26 September 2024

China-linked Salt Typhoon hackers reportedly infiltrate US ISPs

A recently identified Chinese government-backed hacker group, known as ‘Salt Typhoon,’ has reportedly infiltrated several US Internet service providers (ISPs) in an effort to steal sensitive information, according to a Wall Street Journal report. Sources familiar with the investigation revealed that the group has been active for months, potentially accessing routers that manage critical traffic for US ISPs.

The attackers are suspected of targeting core network infrastructure, specifically routers, to gain access to confidential data. Investigators are currently exploring the possibility that Salt Typhoon accessed Cisco Systems routers, which play a key role in directing traffic for many ISPs.

For its part, Cisco said it is conducting its own investigation into the matter and that there is no indication so far that Cisco routers were involved in Salt Typhoon activity.

Salt Typhoon, aka FamousSparrow and GhostEmperor, first attracted attention in October 2021, following the discovery of a sophisticated cyber espionage campaign targeting Southeast Asia.

GhostEmperor’s campaign involved a rootkit called Demodex, which allowed the hackers to remain undetected while infiltrating high-profile organizations in countries like Malaysia, Thailand, Vietnam, and Indonesia. The group also reportedly targeted organizations as far afield as Egypt, Ethiopia, and Afghanistan.

In July 2024, cybersecurity firm Sygnia disclosed that one of its clients had been compromised by Salt Typhoon in 2023, when the hackers breached a business partner's network. During its investigation, Sygnia found that several servers and workstations had been infiltrated, with the attackers deploying communication tools linked to command-and-control (C2) servers. One of the tools was identified as a variant of the Demodex rootkit.

The revelation of Salt Typhoon’s hacking campaign comes after the US authorities disrupted a 260,000-device botnet called ‘Raptor Train,’ which was operated by another Beijing-linked hacker group, Flax Typhoon.
