Lessons Learned From The Salt Typhoon Hacks

Uploaded on 2025-02-04 in TECHNOLOGY--Hackers, INTELLIGENCE-Hot Spots-China, FREE TO VIEW

Over the past few months, the Salt Typhoon hacks have taken the US by storm, as Chinese hackers were able to access the private communications of numerous high-profile figures by breaching US telecommunications companies’ cybersecurity systems. It is important to note these did not appear unexpectedly, with the first hacks traced back to 2022.

So how were the hackers able to stay undetected for so long, and what can be done to prevent this sort of thing happening in the future?

A Global Problem

While the Salt Typhoon hacks targeted the US telecommunications industry, including the US Treasury Department, this is a global problem that could have affected anyone, and will in the future. Any organisation, especially critical infrastructure, is vulnerable to cyberattacks. It is not a matter of ‘if’ but ‘when’, and organisations need to take cybersecurity more seriously to protect themselves.
 
While the US sanctions imposed on the Chinese company behind the attacks may stop some similar hacks from happening, it is an unfortunate reality that cyberattacks are happening every day, and businesses must protect their networks from threats. That includes businesses of all sizes, but is especially pertinent to critical infrastructure organisations, who hold swathes of private information from a broad spectrum of individuals. While the public may not be privy to the cybersecurity measures that specific companies had implemented, industry trends indicate that not enough was done beforehand to stop an attack - with at least nine different companies known to have been compromised by an attack.

A Proactive Approach

A cybersecurity strategy that relies on detection is not enough. The approach of waiting for something bad to happen and detecting it is outdated and doesn’t adequately protect organisations from an ever-changing threat landscape, where hackers are using increasingly novel methods to hack systems and the barrier to entry is lower, as technology makes it easier than ever for people with no coding experience to become cybercriminals. While that may sound quite bleak, by using a more proactive approach - knowing every single application running in your environment and having the ability to control what each of them can do - it becomes significantly harder for threat actors to cause damage to your organisation.

The Salt Typhoon hacks took nearly three years to detect, which is an issue. By adopting Zero Trust, which is central to ThreatLockers approach, businesses are in a better position to stop these attacks from happening in the first place, rather than relying on detection - a tactic that is clearly not working. 
 
There were several threat actors that fell under the family name of Typhoon, including Volt Typhoon, which focused on persistence and stealth, and targeted critical infrastructure, and Flax Typhoon, which focused on attack infrastructure and built botnets from compromised Internet of Things (IoT) devices. Hackers by nature are creative, and it is impossible to try and be aware of all the different methods they use to gain access to data as it is constantly changing, so it is clear a different approach is needed.

Zero Trust Is The Only Effective Solution

With that in mind, businesses, government agencies and any organisation that may be targeted by a cyberattack, need to rethink their strategies. The status quo is no longer enough. By adopting strict Zero Trust - or default-deny - controls, organizations significantly harden their environments. This will help in both stopping breaches and discovering breaches. Many companies do not know what is running in their environment until something catastrophic happens. No business can afford to take those risks - especially critical infrastructure companies who are handling gargantuan amounts of customer data.

The Salt Typhoon hacking group has been utilising several backdoors in order to gain access to the telecommunication service providers they targeted. One of those is a new ‘GhostSpider’ backdoor, but they’ve also used previously documented strategies such as the Linux backdoor ‘Masol RAT’, a rootkit called ‘Demodex’ and ‘SnappyBee’, a modular backdoor that has been widely shared amongst Chinese Advanced Persistent Threat (APT) groups. ThreatLockers Zero Trust defences would have blocked these by default, so these businesses that were targeted wouldn’t have ever been exposed to these attacks, let alone for a prolonged period.

 Conclusion

Relying on detection is not enough. It is vital to understand that these attacks happened over a number of years before they were discovered and eliminated.

Rather than detecting attacks years after hackers have breached an organisation, after exposing their data over prolonged periods of time, businesses need to be on the front foot and stopping these attacks at the source.
 
Zero Trust is the only way businesses can take a grasp of their environment and run strict controls over what each of their applications is allowed to access. Control the controllables - while it might be impossible to eradicate all threats and achieve a totally secure environment, by taking a Zero Trust approach you minimise the risk to your business - and your customers.

Danny Jenkins is CEO & Co-Founder at ThreatLocker

Image: design master

You Might Also Read: 

The Impact Of Geopolitical Dynamics On The Evolving Cybersecurity Landscape:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« New Laws To Prevent Using AI To Generate Sexual Images
New Study From Gen Reveals Over 600% Rise in 'Scam-Yourself' Attacks »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Tiro Security

Tiro Security

Tiro Security is a boutique company specializing in information security and IT audit recruitment and solutions.

Thermo Systems

Thermo Systems

Thermo Systems is a design-build control systems engineering and construction firm. Capabilties include industrial control system cybersecurity.

Swiss Cyber Storm

Swiss Cyber Storm

Swiss Cyber Storm is a non profit organization hosting the international Swiss Cyber Storm Conference and running the Swiss part of the European Cyber Security Challenges.

Private Internet Access

Private Internet Access

Private Internet Access is a Virtual Private Network services provider offering secure encrypted access to the internet.

NITA Uganda (NITA-U)

NITA Uganda (NITA-U)

NITA-U has put in place the Information security framework to provide Uganda with the necessary process, policies, standards and guideline to help in Information Assurance.

Dutch Accreditation Council (RvA)

Dutch Accreditation Council (RvA)

RvA is the national accreditation body for the Netherlands. The directory of members provides details of organisations offering certification services for ISO 27001.

Hallam-ICS

Hallam-ICS

Hallam-ICS designs MEP systems for facilities and plants, control and automation solutions, and ensures safety and regulatory compliance.

C2SEC

C2SEC

C2Sec provides an innovative analytics platform that assesses and quantifies cyber risks in financial terms based on combining patented big data, AI, and cybersecurity technologies.

VIRTIS

VIRTIS

VIRTIS' mission is to provide today's leading organizations peace of mind that their entire digital network perimeter is safe from hackers and data breach.

MicroSec

MicroSec

MicroSec is a company specializing in IoT security. We focus on bringing enterprise grade security to IoT and embedded systems.

Enzen

Enzen

Enzen is a global knowledge practice that provides consulting, technology, engineering, operating and innovation services to the energy and utility sectors.

CV-Library

CV-Library

Start your job search with 216,931 live UK vacancies on award-winning CV-Library. Register your CV and find local jobs near you today!

Lakera

Lakera

Lakera empowers developers and organizations to build GenAI applications without worrying about AI security risks.

Nicos AG

Nicos AG

Nicos AG specializes in secure, global data communication.

Applaudo

Applaudo

Applaudo specializes in helping the world’s most admired brands optimize their IT solutions, reduce delivery costs, and accelerate their digital transformation.

Prefactor

Prefactor

Prefactor was built because the problem of authenticating and authorizing users continues to be a battle engineers face globally.