The FBI has issued a security advisory warning the notorious Salt Typhoon hacker group is ramping up attacks globally.
Chinese state-sponsored threat actors have been targeting a wide range of sectors, the agency warned, mainly focusing on large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers.
However, they’re also leveraging compromised devices and trusted connections to pivot into other networks, modifying routers to maintain persistent, long-term access to networks.
They've been linked to multiple China-based entities, including Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong Information Technology, and Sichuan Zhixin Ruijie Network Technology , all of which provide cybersecurity products and services to China’s Ministry of State Security and People’s Liberation Army.
"Last fall, the FBI and CISA attributed compromises at US telecommunications providers to PRC-affiliated actors known as Salt Typhoon. Active since at least 2019, these actors conducted a significant cyber-espionage campaign, breaching global telecommunications privacy and security norms," said Brett Leatherman, assistant director of the FBI's Cyber Division.
"Today, we are releasing a Joint Cybersecurity Advisory to help defenders prevent, detect, and respond to this threat. Paired with guidance from late 2024, it offers practical steps to improve visibility and detect malicious activity early."
Salt Typhoon attacks worse than previously thought
Notably, the FBI warned that attacks waged by Salt Typhoon and its counterparts were more widespread than previously thought, with at least 60 organizations in 80 countries affected.
"Beijing’s indiscriminate targeting of private communications demands our stronger collaboration with our partners to identify and counter this activity at the earliest stages," said Leatherman.
"If you believe you are a victim of Salt Typhoon — or any other malicious cyber activity — I encourage you to contact your local FBI field office."
The advisory from the FBI comes in the wake of a report from the Department of Defense (DoD) detailing a long-term hacking campaign by the group against US National Guard networks.
In July, the DoD revealed Salt Typhoon breached and laid low in the compromised network of an unnamed US state National Guard for almost a year.
The group is believed to have accessed and exfiltrated sensitive military and law enforcement data as part of the campaign.
How to defend against Salt Typhoon
The advisory describes how Salt Typhoon operates, gaining initial access via known vulnerabilities in networking equipment.
Once in, the attackers altered access control lists, created privileged accounts, and enabled remote management to gain long-term access before moving laterally through organizations.
Rather than financial gain, the attacks were focused on telecom carriers, government organisations, and military infrastructure with the aim of surveillance and spying.
However, healthcare organizations have been targeted too.
“This alert details one of the largest global cyber espionage campaigns ever uncovered related to the Chinese government,” said John Riggi, AHA national advisor for cybersecurity and risk.
“US health care may be directly or indirectly impacted by this espionage and potentially disruptive cyberattack on critical infrastructure, and should take aggressive action to identify, contain, remediate and report to the FBI known instances of these malware strains appearing on healthcare networks or third-party networks.”
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
HPE's new Cray system is a pocket powerhouseNews Hewlett Packard Enterprise (HPE) had unveiled new HPC storage, liquid cooling, and supercomputing offerings ahead of SC25
-
High performance and long battery life: How Dell AI PCs offer the best of both worldsUnlocking the true potential of on-device AI requires a perfect balance between software and hardware
-
CISA issues alert after botched Windows Server patch exposes critical flawNews A critical remote code execution flaw in Windows Server is being exploited in the wild, despite a previous 'fix'
-
Former NCSC head says the Jaguar Land Rover attack was the 'single most financially damaging cyber event ever to hit the UK' as impact laid bareNews Researchers said they place the UK financial impact of the attack on Jaguar Land Rover at around £1.9 billion.
-
Volkswagen confirms security ‘incident’ amid ransomware breach claimsNews Volkswagen has confirmed a security "incident" has occurred, but insists no IT systems have been compromised.
-
Cyber experts have been warning about AI-powered DDoS attacks – now they’re becoming a realityNews DDoS attackers are flocking to AI tools and solutions to power increasingly devastating attacks
-
Microsoft issues warning over “opportunistic” cyber criminals targeting big businessNews Microsoft has called on governments to do more to support organizations
-
Europol takes down SIM farm network that scammed thousands of victimsNews The sophisticated operation led to crimes from simple phishing to investment fraud
-
Thousands of exposed civil servant passwords are up for grabs onlineNews While the password security failures are concerning, they pale in comparison to other nations
-
77% of security leaders say they'd fire staff who fall for phishing scams, even though they've done the same thingNews A new report uncovers worrying complacency amongst IT and security leaders
