Lessons Learned From The Salt Typhoon Hacks

Uploaded on 2025-02-04 in TECHNOLOGY--Hackers, INTELLIGENCE-Hot Spots-China, FREE TO VIEW

Over the past few months, the Salt Typhoon hacks have taken the US by storm, as Chinese hackers were able to access the private communications of numerous high-profile figures by breaching US telecommunications companies’ cybersecurity systems. It is important to note these did not appear unexpectedly, with the first hacks traced back to 2022.

So how were the hackers able to stay undetected for so long, and what can be done to prevent this sort of thing happening in the future?

A Gobal Problem

While the Salt Typhoon hacks targeted the US telecommunications industry, including the US Treasury Department, this is a global problem that could have affected anyone, and will in the future. Any organisation, especially critical infrastructure, is vulnerable to cyberattacks. It is not a matter of ‘if’ but ‘when’, and organisations need to take cybersecurity more seriously to protect themselves.
 
While the US sanctions imposed on the Chinese company behind the attacks may stop some similar hacks from happening, it is an unfortunate reality that cyberattacks are happening every day, and businesses must protect their networks from threats. That includes businesses of all sizes, but is especially pertinent to critical infrastructure organisations, who hold swathes of private information from a broad spectrum of individuals. While the public may not be privy to the cybersecurity measures that specific companies had implemented, industry trends indicate that not enough was done beforehand to stop an attack - with at least nine different companies known to have been compromised by an attack.

A Proactive Approach

A cybersecurity strategy that relies on detection is not enough. The approach of waiting for something bad to happen and detecting it is outdated and doesn’t adequately protect organisations from an ever-changing threat landscape, where hackers are using increasingly novel methods to hack systems and the barrier to entry is lower, as technology makes it easier than ever for people with no coding experience to become cybercriminals. While that may sound quite bleak, by using a more proactive approach - knowing every single application running in your environment and having the ability to control what each of them can do - it becomes significantly harder for threat actors to cause damage to your organisation.

The Salt Typhoon hacks took nearly three years to detect, which is an issue. By adopting Zero Trust, which is central to ThreatLockers approach, businesses are in a better position to stop these attacks from happening in the first place, rather than relying on detection - a tactic that is clearly not working. 
 
There were several threat actors that fell under the family name of Typhoon, including Volt Typhoon, which focused on persistence and stealth, and targeted critical infrastructure, and Flax Typhoon, which focused on attack infrastructure and built botnets from compromised Internet of Things (IoT) devices. Hackers by nature are creative, and it is impossible to try and be aware of all the different methods they use to gain access to data as it is constantly changing, so it is clear a different approach is needed.

Zero Trust Is The Only Effective Solution

With that in mind, businesses, government agencies and any organisation that may be targeted by a cyberattack, need to rethink their strategies. The status quo is no longer enough. By adopting strict Zero Trust - or default-deny - controls, organizations significantly harden their environments. This will help in both stopping breaches and discovering breaches. Many companies do not know what is running in their environment until something catastrophic happens. No business can afford to take those risks - especially critical infrastructure companies who are handling gargantuan amounts of customer data.

The Salt Typhoon hacking group has been utilising several backdoors in order to gain access to the telecommunication service providers they targeted. One of those is a new ‘GhostSpider’ backdoor, but they’ve also used previously documented strategies such as the Linux backdoor ‘Masol RAT’, a rootkit called ‘Demodex’ and ‘SnappyBee’, a modular backdoor that has been widely shared amongst Chinese Advanced Persistent Threat (APT) groups. ThreatLockers Zero Trust defences would have blocked these by default, so these businesses that were targeted wouldn’t have ever been exposed to these attacks, let alone for a prolonged period.

 Conclusion

Relying on detection is not enough. It is vital to understand that these attacks happened over a number of years before they were discovered and eliminated.

Rather than detecting attacks years after hackers have breached an organisation, after exposing their data over prolonged periods of time, businesses need to be on the front foot and stopping these attacks at the source.
 
Zero Trust is the only way businesses can take a grasp of their environment and run strict controls over what each of their applications is allowed to access. Control the controllables - while it might be impossible to eradicate all threats and achieve a totally secure environment, by taking a Zero Trust approach you minimise the risk to your business - and your customers.

Danny Jenkins is CEO & Co-Founder at ThreatLocker

Image: design master

You Might Also Read: 

The Impact Of Geopolitical Dynamics On The Evolving Cybersecurity Landscape:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« British Engineering Company Attacked

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Computer & Communications Industry Association (CCIA)

Computer & Communications Industry Association (CCIA)

CCIA supports efforts to facilitate and streamline information sharing on cyber threats between the private sector and the Federal Government.

S2 Grupo

S2 Grupo

S2 Grupo is the benchmark company in Europe and Latin America, for Cyber Intelligence and mission critical systems operations.

Center for Cyber Safety and Education

Center for Cyber Safety and Education

The Center for Cyber Safety and Education works to ensure that people across the globe have a positive and safe experience online through our educational programs, scholarships, and research.

Cyberra Legal Services (CLS)

Cyberra Legal Services (CLS)

Cyberra Legal Services provides cyber law advisory, cyber crime consultancy, cyber law compliance audit, cyber security, cyber forensics and cyber training services.

miniOrange

miniOrange

miniOrange is a cloud and on-premise based identity and access management (IAM) solution provider.

CloudMask

CloudMask

CloudMask patent technology provides Dynamic Data Masking (DDM) that masks sensitive data, structured or non-structured, in real-time.

KIOS Center of Excellence (KIOS CoE)

KIOS Center of Excellence (KIOS CoE)

KIOS carries out top level research in the area of Information and Communication Technologies (ICT) with emphasis on the Monitoring, Control and Security of Critical Infrastructures.

Czech Accreditation Institute

Czech Accreditation Institute

Czech Accreditation Institute is the national accreditation body for the Czech Republic. The directory of members provides details of organisations offering certification services for ISO 27001.

Cybersecurity Defense Initiative (CDI) - University of Arkansas

Cybersecurity Defense Initiative (CDI) - University of Arkansas

The Cybersecurity Defense Initiative is a national cybersecurity training program, developed for technical personnel and managers who monitor and protect our nation's critical cyber infrastructures.

AXELOS

AXELOS

AXELOS develops best practice frameworks and methodologies used globally by professionals working primarily in IT management and cyber resilience.

DeFY Security

DeFY Security

DeFY Security is a Cyber Security solutions provider with more than 20 years of experience securing financial institutions, healthcare, manufacturing and retail.

iSTORM

iSTORM

iStorm specialise in supporting organisations who require a range of Privacy, Security and Penetration testing related services.

Gulf Business Machines (GBM)

Gulf Business Machines (GBM)

GBM is a leading end-to-end digital solutions provider, offering the broadest portfolio, including industry-leading digital infrastructure, digital business solutions, security and services.

Iron Mountain

Iron Mountain

Iron Mountain Incorporated is a global business dedicated to storing, protecting and managing, information and assets.

ABPGroup

ABPGroup

ABPGroup is Asia’s leading cybersecurity technology provider focusing on providing best-of-breed solutions that address today’s pressing challenges.

Information Security Society of Africa – Nigeria (ISSAN)

Information Security Society of Africa – Nigeria (ISSAN)

The Information Security Society of Africa – Nigeria (ISSAN) is a not-for-profit organization dedicated to the protection of Nigeria’s cyberspace.