Lessons Learned From The Salt Typhoon Hacks

Uploaded on 2025-02-04 in TECHNOLOGY--Hackers, INTELLIGENCE-Hot Spots-China, FREE TO VIEW

Over the past few months, the Salt Typhoon hacks have taken the US by storm, as Chinese hackers were able to access the private communications of numerous high-profile figures by breaching US telecommunications companies’ cybersecurity systems. It is important to note these did not appear unexpectedly, with the first hacks traced back to 2022.

So how were the hackers able to stay undetected for so long, and what can be done to prevent this sort of thing happening in the future?

A Global Problem

While the Salt Typhoon hacks targeted the US telecommunications industry, including the US Treasury Department, this is a global problem that could have affected anyone, and will in the future. Any organisation, especially critical infrastructure, is vulnerable to cyberattacks. It is not a matter of ‘if’ but ‘when’, and organisations need to take cybersecurity more seriously to protect themselves.
 
While the US sanctions imposed on the Chinese company behind the attacks may stop some similar hacks from happening, it is an unfortunate reality that cyberattacks are happening every day, and businesses must protect their networks from threats. That includes businesses of all sizes, but is especially pertinent to critical infrastructure organisations, who hold swathes of private information from a broad spectrum of individuals. While the public may not be privy to the cybersecurity measures that specific companies had implemented, industry trends indicate that not enough was done beforehand to stop an attack - with at least nine different companies known to have been compromised by an attack.

A Proactive Approach

A cybersecurity strategy that relies on detection is not enough. The approach of waiting for something bad to happen and detecting it is outdated and doesn’t adequately protect organisations from an ever-changing threat landscape, where hackers are using increasingly novel methods to hack systems and the barrier to entry is lower, as technology makes it easier than ever for people with no coding experience to become cybercriminals. While that may sound quite bleak, by using a more proactive approach - knowing every single application running in your environment and having the ability to control what each of them can do - it becomes significantly harder for threat actors to cause damage to your organisation.

The Salt Typhoon hacks took nearly three years to detect, which is an issue. By adopting Zero Trust, which is central to ThreatLockers approach, businesses are in a better position to stop these attacks from happening in the first place, rather than relying on detection - a tactic that is clearly not working. 
 
There were several threat actors that fell under the family name of Typhoon, including Volt Typhoon, which focused on persistence and stealth, and targeted critical infrastructure, and Flax Typhoon, which focused on attack infrastructure and built botnets from compromised Internet of Things (IoT) devices. Hackers by nature are creative, and it is impossible to try and be aware of all the different methods they use to gain access to data as it is constantly changing, so it is clear a different approach is needed.

Zero Trust Is The Only Effective Solution

With that in mind, businesses, government agencies and any organisation that may be targeted by a cyberattack, need to rethink their strategies. The status quo is no longer enough. By adopting strict Zero Trust - or default-deny - controls, organizations significantly harden their environments. This will help in both stopping breaches and discovering breaches. Many companies do not know what is running in their environment until something catastrophic happens. No business can afford to take those risks - especially critical infrastructure companies who are handling gargantuan amounts of customer data.

The Salt Typhoon hacking group has been utilising several backdoors in order to gain access to the telecommunication service providers they targeted. One of those is a new ‘GhostSpider’ backdoor, but they’ve also used previously documented strategies such as the Linux backdoor ‘Masol RAT’, a rootkit called ‘Demodex’ and ‘SnappyBee’, a modular backdoor that has been widely shared amongst Chinese Advanced Persistent Threat (APT) groups. ThreatLockers Zero Trust defences would have blocked these by default, so these businesses that were targeted wouldn’t have ever been exposed to these attacks, let alone for a prolonged period.

 Conclusion

Relying on detection is not enough. It is vital to understand that these attacks happened over a number of years before they were discovered and eliminated.

Rather than detecting attacks years after hackers have breached an organisation, after exposing their data over prolonged periods of time, businesses need to be on the front foot and stopping these attacks at the source.
 
Zero Trust is the only way businesses can take a grasp of their environment and run strict controls over what each of their applications is allowed to access. Control the controllables - while it might be impossible to eradicate all threats and achieve a totally secure environment, by taking a Zero Trust approach you minimise the risk to your business - and your customers.

Danny Jenkins is CEO & Co-Founder at ThreatLocker

Image: design master

You Might Also Read: 

The Impact Of Geopolitical Dynamics On The Evolving Cybersecurity Landscape:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« New Laws To Prevent Using AI To Generate Sexual Images
New Study From Gen Reveals Over 600% Rise in 'Scam-Yourself' Attacks »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Riverbed Technology

Riverbed Technology

The Riverbed Network and Application Performance Platform enables organizations to visualize, optimize, accelerate and remediate the performance of any network for any application.

Cysec Resource Co (CRC)

Cysec Resource Co (CRC)

We offer expertise in information and cyber security, sourcing individuals and teams who provide information security expertise to the public and private sector.

France Cybersecurity

France Cybersecurity

France Cybersecurity represents the French cybersecurity industry to raise international awareness of French cybersecurity capabilities and solutions.

CSIS Security Group

CSIS Security Group

CSIS provide actionable threat intelligence, prevention, incident response and 24/7 managed security services.

AllClear ID

AllClear ID

AllClear ID provides products and services that help protect people and their personal information from threats related to identity theft.

Aviva

Aviva

Aviva provides Cyber Liability cover for small to mid-market customers to help combat the threat of data and privacy breach.

Lineal Services

Lineal Services

Lineal supports clients in meeting their digital forensics, cyber security and eDiscovery needs by providing bespoke solutions to complex problems.

Westminster Insight - Cyber Security Conference

Westminster Insight - Cyber Security Conference

Join colleagues this December for Westminster Insight’s Cyber Security Conference, as you’ll assess how new technologies such as AI can secure your organisation against future threats.

ThriveDX

ThriveDX

ThriveDX, the world’s premier EdTech provider (formerly HackerU), champions digital transformation training as a means of empowering individuals to thrive in the age of digital disruption.

DNX Ventures

DNX Ventures

Based in Silicon Valley and Tokyo, DNX Ventures is an early stage VC for B2B startups in sectors including Cybersecurity.

Brennan IT

Brennan IT

For over 25 years, Brennan’s expert team has helped businesses achieve real success through innovative and secure technology solutions.

Theos Cyber Solutions

Theos Cyber Solutions

Theos Cyber provides service-first cybersecurity solutions to digital businesses in Asia.

CentriVault

CentriVault

CentriVault is a leading independent provider of Cyber Security and Data protection services to small and medium enterprises (SMEs).

Ofcom

Ofcom

Ofcom is the UK's communications regulator. We regulate the TV, radio and video on demand sectors, fixed line telecoms, mobiles, postal services, plus the airwaves over which wireless devices operate.

DeltaSpike

DeltaSpike

DeltaSpike empowers individuals and organizations worldwide through its comprehensive cybersecurity solutions.

CodeShield

CodeShield

CodeShield is a SaaS that helps software developers and security teams secure IAM in the public cloud. With us, you detect IAM privilege escalations easily and achieve least privilege.