Chinese APT Group Infiltrates US ISPs In Attack Campaign
As per recent media reports, a Chinese APT group has been observed targeting multiple United States (US) Internet Service Providers (ISPs) as part of an attack campaign. The primary aim of such attacks is to acquire sensitive information. In this article, we’ll dive into the details of the ISP cyber intrusions and uncover which organizations were targeted. Let’s begin!
The Chinese APT Group Identified
The malicious activities of the Chinese APT group were tracked by Microsoft. Based on that tracking, Salt Typhoon, also known as FamousSparrow and GhostEmperor, is believed to be the threat actor behind the attack campaign.
Providing insight into the matter, The Wall Street Journal cited people familiar with the investigation and stated that:
“Investigators are exploring whether the intruders gained access to Cisco Systems routers, core network components that route much of the traffic on the internet.”
The primary objective of the attack campaign launched by the Chinese APT group is to establish a persistent presence on the targeted network. Such a presence, once established, can enable the group to acquire sensitive information and launch further attacks.
GhostEmperor Hacking Group Inception
The origins of GhostEmperor can be traced back to October 2021. In the post-COVID era, this threat actor group first came to light when Kaspersky, a Russian cybersecurity company, published a detailed report on its deployment of a rootkit called “Demodex.”
The targets of the attack campaign covered by that report were high-profile entities in multiple countries, including:
- Egypt
- Ethiopia
- Vietnam
- Thailand
- Malaysia
- Indonesia
- Afghanistan
Demodex Rootkit Attacks
Online threats today are more advanced than ever before. Victims of these attacks are likely to experience information theft, monetary and reputational damage, and regulatory complications.
Those who want to lower their risk exposure and improve their security posture must develop an in-depth understanding of such attacks, since that understanding helps overcome security challenges and aids mitigation efforts.
That said, reports of activity involving the Demodex rootkit, known to have been used by the Chinese APT group, emerged in July 2024. Providing insight into these attacks, Sygnia, a cyber technology and services company, has stated that:
“During the investigation, several servers, workstations, and users were found to be compromised by a threat actor who deployed various tools to communicate with a set of servers. One of these tools was identified as a variant of Demodex.”
It’s worth noting that the US government also recently disclosed that it had identified a 260,000-device botnet called Raptor Train, controlled by another Chinese threat actor named Flax Typhoon. The 260,000-device botnet is the latest addition to Chinese state-sponsored activities targeting telecom, ISPs, and other critical sectors.
Conclusion
Salt Typhoon, also known as GhostEmperor, has launched a sophisticated cyber espionage campaign targeting US ISPs. Its use of advanced tools like the Demodex rootkit underscores the growing cyber threat from nation-state actors and calls for sophisticated protection mechanisms that ensure online safety.
The sources for this piece include articles in The Hacker News and Security Affairs.