RARE SIGHTING — The Chinese hacking group tied to an ongoing intrusion into U.S. telco providers has a reputation for being highly skilled and especially elusive, according to interviews with those who have studied it and a review of corporate intelligence reports.

— Low profile, high-skill: While researchers have only spotted the group in a small handful of breaches dating back to 2019, a common picture has emerged across them: a knack for sly intrusion campaigns against organizations that hold data of interest to Beijing’s spy services. Admittedly, there’s no definitive link between what researchers spotted then and what exists now. Still, those who previously studied the hacking crew say they would not be surprised to learn it’s behind one of the biggest breaches of the last four years. “I would say they are in the upper half of technical sophistication,” said Alexandre Côté Cyr, a malware researcher at Slovak threat intelligence company ESET.

— Crumbs of info: The name the group is best-known by now — Salt Typhoon — comes courtesy of Microsoft. But the tech giant has never published anything on Salt before, and didn’t even appear to track it before August, according to the company’s internal hacking group tracker. Mandiant, which is investigating the telco breaches along with Microsoft, has only mentioned it in passing in a blog about a separate Chinese espionage crew.

— Back in the archives: Researchers at the now-blacklisted Russian cybersecurity firm Kaspersky and ESET first identified the group back in 2021, when both said it was among the Chinese hacking teams that exploited an infamous Microsoft Exchange vulnerability that year. (Not coincidentally, that marked the last time the White House triggered a special breach response process before the telco hacks.) At the time, Kaspersky said the group was using a clever, bespoke spying tool — a kernel mode rootkit — to spy on South Asian governments and telcos. ESET said the group was targeting hotels worldwide in an apparent spy caper.

— Recent sign of life: Outside the telco hacks, Côté Cyr said ESET is working on a report about activity it tracked inside the U.S. this July that marks “a very direct extension” of what the firm described in 2021. And cybersecurity firm Sygnia recently said it found a stealthier version of the same rootkit Kaspersky found while investigating a supply chain attack last year against a government client. Dor Nizar, a malware researcher at Sygnia, said he was particularly impressed by how hackers managed to bypass Microsoft security controls to install the rootkit. “It's a highly capable threat actor,” he said.