FBI warns 'indiscriminate' Salt Typhoon hacking campaign has hit organizations in more than 80 countries
The agency has issued an advisory on the China-linked Salt Typhoon hacker group


The FBI has issued a security advisory warning that the notorious Salt Typhoon hacker group is ramping up attacks globally.
Chinese state-sponsored threat actors have been targeting a wide range of sectors, the agency warned, mainly focusing on large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers.
However, they’re also leveraging compromised devices and trusted connections to pivot into other networks, modifying routers to maintain persistent, long-term access to networks.
They've been linked to multiple China-based entities, including Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong Information Technology, and Sichuan Zhixin Ruijie Network Technology, all of which provide cybersecurity products and services to China’s Ministry of State Security and People’s Liberation Army.
"Last fall, the FBI and CISA attributed compromises at US telecommunications providers to PRC-affiliated actors known as Salt Typhoon. Active since at least 2019, these actors conducted a significant cyber-espionage campaign, breaching global telecommunications privacy and security norms," said Brett Leatherman, assistant director of the FBI's Cyber Division.
"Today, we are releasing a Joint Cybersecurity Advisory to help defenders prevent, detect, and respond to this threat. Paired with guidance from late 2024, it offers practical steps to improve visibility and detect malicious activity early."
Salt Typhoon attacks worse than previously thought
Notably, the FBI warned that attacks waged by Salt Typhoon and its counterparts were more widespread than previously thought, with at least 60 organizations in 80 countries affected.
"Beijing’s indiscriminate targeting of private communications demands our stronger collaboration with our partners to identify and counter this activity at the earliest stages," said Leatherman.
"If you believe you are a victim of Salt Typhoon — or any other malicious cyber activity — I encourage you to contact your local FBI field office."
The advisory from the FBI comes in the wake of a report from the Department of Defense (DoD) detailing a long-term hacking campaign by the group against US National Guard networks.
In July, the DoD revealed that Salt Typhoon breached the network of an unnamed US state National Guard and lay low there for almost a year.
The group is believed to have accessed and exfiltrated sensitive military and law enforcement data as part of the campaign.
How to defend against Salt Typhoon
The advisory describes how Salt Typhoon operates, gaining initial access via known vulnerabilities in networking equipment.
Once in, the attackers altered access control lists, created privileged accounts, and enabled remote management to gain long-term access before moving laterally through organizations.
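As an added illustration (not part of the advisory or the original article), the three changes described above can be surfaced by comparing a router's current configuration against a known-good baseline. The Cisco IOS-style syntax, account names and addresses below are constructed assumptions; the article names no vendor.

```python
import re

# Constructed IOS-style snapshots (assumption: vendor and syntax are not named in the article).
BASELINE = """\
username netops privilege 15 secret 9 $9$constructed
ip access-list standard MGMT
 permit 10.0.0.0 0.0.0.255
no ip http server
line vty 0 4
 transport input ssh
"""

CURRENT = """\
username netops privilege 15 secret 9 $9$constructed
username svc_backup privilege 15 secret 9 $9$constructed
ip access-list standard MGMT
 permit 10.0.0.0 0.0.0.255
 permit 203.0.113.7
ip http secure-server
line vty 0 4
 transport input ssh telnet
"""

def parse(config):
    """Collect privileged accounts, ACL entries and remote-management settings."""
    facts = {"priv_users": set(), "acl": set(), "remote_mgmt": set()}
    acl = None  # name of the ACL block currently being read, if any
    for raw in config.splitlines():
        line, nested = raw.strip(), raw.startswith(" ")
        if not nested:  # a top-level line opens or closes an ACL block
            m = re.match(r"ip access-list \S+ (\S+)", line)
            acl = m.group(1) if m else None
        m = re.match(r"username (\S+) privilege 15\b", line)
        if m:
            facts["priv_users"].add(m.group(1))
        elif acl and nested:
            facts["acl"].add((acl, line))  # entry order is ignored here
        elif re.match(r"ip http (secure-)?server$", line):
            facts["remote_mgmt"].add(line)
        elif line.startswith("transport input"):
            facts["remote_mgmt"].update("vty " + p for p in line.split()[2:])
    return facts

def drift(baseline, current):
    """Return, per area, the entries added or removed since the baseline."""
    old, new = parse(baseline), parse(current)
    return {k: {"added": sorted(new[k] - old[k]), "removed": sorted(old[k] - new[k])}
            for k in old}
```

Calling `drift(BASELINE, CURRENT)` reports the new privileged account, the extra ACL permit entry, and the newly enabled HTTPS and Telnet management access.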
The attacks were aimed at surveillance and spying rather than financial gain, and focused on telecom carriers, government organizations, and military infrastructure.
However, healthcare organizations have been targeted too.
“This alert details one of the largest global cyber espionage campaigns ever uncovered related to the Chinese government,” said John Riggi, AHA national advisor for cybersecurity and risk.
“US health care may be directly or indirectly impacted by this espionage and potentially disruptive cyberattack on critical infrastructure, and should take aggressive action to identify, contain, remediate and report to the FBI known instances of these malware strains appearing on healthcare networks or third-party networks.”
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.