Background
Salt Typhoon is a PRC-affiliated cyber espionage group that gained widespread public attention in late 2024 when it was revealed to have deeply compromised multiple major U.S. telecommunications providers. The group has been tracked under various names by different security vendors since at least 2019 -- Kaspersky identified the group as GhostEmperor in 2021, ESET tracked related activity as FamousSparrow, and Trend Micro documented operations under the name Earth Estries. Microsoft consolidated these clusters under the Salt Typhoon designation as part of its weather-themed naming convention for Chinese threat actors.
Salt Typhoon is assessed to operate under the auspices of the PRC's Ministry of State Security (MSS), China's primary civilian intelligence agency. The group's targeting profile strongly suggests an intelligence collection mission focused on communications surveillance -- gaining access to the infrastructure that carries phone calls, text messages, and internet traffic for millions of people. This positions them to conduct signals intelligence operations that would traditionally require state-level interception capabilities.
The group exhibits a high degree of technical sophistication, employing kernel-level rootkits, custom backdoors, and zero-day exploits. Unlike Volt Typhoon's living-off-the-land approach, Salt Typhoon deploys an extensive custom toolset designed for deep and persistent access to high-value targets. The group's operations reflect long-term strategic intelligence collection objectives rather than opportunistic or financially motivated campaigns.
Notable Campaigns
U.S. Telecommunications Compromise (2024): In what became one of the most significant cyber espionage disclosures in recent history, Salt Typhoon was revealed to have compromised at least nine major U.S. telecommunications companies including AT&T, Verizon, T-Mobile, and Lumen Technologies. The actors gained access to call detail records for millions of Americans and, in a smaller number of cases, intercepted actual call and text content. Critically, the group also accessed systems used to process court-authorized wiretap requests under CALEA (Communications Assistance for Law Enforcement Act), potentially revealing which individuals were under U.S. government surveillance.
GhostEmperor ProxyLogon Exploitation (2021): Kaspersky documented Salt Typhoon (as GhostEmperor) exploiting Microsoft Exchange ProxyLogon vulnerabilities (CVE-2021-26855 and related CVEs) to deploy the Demodex kernel-mode rootkit. Targets included government entities and telecommunications companies in Southeast Asia, Central Asia, and the Middle East. The Demodex rootkit operated at the kernel level, making it invisible to most security tools.
FamousSparrow Hotel and Government Targeting (2019-2021): ESET tracked the group targeting hotels, governments, and international organizations worldwide. The campaign exploited public-facing web applications, including SharePoint (CVE-2019-0604) and the ProxyLogon Exchange vulnerabilities, to deploy the SparrowDoor backdoor. Victims included a governmental institution in the Middle East, hotels in multiple countries, and an international organization in Canada.
Earth Estries Government and Technology Espionage (2023): Trend Micro documented campaigns targeting government agencies and technology companies in the Philippines, Taiwan, Malaysia, South Africa, Germany, and the United States. The group deployed multiple custom backdoors including Zingdoor, HemiGate, and CrowDoor, using DLL sideloading and novel persistence mechanisms.
Tactics, Techniques & Procedures
Salt Typhoon typically gains initial access by exploiting vulnerabilities in public-facing applications, with a particular focus on Microsoft Exchange servers, Cisco networking equipment, and other edge infrastructure. The group was among the fastest adopters of the ProxyLogon and ProxyShell Exchange vulnerabilities and has demonstrated the ability to exploit zero-day vulnerabilities in network equipment used by telecommunications providers.
Once inside a network, the group deploys web shells -- frequently variants of China Chopper -- as an initial persistence mechanism. From there, Salt Typhoon escalates to deploying custom backdoors and rootkits. The group uses sophisticated DLL sideloading techniques, abusing legitimate signed executables to load malicious payloads and evade application whitelisting controls.
Credential harvesting is a priority, with the group using Mimikatz and custom tools to extract credentials from memory, registry hives, and Active Directory. In telecommunications environments, Salt Typhoon specifically targets systems that manage subscriber data, call routing, and lawful intercept infrastructure, reflecting their intelligence collection mission.
For lateral movement, the group leverages valid credentials combined with SMB, WMI, and PsExec. They move methodically through the network, mapping out high-value systems before deploying persistent implants. In telecommunications provider networks, they specifically seek access to routers, switches, and the infrastructure that handles call detail records and message routing.
Data exfiltration is conducted over encrypted channels, often over the same infrastructure used for command and control (C2). The group has been observed staging data in compressed and encrypted archives before exfiltration, and it uses legitimate cloud services and compromised infrastructure as relay points.
Tools & Malware
- Demodex Rootkit -- A sophisticated kernel-mode rootkit that provides persistent, stealthy access to compromised systems. Uses a loading chain that exploits a vulnerable signed driver to load unsigned kernel code, bypassing Driver Signature Enforcement.
- SparrowDoor -- A modular backdoor exclusive to this group, capable of file operations, shell access, process manipulation, and proxy functionality. Later versions added parallel command handling and improved encryption.
- TrillClient -- A custom information stealer designed to harvest browser data, credentials, and specific files of intelligence interest from compromised systems.
- HemiGate -- A multi-instance backdoor that supports file management, shell access, keylogging, and screen capture. Uses different instances for different functions to compartmentalize operations.
- Zingdoor -- An HTTP-based backdoor written in Go, designed for cross-platform compatibility. Supports command execution, file transfer, and data compression using custom algorithms.
- CrowDoor -- A stealthy backdoor focused on anti-detection, using legitimate cloud services for C2 communications to blend in with normal traffic.
- GhostRAT (Gh0st RAT variant) -- A customized version of the widely shared Chinese RAT, modified with enhanced encryption and communication protocols.
- China Chopper -- Lightweight web shell used for initial access persistence on compromised web servers.
- Cobalt Strike -- Commercial penetration testing framework, used with customized loaders to avoid detection.
- Mimikatz -- Open-source credential harvesting tool used extensively for privilege escalation and lateral movement.
Indicators & Detection
Network Infrastructure Monitoring: Telecommunications providers and ISPs should implement comprehensive monitoring of their management plane infrastructure. Look for unauthorized configuration changes on routers and switches, unexpected tunnels or GRE sessions, and anomalous access to lawful intercept and call detail record systems.
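One concrete form of the configuration monitoring described above is a baseline check for tunnel interfaces. The following is an added example, not tooling from any vendor or from the original page: it parses a constructed IOS-style running-config excerpt and reports tunnels whose (interface, destination) pair is absent from a hypothetical change-control baseline.

```python
"""Flag tunnel interfaces in a router config that are missing from the approved
baseline. Added example: the IOS-style config is constructed, the baseline is hypothetical."""
import re

# Constructed IOS-style running-config excerpt (not from any real device).
RUNNING_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
interface Tunnel0
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.200
 tunnel mode gre ip
!
interface Tunnel7
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.77
 tunnel mode gre ip
!
"""

# Hypothetical baseline: (interface, destination) pairs approved via change control.
APPROVED_TUNNELS = {("Tunnel0", "192.0.2.200")}

def parse_tunnels(config):
    """Return {name: {"destination": ..., "mode": ...}} for each Tunnel stanza."""
    tunnels, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:  # new interface stanza; only track Tunnel interfaces
            current = m.group(1) if m.group(1).startswith("Tunnel") else None
            if current:
                tunnels[current] = {"destination": None, "mode": None}
            continue
        if current is None:
            continue
        m = re.match(r"^\s+tunnel destination (\S+)", line)
        if m:
            tunnels[current]["destination"] = m.group(1)
        m = re.match(r"^\s+tunnel mode (.+?)\s*$", line)
        if m:
            tunnels[current]["mode"] = m.group(1)
    return tunnels

def unexpected_tunnels(config, approved):
    """Names of tunnels on the device whose (name, destination) pair is not approved."""
    return sorted(name for name, info in parse_tunnels(config).items()
                  if (name, info["destination"]) not in approved)
```

Run it against each device's periodically collected running-config; any name it returns is a tunnel that bypassed change management and deserves investigation.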
Exchange and Edge Device Hardening: Given Salt Typhoon's repeated exploitation of Exchange servers and network appliances, organizations must prioritize patching these systems. Monitor for web shell deployment, unexpected IIS worker process behavior, and suspicious DLL loading in Exchange-related directories.
Kernel Integrity Monitoring: The Demodex rootkit highlights the need for kernel-level integrity monitoring. Deploy solutions that can detect unsigned kernel drivers, unexpected kernel modules, and the use of known vulnerable drivers for bring-your-own-vulnerable-driver (BYOVD) attacks.
DLL Sideloading Detection: Monitor for legitimate signed executables loading DLLs from unexpected locations. Track DLL load events and alert when known-sideloadable executables launch from temporary directories or user-writable paths.
Encrypted Traffic Analysis: While content inspection of encrypted traffic is not always feasible, metadata analysis can reveal anomalies. Monitor for unusual certificate chains, unexpected TLS connections from server infrastructure, connections to known compromised infrastructure, and JA3/JA3S fingerprint anomalies.
Privileged Access Monitoring: Implement strict monitoring of accounts with access to telecommunications infrastructure management systems, subscriber databases, and lawful intercept platforms. Any access outside of established change windows or from unexpected source addresses should trigger immediate investigation.