Not Simon 🐐

Country: People's Republic of China Organization(s): Sichuan Juxinhe Network Technology Co., LTD. (Sichuan Juxinhe) Objective: Espionage (Page Last Updated: January 17, 2025)

Aliases:

• Earth Estries (Trend Micro)
• FamousSparrow (ESET, Fortinet)
• GhostEmperor (Kaspersky, Malpedia, Rapid7)
• Liminal Panda (CrowdStrike)
• Salt Typhoon Microsoft)
• UNC2286 (Mandiant)

Links to other groups

• DRBControl (PDF, Source: ESET)
• SparklingGoblin (subset of “Winnti” Source: ESET)
• Tropic Trooper (Source: Kaspersky)
  • Tropic Trooper (ETDA, Kaspersky, MITRE, Unit 42)
  • KeyBoy (Citizen Lab, Rapid7, formerly used by PwC)
  • Pirate Panda (Anomali, CrowdStrike)
• UNC4841 (Mandiant)

Vulnerabilities Exploited

• ProxyLogon (Sources: ESET, Kaspersky, Sygnia, Trend Micro):
  • CVE-2021-26855 (9.8 critical, in CISA's KEV Catalog) Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-26857 (7.8 high, in CISA's KEV Catalog) Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-26858 (7.8 high, in CISA's KEV Catalog) Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-27065 (7.8 high, in CISA's KEV Catalog)
• Source: Trend Micro
  • CVE-2023-46805 (8.2 high, in CISA's KEV Catalog) Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability
  • CVE-2024-21887 (9.1 critical, in CISA's KEV Catalog) Ivanti Connect Secure and Policy Secure Command Injection Vulnerability
  • CVE-2023-48788 (9.8 critical, in CISA's KEV Catalog) Fortinet FortiClient EMS SQL Injection Vulnerability
    
  • CVE-2022-3236 (9.8 critical, in CISA's KEV Catalog) Sophos Firewall Code Injection Vulnerability
• unidentified Microsoft SharePoint and Oracle Opera business software vulnerabilities (Source: ESET)
• CVE-2017-11882 (7.8 high, in CISA's KEV Catalog. Note: associated with alias Tropic Trooper) Microsoft Office Memory Corruption Vulnerability Source: Trend Micro
• CVE-2012-0158 (8.8 high, in CISA's KEV Catalog. Note: associated with alias Tropic Trooper, KeyBoy) Microsoft MSCOMCTL.OCX Remote Code Execution Vulnerability Sources: Unit 42, Citizen Lab
• CVE-2017-0199 (7.8 high, in CISA's KEV Catalog. Note: associated with alias Tropic Trooper) Microsoft Office and WordPad Remote Code Execution Vulnerability Source: Citizen Lab
• CVE-2015-1641 (7.8 high, in CISA's KEV Catalog. Note: associated with alias KeyBoy) Microsoft Office Memory Corruption Vulnerability Source: Citizen Lab

References

Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.

Links (Sorted in Chronological Order)

2025

• January 17, 2025:
  • U.S. State Department: U.S. Takes Action Against PRC-Linked Cyber Actors for Treasury Hack and Salt Typhoon
  • U.S. Treasury: Treasury Sanctions Company Associated with Salt Typhoon and Hacker Associated with Treasury Compromise (ATTRIBUTION)
• January 13, 2025 – Washington Post: Biden administration looks to penalize Salt Typhoon telecom hackers (news article)
• January 05, 2025 – Wall Street Journal: How Chinese Hackers Graduated From Clumsy Corporate Thieves to Military Weapons (news article)

2024

• December 29, 2024 – Reuters: AT&T, Verizon targeted by Salt Typhoon cyberespionage operation, but networks secure (news article)
• December 04, 2024 – Wall Street Journal: Dozens of Countries Hit in Chinese Telecom Hacking Campaign, Top U.S. Official Says (news article)
• December 03, 2024 – CISA: CISA and Partners Release Joint Guidance on PRC-Affiliated Threat Actor Compromising Networks of Global Telecommunications Providers
• November 27, 2024 – Bloomberg: T-Mobile Engineers Spotted Hackers Running Commands on Routers (news article, archive of paywalled article)
• November 25, 2024 – Trend Micro: Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions
• November 20, 2024 – Natto Thoughts: Salt Typhoon: Churning Up a Storm of Consternation
• November 19, 2024 – CrowdStrike: Unveiling LIMINAL PANDA: A Closer Look at China's Cyber Threats to the Telecom Sector
• November 15, 2024 – Wall Street Journal: T-Mobile Hacked in Massive Chinese Breach of Telecom Networks (news article)
• November 07, 2024 – Trend Micro: Breaking Down Earth Estries' Persistent TTPs in Prolonged Cyber Operations
• October 25, 2024 – Wall Street Journal: Chinese Hackers Targeted Phones of Trump, Vance, and Harris Campaign (news article)
• October 25, 2024 – CISA: Joint Statement by FBI and CISA on PRC Activity Targeting Telecommunications (not explicitly mentioned)
• October 11, 2024 – Washington Post: White House forms emergency team to deal with China espionage hack (news article)
• October 04, 2024 – Wall Street Journal: U.S. Wiretap Systems Targeted in China-Linked Hack (news article)
• September 25, 2024 – Wall Street Journal: China-Linked Hackers Breach U.S. Internet Providers in New 'Salt Typhoon' Cyberattack (news article)
• September 05, 2024 – Kaspersky: Tropic Trooper spies on government entities in the Middle East
• July 17, 2024 – Sygnia: The Return of Ghost Emperor's Demodex

2023

• August 30, 2023 – Trend Micro: Earth Estries Targets Government, Tech for Cyberespionage

2022

• February 28, 2022 – NCSC-UK: Malware Analysis Report: SparrowDoor (PDF)

2021

• December 14, 2021 – Trend Micro: Collecting In the Dark: Tropic Trooper Targets Transportation and Government (archive of dead link)
• October 19, 2021 – CrowdStrike: LIMINAL PANDA: A Roaming Threat to Telecommunications Companies
• September 30, 2021 – Kaspersky: GhostEmperor: From ProxyLogon to kernel mode
• September 23, 2021 – ESET: FamousSparrow: A suspicious hotel guest

2020

• May 12, 2020 – Trend Micro: Tropic Trooper's Back: USBferry Attack Targets Air-gapped Environments (archive of dead link)
• April 30, 2020 – Anomali: Anomali Suspects that China-Backed APT Pirate Panda May Be Seeking Access to Vietnam Government Data Center

2018

• August 08, 2018 – Citizen Lab: Familiar Feeling: A Malware Campaign Targeting the Tibetan Diaspora Resurfaces
• March 14, 2018 – Trend Micro: Tropic Trooper’s New Strategy

2017

• November 16, 2017 – Lookout: Tropic Trooper Goes Mobile With Titan Surveillanceware
• February 11, 2017 – PwC: The KeyBoys are back in town (archive of dead link)

2016

• November 22, 2016 – Unit 42: Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy
• November 17, 2016 – Citizen Lab: It’s Parliamentary: KeyBoy and the targeting of the Tibetan Community

2015

• May 14, 2015 – Trend Micro: Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers (PDF)

2013

• June 13, 2013 – Cisco: Scope of 'KeyBoy' Targeted Malware Attacks
• June 07, 2013 – Rapid7: KeyBoy, Targeted Attacks against Vietnam and India (archive of dead link)

Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat