Salt Typhoon
Country: People's Republic of China
Organization: N/A
Objective: Espionage
Page Last Updated: October 26, 2024
Aliases:
- Earth Estries (Trend Micro)
- FamousSparrow (ESET, Fortinet)
- GhostEmperor (Kaspersky, Malpedia, Rapid7)
- Salt Typhoon (Microsoft)
- UNC2286 (Mandiant)
Links to other groups
- DRBControl (PDF, Source: ESET)
- SparklingGoblin (subset of "Winnti", Source: ESET)
- Tropic Trooper (Source: Kaspersky)
- UNC4841 (Source: Mandiant)
Vulnerabilities Exploited
- ProxyLogon (Sources: ESET, Kaspersky, Sygnia):
- CVE-2021-26855 (9.8 critical, in CISA's KEV Catalog) Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2021-26857 (7.8 high, in CISA's KEV Catalog) Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2021-26858 (7.8 high, in CISA's KEV Catalog) Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2021-27065 (7.8 high, in CISA's KEV Catalog) Microsoft Exchange Server Remote Code Execution Vulnerability
- unidentified Microsoft SharePoint and Oracle Opera business software vulnerabilities (Source: ESET)
- CVE-2017-11882 (7.8 high, in CISA's KEV Catalog. Note: associated with alias Tropic Trooper) Microsoft Office Memory Corruption Vulnerability Source: Trend Micro
- CVE-2012-0158 (8.8 high, in CISA's KEV Catalog. Note: associated with alias Tropic Trooper, KeyBoy) Microsoft MSCOMCTL.OCX Remote Code Execution Vulnerability Sources: Unit 42, Citizen Lab
- CVE-2017-0199 (7.8 high, in CISA's KEV Catalog. Note: associated with alias Tropic Trooper) Microsoft Office and WordPad Remote Code Execution Vulnerability Source: Citizen Lab
- CVE-2015-1641 (7.8 high, in CISA's KEV Catalog. Note: associated with alias KeyBoy) Microsoft Office Memory Corruption Vulnerability Source: Citizen Lab
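The ProxyLogon entries above are the only exploitation the sources tie directly to this actor, so a practitioner reading this page will usually want the corresponding check. Microsoft's public guidance for CVE-2021-26855 names one indicator in the Exchange HttpProxy logs: a request with an empty AuthenticatedUser whose AnchorMailbox has the form ServerInfo~*/*. The script below is an added example, not code from this page or from Microsoft; it parses a constructed log sample in that file's comment-plus-CSV shape (real logs carry many more columns, and the sample paths, addresses and mailbox names are invented) and reports the matching rows per source address.

```python
import csv
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the shape of an Exchange HttpProxy log. Real logs live
# under %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy and carry
# many more columns; only the fields this check reads are kept here.
SAMPLE_HTTPPROXY_LOG = r"""#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,ClientIpAddress,UrlHost,UrlStem,AuthenticatedUser,AnchorMailbox,HttpStatus
2021-03-02T03:14:07.118Z,10.0.0.25,mail.example.test,/owa/auth/logon.aspx,,,200
2021-03-02T03:14:09.402Z,10.0.0.25,mail.example.test,/owa/,EXAMPLE\jdoe,jdoe@example.test,200
2021-03-02T03:15:41.903Z,203.0.113.9,mail.example.test,/autodiscover/autodiscover.xml,,ServerInfo~a]@example.test:444/autodiscover/autodiscover.xml?#,200
2021-03-02T03:16:02.552Z,203.0.113.9,mail.example.test,/ecp/y.js,,ServerInfo~a]@example.test:444/ecp/?#,200
2021-03-02T03:18:55.000Z,10.0.0.31,mail.example.test,/ews/exchange.asmx,EXAMPLE\svc-backup,svc-backup@example.test,200
"""

# Prefix of the AnchorMailbox value in Microsoft's published indicator (ServerInfo~*/*).
INDICATOR_PREFIX = "ServerInfo~"


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client_ip: str
    url_stem: str
    anchor_mailbox: str


def parse_httpproxy_log(text):
    """Yield one dict per request row, naming columns from the #Fields header.

    Lines starting with '#' are metadata; everything after the #Fields line is
    CSV data. Rows come back as dicts so the check does not depend on column
    order, which differs between Exchange builds.
    """
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if fields is None:
            raise ValueError("data row encountered before the #Fields header")
        values = next(csv.reader([line]))
        yield dict(zip(fields, values))


def find_proxylogon_hits(text):
    """Return rows matching the CVE-2021-26855 indicator: an empty
    AuthenticatedUser together with an AnchorMailbox of the form ServerInfo~*/*
    (the SSRF stage that the rest of the ProxyLogon chain builds on)."""
    hits = []
    for row in parse_httpproxy_log(text):
        anchor = row.get("AnchorMailbox", "")
        authenticated = row.get("AuthenticatedUser", "")
        if authenticated == "" and anchor.startswith(INDICATOR_PREFIX) and "/" in anchor:
            hits.append(Hit(row["DateTime"], row["ClientIpAddress"], row["UrlStem"], anchor))
    return hits


def hits_by_client(hits):
    """Count matching requests per source address, to pivot on during triage."""
    return dict(Counter(h.client_ip for h in hits))


if __name__ == "__main__":
    found = find_proxylogon_hits(SAMPLE_HTTPPROXY_LOG)
    for h in found:
        print(f"{h.timestamp} {h.client_ip} {h.url_stem} {h.anchor_mailbox}")
    print(hits_by_client(found))
```

Two caveats apply when running this against real logs. The indicator covers only the SSRF stage (CVE-2021-26855); the write and deserialization steps (CVE-2021-26857, -26858, -27065) leave their traces elsewhere, so Microsoft's Test-ProxyLogon.ps1 and a webshell sweep of the Exchange web directories remain the authoritative check. And HttpProxy logs rotate, so an empty result on a server that was exposed during March 2021 is not evidence that it was never hit.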
References
Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.
Links (Sorted in Chronological Order)
2024
- October 25, 2024 - Wall Street Journal: Chinese Hackers Targeted Phones of Trump, Vance, and Harris Campaign (news article)
- October 25, 2024 - CISA: Joint Statement by FBI and CISA on PRC Activity Targeting Telecommunications (Salt Typhoon not explicitly named)
- October 11, 2024 - Washington Post: White House forms emergency team to deal with China espionage hack (news article)
- October 04, 2024 - Wall Street Journal: U.S. Wiretap Systems Targeted in China-Linked Hack (news article)
- September 25, 2024 - Wall Street Journal: China-Linked Hackers Breach U.S. Internet Providers in New 'Salt Typhoon' Cyberattack (news article)
- September 05, 2024 - Kaspersky: Tropic Trooper spies on government entities in the Middle East
- July 17, 2024 - Sygnia: The Return of Ghost Emperor's Demodex
2023
- August 30, 2023 - Trend Micro: Earth Estries Targets Government, Tech for Cyberespionage
2022
- February 28, 2022 - NCSC-UK: Malware Analysis Report: SparrowDoor (PDF)
2021
- December 14, 2021 - Trend Micro: Collecting In the Dark: Tropic Trooper Targets Transportation and Government (archive of dead link)
- September 30, 2021 - Kaspersky: GhostEmperor: From ProxyLogon to kernel mode
- September 23, 2021 - ESET: FamousSparrow: A suspicious hotel guest
2020
- May 12, 2020 - Trend Micro: Tropic Trooper's Back: USBferry Attack Targets Air-gapped Environments (archive of dead link)
- April 30, 2020 - Anomali: Anomali Suspects that China-Backed APT Pirate Panda May Be Seeking Access to Vietnam Government Data Center
2018
- August 08, 2018 - Citizen Lab: Familiar Feeling: A Malware Campaign Targeting the Tibetan Diaspora Resurfaces
- March 14, 2018 - Trend Micro: Tropic Trooper's New Strategy
2017
- November 16, 2017 - Lookout: Tropic Trooper Goes Mobile With Titan Surveillanceware
- February 11, 2017 - PwC: The KeyBoys are back in town (archive of dead link)
2016
- November 22, 2016 - Unit 42: Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy
- November 17, 2016 - Citizen Lab: It's Parliamentary: KeyBoy and the targeting of the Tibetan Community
2015
- May 14, 2015 - Trend Micro: Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers (PDF)
2013
- June 13, 2013 - Cisco: Scope of 'KeyBoy' Targeted Malware Attacks
- June 07, 2013 - Rapid7: KeyBoy, Targeted Attacks against Vietnam and India (archive of dead link)
Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat