Monday, October 21, 2024

Digging into Salt Typhoon

Delivered every Monday by 10 a.m., Weekly Cybersecurity examines the latest news in cybersecurity policy and politics.

By Joseph Gedeon

With help from John Sakellariadis and Joe Gould

Driving the day

A Chinese hacking group's stealthy tactics and advanced techniques have raised serious concerns about the security of critical infrastructure and the potential for widespread disruption.

HAPPY MONDAY, and welcome to MORNING CYBERSECURITY! Please welcome the cyber team’s fearless new editor: Rosie Perper, who’s now in her first full week on the job.

Have any tips or secrets to share with MC? Or thoughts on what we should be covering? Find me on X at @JGedeon1 or email me at jgedeon@politico.com. You can also follow @POLITICOPro and @MorningCybersec on X. Full team contact info is below.


China corner

RARE SIGHTING — The Chinese hacking group tied to an ongoing intrusion into U.S. telco providers has a reputation for being highly skilled and especially elusive, according to interviews with those who have studied it and a review of corporate intelligence reports.

— Low profile, high-skill: While researchers have only spotted the group in a small handful of breaches dating back to 2019, a common picture has emerged across them: a knack for sly intrusion campaigns against organizations that hold data of interest to Beijing’s spy services.

Admittedly, there’s no definitive link between what researchers spotted then and what exists now. Still, those who previously studied the hacking crew say they would not be surprised to learn it’s behind one of the biggest breaches of the last four years. “I would say they are in the upper half of technical sophistication,” said Alexandre Côté Cyr, a malware researcher at Slovak threat intelligence company ESET.

— Crumbs of info: The name the group is best-known by now — Salt Typhoon — comes courtesy of Microsoft. But the tech giant has never published anything on Salt before, and didn’t even appear to track it before August, according to the company’s internal hacking group tracker. Mandiant, which is investigating the telco breaches along with Microsoft, has only mentioned it in passing in a blog about a separate Chinese espionage crew.

— Back in the archives: Researchers at the now-blacklisted Russian cybersecurity firm Kaspersky and ESET first identified the group back in 2021, when both said it was among the Chinese hacking teams that exploited an infamous Microsoft Exchange vulnerability that year.

(Not coincidentally, that marked the last time the White House triggered a special breach response process before the telco hacks.)

At the time, Kaspersky said the group was using a clever, bespoke spying tool — a kernel mode rootkit — to spy on South Asian governments and telcos. ESET said the group was targeting hotels worldwide in an apparent spy caper.

— Recent sign of life: Outside the telco hacks, Côté Cyr said ESET is working on a report about activity it tracked inside the U.S. this July that marks “a very direct extension” of what the firm described in 2021. And cybersecurity firm Sygnia recently said it found a stealthier version of the same rootkit Kaspersky found while investigating a supply chain attack last year against a government client.

Dor Nizar, a malware researcher at Sygnia, said he was particularly impressed by how hackers managed to bypass Microsoft security controls to install the rootkit. “It's a highly capable threat actor,” he said.

Election Security

MUSK’S MIXED MESSAGES — Elon Musk-funded political action committees are deploying contradictory ad strategies in key battleground states weeks ahead of the election, targeting different demographic groups with opposing messages about Vice President Kamala Harris.

— The strategy: Future Coalition PAC, backed by Musk's millions, is running a sophisticated campaign of both digital and physical ads that tailors its message based on the demographic makeup of its audience.

In Michigan, where there's a significant Muslim and Arab American population, the PAC portrays Harris as staunchly pro-Israel. Meanwhile, the very same PAC paints Harris as against Israel in areas in Pennsylvania with a heavier Jewish voting bloc.

One ad paid for by the PAC, delivered to residents’ homes and shared with Morning Cyber, says Harris “leans on Jewish husband Doug Emhoff to advise on high level pro-Israel policies,” without any proof to back up the statement. Another ad shared with Morning Cyber depicts Harris with Rep. Elissa Slotkin (D-Mich.) and notes “Harris even stood up to protestors as they attempted to speak out against the war in Gaza.”

