China's Salt Typhoon Cyber Spies Are Deep Inside US ISPs

Updated Another Beijing-linked cyberspy crew, this one dubbed Salt Typhoon, has reportedly been spotted on networks belonging to US internet service providers in stealthy data-stealing missions and potential preparation for future cyberattacks.

The Wall Street Journal on Wednesday reported the breaches, citing "people familiar with the matter." The newspaper didn't name the compromised ISPs, but said "a handful" had been broken into by this new Chinese group that investigators are calling Salt Typhoon.

While the US Cybersecurity and Infrastructure Security Agency did not immediately respond to The Register's inquiries about Salt Typhoon and the alleged ISP break-ins, the news follows a series of similar network intrusions that the Feds and private researchers have tied to Chinese government snoops.

A week ago, FBI Director Christopher Wray revealed his agency and international law enforcement disrupted a 260,000-device botnet controlled by a different Beijing-linked goon squad: Flax Typhoon.

This group had been building the Mirai-based botnet since 2021, and most recently targeting US critical infrastructure, government, and academics, according to Wray. 

Typhoon season hits

In a related security advisory, government agencies accused the Flax Typhoon crew of amassing a SQL database containing details of 1.2 million records on compromised and hijacked devices that they had either previously used or were currently using for the botnet.

As recently as August, another Typhoon gang — Volt Typhoon — was accused of hiding in American networks after exploiting a high-severity bug in Versa's SD-WAN software.

Back in February, the US government confirmed that this same Chinese crew comprised "multiple" US critical infrastructure orgs' IT networks in America in preparation for "disruptive or destructive cyberattacks" against those targets.

Also last week, Binary Defense revealed details of how it uncovered Chinese state-sponsored spies inside a global engineering firm's network where they had been snooping around for four months.

The infosec shop's Director of Security Research John Dwyer spoke exclusively to The Register about the intrusion, which he said has been attributed to an unnamed People's Republic of China team, whose motivation appeared to be espionage and blueprint theft. 

"I can't really comment on the connection between the incidents, but I can say that given the uptick in Chinese-linked attacks against critical infrastructure supply chains, ISPs, and core internet devices there is a clear strategy at play where attackers are aiming to identity and exploit logical choke points in our society to take control of the flow of information and supplies," he told The Register today when asked about a possible Salt Typhoon connection.

Terry Dunlap, a former US National Security Agency offensive analyst, told The Register that while he doesn't have direct knowledge of the most recent cyber intrusion, "it makes sense for US adversaries to target ISPs due to the large volume and variety of comms moving in and out of ISPs."

"Supply chain infiltration by our adversaries has been a problem I've seen since 2010, specifically with Chinese security cameras and other embedded IoT devices," added Dunlap, chief security strategist at IoT security company NetRise.

And, he noted, it should have been spotted earlier. "Why did it take so long for people to discover this? I've known this type of behavior has been happening for years. Why is the US just now waking up to this long established trend in adversarial TTPs?" Those being tactics, techniques, and procedures.

The Salt Typhoon report "is another example of our adversaries embedding themselves deep within the US infrastructure," Dunlap said. "I believe this is another component of China's 100-Year Strategy."®

Updated to add at 0210 UTC, September 26

CISA Executive Assistant Director for Cybersecurity Jeff Greene told us the agency is aware of the report of the compromised ISPs, and said that China is known to be infiltrating all manner of critical targets.

"CISA and our partners continue to emphasize the risk posed by PRC state-sponsored cyber actors, who have compromised the IT environments across multiple critical infrastructure sectors and organizations," he said in a statement.

"We encourage all organizations to review our latest advisories and guidance, to include our joint Cybersecurity Advisory on identifying and mitigating living off the land techniques, and take action, as appropriate."

RECENT NEWS

From Chip War To Cloud War: The Next Frontier In Global Tech Competition

The global chip war, characterized by intense competition among nations and corporations for supremacy in semiconductor ... Read more

The High Stakes Of Tech Regulation: Security Risks And Market Dynamics

The influence of tech giants in the global economy continues to grow, raising crucial questions about how to balance sec... Read more

The Tyranny Of Instagram Interiors: Why It's Time To Break Free From Algorithm-Driven Aesthetics

Instagram has become a dominant force in shaping interior design trends, offering a seemingly endless stream of inspirat... Read more

The Data Crunch In AI: Strategies For Sustainability

Exploring solutions to the imminent exhaustion of internet data for AI training.As the artificial intelligence (AI) indu... Read more

Google Abandons Four-Year Effort To Remove Cookies From Chrome Browser

After four years of dedicated effort, Google has decided to abandon its plan to remove third-party cookies from its Chro... Read more

LinkedIn Embraces AI And Gamification To Drive User Engagement And Revenue

In an effort to tackle slowing revenue growth and enhance user engagement, LinkedIn is turning to artificial intelligenc... Read more