China’s Salt Typhoon hackers target telecom firms in Southeast Asia with new malware


The Chinese state-sponsored hacker group known as Salt Typhoon has been targeting telecommunications companies in Southeast Asia with a previously unseen backdoor, according to researchers.

Salt Typhoon has been in the spotlight recently following a China-linked espionage campaign that compromised the networks of multiple U.S. telecom firms including Verizon, AT&T, Lumen Technologies and T-Mobile. The attackers reportedly accessed customer call record data, particularly targeting individuals involved in government or political activities.

In a report published Monday, cybersecurity firm Trend Micro detailed another campaign it attributed to Earth Estrie (the name it uses to refer to Salt Typhoon), targeting the Southeast Asian telecom industry with a new backdoor called GhostSpider. The researchers noted that they were not able to directly link this campaign to the group's recent attacks on U.S. telecom firms.

“Earth Estrie is a well-organized group with a clear division of labor,” Trend Micro stated in its report. “We speculate that attacks targeting different regions and industries are launched by distinct actors.”

Additionally, the infrastructure used in the attack suggests the group consists of various teams, “further highlighting the complexity of the group’s operations,” the researchers added.

Since 2023, Salt Typhoon has successfully compromised more than 20 organizations across various sectors, including the telecom, technology, consulting, chemical and transportation industries, in the U.S., Asia-Pacific, the Middle East and South Africa.

During a long-term espionage campaign against unnamed Southeast Asian telecom companies, the group deployed GhostSpider malware — a sophisticated, flexible, and adaptable multi-modular backdoor.

GhostSpider’s modular design allows attackers to deploy or update different modules independently based on their needs, according to Trend Micro. This approach complicates detection and analysis, making it difficult for researchers to fully understand the malware’s functionality.

In addition to targeting the telecom industry, Salt Typhoon has also attacked state entities in Southeast Asia since August of this year. The hackers compromised Linux devices using the Masol remote access trojan, which has been in use since 2019 but has evolved over the years to target different operating systems.

According to Trend Micro, most of the victims in this campaign have been compromised for several years. “We believe that in the early stages, the attackers successfully obtained credentials and controlled target machines through web vulnerabilities,” researchers explained.

To gain initial access to victims’ devices, the group typically exploits flaws in public-facing servers. They then use legitimate tools or commands already present in the target system to move laterally within the network and deploy malware for long-term espionage.

Trend Micro described Salt Typhoon as “one of the most aggressive Chinese state hacker groups.”

Salt Typhoon’s campaign against the U.S. differed from that of another Chinese hacker group, Volt Typhoon, which recently embedded itself in critical infrastructure in ways that could potentially enable destructive actions.

However, Trend Micro noted that Salt Typhoon may share tools with other Chinese state-sponsored hackers, as their techniques and malware often overlap.


Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.
