt Typhoon is best known for its widespread attacks compromising the broadband networks of U.S. telecoms such as Verizon, AT&T, T-Mobile, and others to attain persistence and steal data. However, the APT group has also attacked organizations in other areas, such as critical infrastructure, in the United States and around the globe, with Hultquist saying that “reported targeting of hospitality and transportation by this actor could be used to closely surveil individuals. Information from these sectors can be used to develop a full picture of who someone is talking to, where they are, and where they are going.”

He also said that while there are many Chinese-sponsored espionage groups targeting the telecom sector, Salt Typhoon’s “familiarity with telecommunications systems gives them a unique advantage, especially when it comes to evading detection. Many of the highly successful Chinese cyber espionage actors we encounter have deep expertise in the technologies used by their targets, giving them an upper hand.”

Exploiting CVEs for Initial Access

According to the report this week, the Salt Typhoon actors gain initial access by exploiting publicly known vulnerabilities, for which patches are already available, in exposed infrastructure, in particular CVE-2024-21887 (Ivanti Connect Secure and Policy Secure command injection flaw), CVE-2024-3400 (Palo Alto Networks’ PAN-OS GlobalProtect remote code execution, or RCE), CVE-2023-20273 (Cisco IOS XE software command injection and privilege escalation), CVE-2023-20198 (Cisco IOS XE authentication bypass), and CVE-2018-0171 (Cisco IOS and IOS XE Smart Install RCE).

“To maintain persistent access to target networks, the APT actors use a variety of techniques,” the intelligence agencies wrote. “Notably, a number of these techniques can obfuscate the actors’ source IP address in system logs, as their actions may be recorded as originating from local IP addresses.”

Once in the devices, Salt Typhoon then targets authentication protocols and infrastructure to enable lateral movement through network devices, with the report noting that “capturing network traffic containing credentials via compromised routers is a common method for further enabling lateral movement.”

Persistence is Key

The threat group’s malicious activity is aimed at establishing persistent, long-term access to networks, with the APT actors maintaining more than one method of access at a time. The agencies said critical infrastructure operators should run red-teaming operations and incident response exercises, and encouraged defenders to first define and understand the full extent of the threat group’s access to their networks, and then to remove every foothold simultaneously.

“Partial response actions may alert the actors to an ongoing investigation and jeopardize the ability to conduct full eviction,” the agencies wrote. “Incident response on one network may also result in the APT actors taking measures to conceal and maintain their access on additional compromised networks, and potentially disrupt broader investigative and operational frameworks already in progress.”

They also encouraged defenders to monitor configuration changes, virtualized containers, network services and tunnels, firmware and software integrity, and logs.
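The advisory's two points above, that the actors' activity may be logged as coming from local addresses and that defenders should monitor configuration changes and logs, can be combined into a simple triage pass over device syslog. The following is an added example, not code from the advisory or from any vendor; the log lines are constructed, IOS-style samples, the management subnet is an assumed allow-list, and the message formats are only approximations of the real ones.

```python
import ipaddress
import re

# Constructed IOS-style syslog samples (approximate formats, not from the advisory).
SAMPLE_LOGS = [
    "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.20.0.5] [localport: 22]",
    "%SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.20.0.5)",
    "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 127.0.0.1] [localport: 22]",
    "%SYS-5-CONFIG_I: Configured from console by admin on vty1 (127.0.0.1)",
    "%SYS-5-CONFIG_I: Configured from console by svc on vty2 (192.168.77.9)",
]

# Assumed allow-list: only the jump-host subnet should log in to or reconfigure devices.
MGMT_ALLOWED = [ipaddress.ip_network("10.20.0.0/24")]

# Pull the source address out of either the "[Source: x.x.x.x]" or "(x.x.x.x)" form.
IP_RE = re.compile(r"(?:\[Source: |\()(\d{1,3}(?:\.\d{1,3}){3})")


def source_ip(line):
    """Return the source IP recorded in a login or config-change line, or None."""
    m = IP_RE.search(line)
    return ipaddress.ip_address(m.group(1)) if m else None


def classify(line):
    """Return None if the event is expected, else a short reason it needs review."""
    ip = source_ip(line)
    if ip is None:
        return None
    if ip.is_loopback or ip.is_link_local:
        # The advisory notes actions may be recorded as originating from local addresses;
        # an interactive login or config change from such an address is worth a look.
        return "privileged action sourced from a device-local address"
    if not any(ip in net for net in MGMT_ALLOWED):
        return "privileged action from outside the management allow-list"
    return None


def review(lines):
    """Return (line, reason) pairs for every event that should be investigated."""
    return [(line, reason) for line in lines if (reason := classify(line))]


if __name__ == "__main__":
    for line, reason in review(SAMPLE_LOGS):
        print(f"{reason}: {line}")
```

In production the allow-list would come from the device's configured management ACL, and the same check belongs on TACACS+/RADIUS accounting records, which are not rewritten by the device itself.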


Original Post URL: https://securityboulevard.com/2025/08/nsa-fbi-others-say-chinese-tech-firms-are-aiding-salt-typhoon-attacks/?utm_source=rss&utm_medium=rss&utm_campaign=nsa-fbi-others-say-chinese-tech-firms-are-aiding-salt-typhoon-attacks

Category & Tags: Cloud Security, Cybersecurity, Data Privacy, Data Security, Featured, Identity & Access, Incident Response, Industry Spotlight, Mobile Security, Network Security, News, Security Boulevard (Original), Social – Facebook, Social – LinkedIn, Social – X, Spotlight, Threat Intelligence, Vulnerabilities, china espionage, Chinese companies, National Security Agency, Salt Typhoon cyberattack
