A “handful” of as yet unspecified U.S. internet service providers (ISPs) were reportedly targeted by a new group linked to the Chinese government and tracked by Microsoft as Salt Typhoon.
The Wall Street Journal reported Sep. 25 that the advanced persistent threat (APT) group’s aim was to conduct espionage and use U.S. cable and broadband providers as a launchpad for future attacks.
“The Salt Typhoon attacks on U.S. ISPs highlight China's ongoing efforts to infiltrate critical infrastructure and establish persistent access for espionage and potential future disruption,” said Guy Rosenthal, vice president of product at DoControl.
Rosenthal said the targeting of ISPs by China was a strategic move: it offers them a vantage point to monitor traffic, gather intelligence, and potentially launch broader attacks. Rosenthal said from this position, attackers could collect a wealth of information to use in subsequent attacks. They could monitor communication patterns, identify high-value targets, and gather data for more sophisticated social-engineering campaigns.
“For instance, they might be able to intercept unencrypted data, track user behaviors, or even manipulate traffic in subtle ways,” said Rosenthal. “As for tactics, techniques and procedures, we know this group has previously exploited unpatched Microsoft Exchange vulnerabilities. This underscores the critical importance of timely patching, especially for internet-facing systems. But beyond that, APT groups like Salt Typhoon often use a combination of social engineering, credential theft, and living-off-the-land techniques to move laterally and maintain persistence once they gain initial access.”
Salt Typhoon, aka APT41, has a history of targeting critical infrastructure and government organizations, said Sarah Jones, cyber threat intelligence research analyst at Critical Start.
Historically, the group has gained initial access to systems by exploiting vulnerabilities in various software applications and gathering victim identity information, Jones continued. APT41 has exploited vulnerabilities in software such as Zoho ManageEngine Desktop Central, Citrix Application Delivery Controllers (ADC), and Log4j. APT41 has also gained access to databases containing information about existing accounts, passwords, and employee lists to support their initial access efforts.
“While there’s currently no confirmed evidence of which U.S. ISPs have been impacted by this attack, the potential consequences of such a breach are severe,” said Jones. “Such a breach could lead to widespread internet outages, disrupting businesses, education, healthcare, and other vital sectors. Compromised ISPs could disrupt phone, email, and other communication services. And, ISPs store vast amounts of personal data, making them prime targets for data breaches and privacy violations. This exposed data could be used for identity theft, fraud, and other malicious activities.”
Jones also pointed out that ISPs often connect to critical infrastructure, such as power grids, transportation systems, and financial institutions. Jones said compromised ISPs could serve as a gateway to attack and disrupt these essential services, leading to severe economic consequences and national security risks.
China’s policy of conducting industrial espionage against the United States has been a stated goal for several years, and numerous government agencies have pointed this out, especially this year as war rages in the Middle East and Ukraine and the United States is distracted by the Presidential election.
FBI Director Christopher Wray warned in April that the Chinese had plans to attack critical infrastructure in the United States. The FBI sent out a joint advisory to the same effect with the National Security Agency and the Cybersecurity and Infrastructure Security Agency in February.
