Chinese state-sponsored hackers have been found to have gained access to multiple US internet service providers (ISPs) to establish persistence and carry out cyber espionage activities.
The Chinese APT group, Salt Typhoon, infiltrated these services in recent months in “pursuit of sensitive information,” according to a WSJ report.
“Investigators are exploring whether the intruders gained access to Cisco Systems routers, core network components that route much of the traffic on the internet,” WSJ reported, citing people familiar with the matter. A Cisco spokesperson reportedly said “no Cisco Routers were involved” in the Salt Typhoon activity.
The threat actor, which Microsoft also tracks as GhostEmperor and FamousSparrow, is known to have exploited unpatched Microsoft Exchange Server vulnerabilities in 2021 to gain initial access into networks.
Infecting ISPs through zero-days
It has become commonplace for hackers linked to the Chinese government to attempt cyber espionage on US soil. These groups typically gain entry by exploiting vulnerabilities in internet-facing network devices, then use sophisticated techniques to maintain access and evade detection.
Previously, Black Lotus Labs observed China’s Volt Typhoon exploiting a zero-day vulnerability in Versa Director, a software platform for managing SD-WAN infrastructure used by ISPs and managed service providers (MSPs).
In February, the FBI issued an advisory on Volt Typhoon’s threat activities, listing the tactics, techniques, and procedures (TTPs) used by the group. “The US authoring agencies have confirmed that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations — primarily in Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors — in the continental and non-continental United States and its territories, including Guam,” the advisory said.
In a December 2023 operation, the FBI disrupted a fraction of the Volt Typhoon operations by taking down a botnet of hundreds of US-based small-office/home-office (SOHO) routers.
To obtain initial access, Volt Typhoon actors commonly exploit vulnerabilities in networking appliances such as those from Fortinet, Ivanti Connect Secure (formerly Pulse Secure), NETGEAR, Citrix, and Cisco. Salt Typhoon, along with another China-linked APT, Flax Typhoon, likely employs similar techniques to gain initial access.
Salt Typhoon’s activities are part of a larger pattern of Chinese cyber operations aimed at embedding within the infrastructure of foreign nations, with a focus on espionage and potential disruption. These types of attacks on ISPs are particularly dangerous because they can compromise sensitive communications, provide a foundation for future cyberattacks, and disrupt national security.