Expansion of Chinese hacking group Salt Typhoon sparks global security alert
In a joint cybersecurity advisory, intelligence agencies from more than a dozen countries, including the US, UK, Canada, Australia, New Zealand, Finland, Germany, Italy, Czech Republic, Japan, Poland, Spain, and the Netherlands, have raised the alarm about a hacker group known as Salt Typhoon.
This Chinese hacker group, confirmed by Dutch intelligence to have infiltrated routers at smaller internet and hosting providers in the Netherlands, has been active in the US, UK, Canada, Australia, and New Zealand, in addition to its home country.
Salt Typhoon has gained notoriety for breaching major US telecom and internet service providers (ISPs), including AT&T, Verizon, T-Mobile, Lumen Technologies, Charter, Consolidated, and Windstream Communications. The group has also targeted flaws in Ivanti Connect Secure and Ivanti Policy Secure; Palo Alto Networks PAN-OS GlobalProtect; and Cisco IOS and IOS XE.
The group's activities have resulted in the theft of sensitive data such as passwords, user content, customer records, inventories, device configurations, files, vendor lists, router interfaces, in-transit network traffic, RSVP sessions, BGP routes, authentication protocols, and RADIUS. This stolen data can provide Chinese intelligence services the capability to identify and track targets' communications and movements worldwide.
Global threat intelligence agencies advise enterprises to perform extensive monitoring of configuration changes, virtualized containers, network services and tunnels, firmware and software integrity, and logs. They recommend regular review of network devices, routers, logs, and configurations for "unexpected, unapproved, or unusual activity."
Organizations are also advised to employ a robust change management process, disable outbound connections from management interfaces, change all default administrative credentials, require public-key authentication for administrative roles, disable password authentication, use the vendor-recommended version of the network device operating system, and keep it updated.
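An added example (not from the advisory or the agencies quoted above): one way to act on the configuration-monitoring and hardening advice is to diff a device's running configuration against an approved baseline and flag changes that touch the listed items. The Cisco IOS-style configs, hostname, account names and rule set below are constructed assumptions.

```python
import difflib
import re

# Constructed sample configs in Cisco IOS style (not taken from the advisory).
BASELINE = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$constructed
ip ssh server algorithm authentication publickey
interface GigabitEthernet0/0
line vty 0 4
 transport input ssh
 transport output none
"""

CURRENT = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$constructed
username support privilege 15 password 0 constructed
ip ssh server algorithm authentication publickey password
interface GigabitEthernet0/0
interface Tunnel0
 tunnel destination 198.51.100.7
line vty 0 4
 transport input ssh
"""

# (label, diff sign that triggers the rule, pattern) -- hypothetical rule set.
RULES = [
    ("new local account", "+", re.compile(r"^username\s+\S+")),
    ("password authentication enabled", "+", re.compile(r"^ip ssh server algorithm authentication\b.*\bpassword\b")),
    ("public-key-only SSH setting removed", "-", re.compile(r"^ip ssh server algorithm authentication publickey$")),
    ("new tunnel interface", "+", re.compile(r"^interface Tunnel\d+")),
    ("outbound sessions from management lines re-enabled", "-", re.compile(r"^transport output none$")),
]

def config_changes(baseline, current):
    """Return (sign, line) pairs for every config line added or removed."""
    diff = list(difflib.unified_diff(baseline.splitlines(), current.splitlines(),
                                     lineterm="", n=0))
    return [(d[0], d[1:].strip()) for d in diff[2:] if d[0] in "+-"]

def audit(baseline, current):
    """Return findings for unapproved changes that touch the hardening items."""
    findings = []
    for sign, line in config_changes(baseline, current):
        for label, direction, pattern in RULES:
            if sign == direction and pattern.search(line):
                findings.append((label, sign + line))
    return findings
```

Calling audit(BASELINE, CURRENT) returns one finding per unapproved change; every finding should map to a change-management ticket or be investigated.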
Beauceron's Shipley stated that the continued attacks of this magnitude from Salt Typhoon and others come down to a lack of incentives for major networking company technology providers to create more robust authentication mechanisms and resiliency. He noted that the internet and corporate networks still behave like we're in the 1990s, and they're not behaving like the vital digital nervous system of the global economy and society.
Dutch intelligence authorities have shared threat intelligence with affected companies and "other relevant audiences." However, the Dutch organizations targeted by Salt Typhoon did not receive the same level of attention from the hackers as those in the US, and Salt Typhoon does not seem to have penetrated further into the targeted companies' networks after accessing their routers.
Salt Typhoon has been linked to multiple Chinese entities, including those that support the People's Liberation Army (PLA) and China's Ministry of State Security (MSS). The group has had considerable success with exploiting known vulnerabilities (n-days) rather than relying on bespoke malware or zero-day vulnerabilities.
Notably, Salt Typhoon hacked the US National Guard for 9 months, accessing networks in every state, stealing credentials, personal data, and network diagrams. The ongoing security issues have been described as the "climate change of tech," a problem too many still don't value solving, and something that requires the kind of consensus for action that's almost impossibly elusive.
Shipley further stated that the cost to build a more secure digital economy is a bill that enterprises simply aren't prepared to pay, "until it's too late." The ongoing Salt Typhoon attacks underscore the urgent need for a more secure digital infrastructure.