Lessons Learned From The Salt Typhoon Hacks

Uploaded on 2025-02-04 in TECHNOLOGY--Hackers, INTELLIGENCE-Hot Spots-China, FREE TO VIEW

Over the past few months, the Salt Typhoon hacks have taken the US by storm, as Chinese hackers were able to access the private communications of numerous high-profile figures by breaching US telecommunications companies’ cybersecurity systems. It is important to note these did not appear unexpectedly, with the first hacks traced back to 2022.

So how were the hackers able to stay undetected for so long, and what can be done to prevent this sort of thing happening in the future?

A Global Problem

While the Salt Typhoon hacks targeted the US telecommunications industry, including the US Treasury Department, this is a global problem that could have affected anyone, and will in the future. Any organisation, especially critical infrastructure, is vulnerable to cyberattacks. It is not a matter of ‘if’ but ‘when’, and organisations need to take cybersecurity more seriously to protect themselves.
 
While the US sanctions imposed on the Chinese company behind the attacks may stop some similar hacks from happening, it is an unfortunate reality that cyberattacks are happening every day, and businesses must protect their networks from threats. That includes businesses of all sizes, but is especially pertinent to critical infrastructure organisations, who hold swathes of private information from a broad spectrum of individuals. While the public may not be privy to the cybersecurity measures that specific companies had implemented, industry trends indicate that not enough was done beforehand to stop an attack - with at least nine different companies known to have been compromised by an attack.

A Proactive Approach

A cybersecurity strategy that relies on detection is not enough. The approach of waiting for something bad to happen and detecting it is outdated and doesn’t adequately protect organisations from an ever-changing threat landscape, where hackers are using increasingly novel methods to hack systems and the barrier to entry is lower, as technology makes it easier than ever for people with no coding experience to become cybercriminals. While that may sound quite bleak, by using a more proactive approach - knowing every single application running in your environment and having the ability to control what each of them can do - it becomes significantly harder for threat actors to cause damage to your organisation.

The Salt Typhoon hacks took nearly three years to detect, which is an issue. By adopting Zero Trust, which is central to ThreatLockers approach, businesses are in a better position to stop these attacks from happening in the first place, rather than relying on detection - a tactic that is clearly not working. 
 
There were several threat actors that fell under the family name of Typhoon, including Volt Typhoon, which focused on persistence and stealth, and targeted critical infrastructure, and Flax Typhoon, which focused on attack infrastructure and built botnets from compromised Internet of Things (IoT) devices. Hackers by nature are creative, and it is impossible to try and be aware of all the different methods they use to gain access to data as it is constantly changing, so it is clear a different approach is needed.

Zero Trust Is The Only Effective Solution

With that in mind, businesses, government agencies and any organisation that may be targeted by a cyberattack, need to rethink their strategies. The status quo is no longer enough. By adopting strict Zero Trust - or default-deny - controls, organizations significantly harden their environments. This will help in both stopping breaches and discovering breaches. Many companies do not know what is running in their environment until something catastrophic happens. No business can afford to take those risks - especially critical infrastructure companies who are handling gargantuan amounts of customer data.

The Salt Typhoon hacking group has been utilising several backdoors in order to gain access to the telecommunication service providers they targeted. One of those is a new ‘GhostSpider’ backdoor, but they’ve also used previously documented strategies such as the Linux backdoor ‘Masol RAT’, a rootkit called ‘Demodex’ and ‘SnappyBee’, a modular backdoor that has been widely shared amongst Chinese Advanced Persistent Threat (APT) groups. ThreatLockers Zero Trust defences would have blocked these by default, so these businesses that were targeted wouldn’t have ever been exposed to these attacks, let alone for a prolonged period.

 Conclusion

Relying on detection is not enough. It is vital to understand that these attacks happened over a number of years before they were discovered and eliminated.

Rather than detecting attacks years after hackers have breached an organisation, after exposing their data over prolonged periods of time, businesses need to be on the front foot and stopping these attacks at the source.
 
Zero Trust is the only way businesses can take a grasp of their environment and run strict controls over what each of their applications is allowed to access. Control the controllables - while it might be impossible to eradicate all threats and achieve a totally secure environment, by taking a Zero Trust approach you minimise the risk to your business - and your customers.

Danny Jenkins is CEO & Co-Founder at ThreatLocker

Image: design master

You Might Also Read: 

The Impact Of Geopolitical Dynamics On The Evolving Cybersecurity Landscape:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« New Laws To Prevent Using AI To Generate Sexual Images
New Study From Gen Reveals Over 600% Rise in 'Scam-Yourself' Attacks »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Brookings Institution

Brookings Institution

The Brookings Institution is a nonprofit public policy organization. Cyber security is covered within the various study areas.

FinalCode

FinalCode

FinalCode offers a file encryption and file-based enterprise digital rights management (eDRM) platform.

Professional Insurance Agents (PIA)

Professional Insurance Agents (PIA)

Professional Insurance Agents (PIA) offer commercial insurance services including Cyber Liability insurance.

D3 Security

D3 Security

D3's Smart SOAR platform is at the forefront of the security automation revolution, helping clients around the world to rapidly identify, analyze, and resolve advanced threats.

Cyacomb

Cyacomb

Cyacomb (formerly Cyan Forensics) provides digital forensics software to help police forces find evidence on computers many times faster than before.

Intertrust Technologies

Intertrust Technologies

Intertrust Technologies is a software company specializing in trusted computing products and services.

Amadeus Capital Partners

Amadeus Capital Partners

Amadeus Capital Partners offers over 20 years’ experience in technology investment. Our areas of focus include AI & machine learning and cyber security.

World Informatix Cyber Security (WICS)

World Informatix Cyber Security (WICS)

World Informatix Cyber Security provides a range of cyber security services to protect valuable information assets to global business and governments.

CYMOTIVE Technologies

CYMOTIVE Technologies

Combining Israeli cyber innovation with a century of German automotive engineering. CYMOTIVE operates under the assumption that connectivity is a game changer for the automotive industry.

Ostendio

Ostendio

Ostendio is a cybersecurity and information management solutions provider that develops affordable compliance solutions for digital health companies and other regulated entities.

GLIMPS

GLIMPS

GLIMPS-Malware automatically detects malware affecting standard computer systems, manufacturing systems, IOT or automotive domains.

Convergence Networks

Convergence Networks

Convergence Networks is one of North America's leading Managed Services & Security Providers.

Alchemy Security Consulting

Alchemy Security Consulting

Alchemy Security Consulting specialise in offensive and defensive cyber security. We find the weak link in your security so you can patch it up fast and avoid being hacked.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

M7 Services

M7 Services

M7 Services are a comprehensive Managed Services Provider (MSP) with a focus on delivering cutting-edge information technology solutions and unparalleled customer service.

EK3 Technologies

EK3 Technologies

EK3 Technologies mission is to provide comprehensive cybersecurity and IT solutions that allow our clients to focus on sustaining their business.