Lessons Learned From The Salt Typhoon Hacks

Uploaded on 2025-02-04 in TECHNOLOGY--Hackers, INTELLIGENCE-Hot Spots-China, FREE TO VIEW

Over the past few months, the Salt Typhoon hacks have taken the US by storm, as Chinese hackers were able to access the private communications of numerous high-profile figures by breaching US telecommunications companies’ cybersecurity systems. It is important to note these did not appear unexpectedly, with the first hacks traced back to 2022.

So how were the hackers able to stay undetected for so long, and what can be done to prevent this sort of thing happening in the future?

A Global Problem

While the Salt Typhoon hacks targeted the US telecommunications industry, including the US Treasury Department, this is a global problem that could have affected anyone, and will in the future. Any organisation, especially critical infrastructure, is vulnerable to cyberattacks. It is not a matter of ‘if’ but ‘when’, and organisations need to take cybersecurity more seriously to protect themselves.
 
While the US sanctions imposed on the Chinese company behind the attacks may stop some similar hacks from happening, it is an unfortunate reality that cyberattacks are happening every day, and businesses must protect their networks from threats. That includes businesses of all sizes, but is especially pertinent to critical infrastructure organisations, who hold swathes of private information from a broad spectrum of individuals. While the public may not be privy to the cybersecurity measures that specific companies had implemented, industry trends indicate that not enough was done beforehand to stop an attack - with at least nine different companies known to have been compromised by an attack.

A Proactive Approach

A cybersecurity strategy that relies on detection is not enough. The approach of waiting for something bad to happen and detecting it is outdated and doesn’t adequately protect organisations from an ever-changing threat landscape, where hackers are using increasingly novel methods to hack systems and the barrier to entry is lower, as technology makes it easier than ever for people with no coding experience to become cybercriminals. While that may sound quite bleak, by using a more proactive approach - knowing every single application running in your environment and having the ability to control what each of them can do - it becomes significantly harder for threat actors to cause damage to your organisation.

The Salt Typhoon hacks took nearly three years to detect, which is an issue. By adopting Zero Trust, which is central to ThreatLockers approach, businesses are in a better position to stop these attacks from happening in the first place, rather than relying on detection - a tactic that is clearly not working. 
 
There were several threat actors that fell under the family name of Typhoon, including Volt Typhoon, which focused on persistence and stealth, and targeted critical infrastructure, and Flax Typhoon, which focused on attack infrastructure and built botnets from compromised Internet of Things (IoT) devices. Hackers by nature are creative, and it is impossible to try and be aware of all the different methods they use to gain access to data as it is constantly changing, so it is clear a different approach is needed.

Zero Trust Is The Only Effective Solution

With that in mind, businesses, government agencies and any organisation that may be targeted by a cyberattack, need to rethink their strategies. The status quo is no longer enough. By adopting strict Zero Trust - or default-deny - controls, organizations significantly harden their environments. This will help in both stopping breaches and discovering breaches. Many companies do not know what is running in their environment until something catastrophic happens. No business can afford to take those risks - especially critical infrastructure companies who are handling gargantuan amounts of customer data.

The Salt Typhoon hacking group has been utilising several backdoors in order to gain access to the telecommunication service providers they targeted. One of those is a new ‘GhostSpider’ backdoor, but they’ve also used previously documented strategies such as the Linux backdoor ‘Masol RAT’, a rootkit called ‘Demodex’ and ‘SnappyBee’, a modular backdoor that has been widely shared amongst Chinese Advanced Persistent Threat (APT) groups. ThreatLockers Zero Trust defences would have blocked these by default, so these businesses that were targeted wouldn’t have ever been exposed to these attacks, let alone for a prolonged period.

 Conclusion

Relying on detection is not enough. It is vital to understand that these attacks happened over a number of years before they were discovered and eliminated.

Rather than detecting attacks years after hackers have breached an organisation, after exposing their data over prolonged periods of time, businesses need to be on the front foot and stopping these attacks at the source.
 
Zero Trust is the only way businesses can take a grasp of their environment and run strict controls over what each of their applications is allowed to access. Control the controllables - while it might be impossible to eradicate all threats and achieve a totally secure environment, by taking a Zero Trust approach you minimise the risk to your business - and your customers.

Danny Jenkins is CEO & Co-Founder at ThreatLocker

Image: design master

You Might Also Read: 

The Impact Of Geopolitical Dynamics On The Evolving Cybersecurity Landscape:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« New Laws To Prevent Using AI To Generate Sexual Images
New Study From Gen Reveals Over 600% Rise in 'Scam-Yourself' Attacks »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

IONU Security

IONU Security

IONU offer a security platform focused specifically on providing Data-centric Security.

National Cyber Security Centre (NCSC) - United Kingdom

National Cyber Security Centre (NCSC) - United Kingdom

The NCSC acts as a bridge between industry and government, providing a unified source of advice, guidance and support on cyber security, including the management of cyber security incidents.

CLUSIS

CLUSIS

CLUSIS is an association for the information security industry in Switzerland.

Cybersecurity Association of Maryland (CAMI)

Cybersecurity Association of Maryland (CAMI)

CAMI’s mission is to create a global cybersecurity marketplace in Maryland and generate thousands of high-pay jobs through the cybersecurity industry.

Mend.io

Mend.io

Mend.io (formerly known as WhiteSource) is an application security company built to secure today’s digital world.

AVORD

AVORD

AVORD is a cloud-based security testing platform that allows clients to manage security testing requirements in a far more productive and efficient way.

EuraTechnologies

EuraTechnologies

EuraTechnologies, the French incubator and accelerator, is a centre of excellence and innovation for startups and entrepreneurs with a focus on Digital, Data, Cybersecurity and IoT.

CHEQ

CHEQ

CHEQ provides fully autonomous, preemptive technology for brand safety and ad-fraud prevention.

Torq

Torq

Torq's no-code automation modernizes how security & operations teams work with easy workflow building, limitless integrations and numerous pre-built templates.

Aravo Solutions

Aravo Solutions

Your Extended Enterprise is full of hidden risks – Aravo makes them visible, measurable, and manageable.

Mindflow

Mindflow

Mindflow is dedicated to bringing answers to the challenges the cybersecurity field and beyond face today.

BTQ Technologies

BTQ Technologies

BTQ is a global quantum technology company focused on securing mission critical networks.

Precision Cybertechnologies & Digital Solutions (Precision-Cyber)

Precision Cybertechnologies & Digital Solutions (Precision-Cyber)

Precision-Cyber was founded on the philosophy of state-of-the-art cybersecurity and digital solutions. Our guiding principle is simply that we will provide and secure all your digital needs.

Hubble

Hubble

Hubble grew from the idea that legacy solutions were failing to provide organizations with the asset visibility they needed to effectively secure and operate their businesses.

True North Solutions

True North Solutions

True North Solutions provides a wide range of fully customized, vendor-neutral industrial engineering and OT automation solutions to companies across North America and around the world.

NetSfere

NetSfere

NetSfere provides next-generation messaging and mobility solutions to carriers and enterprises globally including its enterprise-grade, secure mobile messaging platform NetSfere Enterprise.