The Salt Typhoon Telecom Breach: When Network Access Becomes National Exposure - #APT40
The Chinese Advanced Persistent Threat (APT) group Salt Typhoon, also tracked as FamousSparrow, GhostEmperor, Earth Estries, and UNC2286, has conducted sophisticated cyberespionage campaigns since 2019 against critical sectors such as telecommunications and government worldwide. Initially thought to have been dormant since 2022, the group resurfaced with enhanced capabilities, including upgraded versions of its SparrowDoor backdoor and the adoption of the ShadowPad malware. Salt Typhoon exploits vulnerabilities in Microsoft Exchange and Windows Server systems, using a mix of custom and publicly available tools for initial access, lateral movement, and data exfiltration. Its recent activity, discovered by ESET researchers, included compromises of entities in the U.S. financial sector, a Mexican research institute, and a Honduran government institution. To help defend against these threats, cybersecurity firms such as AttackIQ have developed assessment templates that emulate Salt Typhoon's tactics, allowing organizations to validate and improve their security controls against this kind of sophisticated APT activity.