In Pennsylvania, HuffPost, which first reported the story, shared that the ads claim Harris “support[s] denying Israel the weapons needed to defeat the Hamas terrorists who massacred thousands.” An adviser said in August that Harris doesn’t support an arms embargo on Israel.

Those ads ran from last Monday to Saturday and are recorded to have been shown at least 300,000 times.

CISA did not respond to a request for comment on whether it had been working with election, state or local officials to curb this campaign.

Pennsylvania secretary of state Al Schmidt and Michigan SOS Jocelyn Benson did not respond to similar requests for comment.

— Follow the money: The New York Times reports Future Coalition PAC is funded by a nonprofit called Building America's Future. A Wall Street Journal investigation found that Musk funneled tens of millions to Citizens for Sanity, through Building America’s Future.

The world’s richest person was also the sole donor to a super PAC backing Donald Trump’s campaign, tossing in an estimated $75 million.

— Million-dollar momentum: Over the weekend, Musk announced at a town hall in Pennsylvania that America PAC will award $1 million daily to a registered Pennsylvania voter who signs his petition to support the First and Second amendments — with the first winner reportedly given a jumbo-sized lotto check.

The International Scene

LEAK CRITIQUE — The Senate Armed Services Committee’s top Republican, Roger Wicker (R-Miss.), is calling for accountability in the wake of reports that two purported U.S. intelligence documents detailing Israel’s preparations for an attack on Iran surfaced ahead of the weekend.

Wicker on Sunday called the reports “extremely alarming.” He added: “Whoever committed this outrageous act is putting our ally at risk, and they need to be prosecuted to the fullest extent of the law.”

— Leak lowdown: A pro-Iranian Telegram channel named "Middle East Spectator" claimed to have received the documents from a U.S. intelligence community insider. The channel is known for spreading pro-Iranian content, though whether it’s directly linked to Tehran’s government is unclear.

The documents come just as Israel finalizes weeks of preparations for retaliation against Iran’s tit-for-tat Oct. 1 missile barrage. Their authenticity hasn’t been disputed or confirmed, but here’s what appears to be in them:

— A visual intelligence report from the National Geospatial-Intelligence Agency.

— Details on Israeli air force base activities and advanced munitions transfers.

— Intel on a large-scale Israeli air force exercise, potentially rehearsing for an Iranian strike.

— Info on Israeli drone unit preparations.

— Not a denial: The FBI and Israel’s embassy in Washington declined to comment on the authenticity of the documents. The Office of the Director of National Intelligence, as well as the Israeli Defense Forces, did not respond to requests for comment.

Cyber Workforce

CALL TO ARMS — NobleReach, a new group in the D.C. area, is calling all recent graduates with backgrounds in tech, science, and entrepreneurship seeking experience in public service to apply for its 2025 Scholars Program cohort.

The program matches participants with full-time roles in cyber, AI and more at federal agencies or mission-driven industry partners for one year. NobleReach currently has scholars placed at agencies with cybersecurity missions, including the U.S. Navy, U.S. Space Force, NIST and CISA, and is looking for the next generation of cyber leaders.

Applications are open now through Dec. 4.

Tweet of the Day

I’m still going to Cancun.

https://x.com/CISAJen/status/1847785825381019745


Quick Bytes

AN ATTACK THAT GOES (WAY)BACK — The Internet Archive was breached — again — through a Zendesk token exposed in leaked GitLab credentials, writes Lawrence Abrams for BleepingComputer.

“23andMe faces an uncertain future — so does your genetic data” (TechCrunch)

Chat soon.

Stay in touch with the whole team: Joseph Gedeon (jgedeon@politico.com); John Sakellariadis (jsakellariadis@politico.com); Maggie Miller (mmiller@politico.com); and Rosie Perper (rperper@politico.com). 

 
