data breaches

Chinese State-Linked Hackers Target U.S. Internet Providers in Latest Cyber Espionage Campaign

Published

on

In a concerning escalation of cyber espionage, a sophisticated group of hackers backed by China, known as “Salt Typhoon” or GhostEmperor, has been found infiltrating U.S. internet service providers (ISPs). This cyber campaign, attributed to state-sponsored actors, is indicative of a growing pattern of Chinese interest in U.S. critical infrastructure. The group gained unauthorized access to multiple ISPs, attempting to establish a persistent presence within these vital networks to gather intelligence, control data, and potentially disrupt essential services.

Who is Salt Typhoon / GhostEmperor?

Salt Typhoon, also called GhostEmperor, is part of a cohort of highly skilled cyber actors linked to the Chinese government. Known for its stealth, GhostEmperor uses advanced malware and tools to maintain hidden access to compromised systems. The group first gained significant attention in 2021 when cybersecurity experts from Kaspersky identified its operations targeting Southeast Asia, deploying a sophisticated rootkit called Demodex. GhostEmperor’s typical targets include government institutions, major infrastructure, and businesses within industries like telecommunications and technology.

The goal of Salt Typhoon’s attacks is to establish a foothold deep inside networks, allowing the group to operate undetected for long periods, siphoning off data or laying the groundwork for future attacks. This makes them particularly dangerous; they don’t just disrupt services but also potentially allow for ongoing surveillance and data exfiltration.

Details of the Recent Attack

The current attack, attributed to Salt Typhoon, has targeted a handful of U.S. ISPs by exploiting vulnerabilities within core network infrastructure, specifically targeting Cisco Systems routers. These routers play a critical role in managing internet traffic, and by compromising them, the attackers effectively gained access to much of the traffic flowing through these networks. This type of attack presents a national security concern, as ISPs are crucial to maintaining communication capabilities across the country.

Investigators, including cybersecurity teams from the affected ISPs and Microsoft’s threat intelligence division, believe the aim is to maintain a persistent presence. This persistent access allows Salt Typhoon to covertly harvest sensitive information, intercept communications, or disrupt services at critical times. This kind of intrusion allows attackers the ability to monitor network activities, extract information from data packets, and compromise the integrity of communication systems.

Microsoft has described the intrusion techniques used by Salt Typhoon as both advanced and evasive. The hackers are thought to have used zero-day vulnerabilities—flaws in systems that were previously unknown and, therefore, unpatched—making it exceptionally difficult for defenders to stop the breaches in real time.

History and Techniques of GhostEmperor

GhostEmperor is known for its use of customized rootkits and other tools designed to bypass detection by conventional security software. One of the notable tools in its arsenal is the Demodex rootkit, used to conceal malicious activities at the deepest levels of an infected machine. By gaining control at the kernel level (the core part of an operating system), the attackers can execute commands and control systems with minimal risk of detection.

The GhostEmperor group often uses command-and-control (C&C) servers to maintain contact with compromised devices. Once inside a network, the attackers plant malware to create backdoors—hidden entry points into systems—that provide ongoing access, allowing them to come and go undetected for extended periods.

This strategy was previously observed in attacks on countries like Malaysia, Vietnam, Thailand, and several others. These campaigns targeted government agencies, NGOs, and infrastructure, reflecting the broad scope of GhostEmperor’s objectives.

Recent Activity and Broader Implications

The latest campaign targeting U.S. ISPs is not an isolated incident. It comes amid a series of cyber attacks attributed to Chinese state-sponsored groups. Just days before the disclosure of this campaign, the U.S. government revealed it had disrupted a 260,000-device botnet called Raptor Train, controlled by another Chinese-linked group named Flax Typhoon. These botnets, often used for carrying out distributed denial-of-service (DDoS) attacks, also serve as a reminder of China’s capacity to harness enormous computing power for cyber operations.

The timing of these attacks aligns with increased geopolitical tensions and suggests a deliberate escalation by Beijing-backed cyber actors. By targeting ISPs, China-linked groups potentially gain access to valuable data, not only affecting individual users but also compromising the privacy and security of large-scale corporate and government communications.

The concern is not only the data that can be gathered but also the potential for manipulation. Access to ISP-level infrastructure means attackers could redirect traffic, intercept sensitive communications, and lay the groundwork for even more damaging future operations, such as shutting down parts of the internet during a critical incident.

Response from Authorities and Industry

The U.S. government has expressed growing alarm over the increasing frequency and sophistication of cyber attacks targeting critical infrastructure. As part of its response, the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) have been working alongside private companies, including Microsoft, to mitigate these threats. This collaboration involves sharing threat intelligence, rapidly patching vulnerabilities, and improving overall security postures across the industry.

Internet service providers are also being urged to implement stringent network segmentation—isolating different parts of their networks to limit the spread of any potential breach—as well as enhance their threat detection capabilities. Using artificial intelligence and machine learning to monitor network behavior can help identify anomalies that may indicate a security breach.

The Larger Cyber Conflict

The targeting of ISPs forms part of a larger strategy by China to gain strategic advantages over global adversaries through cyber warfare. Unlike traditional espionage, cyber operations can yield not just intelligence, but also opportunities to compromise the reliability and trustworthiness of communications infrastructure, potentially giving attackers leverage during geopolitical negotiations.

The current focus on critical infrastructure—telecoms, power grids, financial institutions—reflects the ongoing evolution in the tactics of state-sponsored actors. GhostEmperor, and other groups like it, represents a sophisticated blend of cybercriminal expertise and state resources, making them a significant challenge for cybersecurity professionals worldwide.

Conclusion

The recent infiltration of U.S. internet service providers by Salt Typhoon highlights a critical vulnerability in the nation’s infrastructure. As Chinese state-sponsored hackers become more adept at targeting key elements of communication networks, the risks to national security and economic stability grow. The response to such threats requires close collaboration between governments and private companies, rapid adaptation to emerging threats, and a robust commitment to securing the technology infrastructure that underpins the modern digital economy.

The actions of GhostEmperor underscore the critical need for constant vigilance, advanced defensive capabilities, and a coordinated global response to tackle the evolving landscape of cyber threats. As digital technologies continue to advance, so too must the efforts to protect them from those who seek to exploit their vulnerabilities.

Trending

Exit mobile version