Beijing-backed nation-state threat actors broke into a “handful” of US Internet Service Providers (ISPs) in a cyber espionage campaign designed to gather sensitive information, The Wall Street Journal reported Wednesday.
The activity is attributed to a threat actor that Microsoft tracks as Salt Typhoon, which is also known as FamousSparrow and GhostEmperor.
“Investigators are looking into whether attackers gained access to Cisco Systems routers, core network components that route much of the Internet’s traffic,” the paper quoted people familiar with the matter as saying.
The ultimate goal of the attacks is to gain a foothold in targeted networks, allowing the threat actors to collect sensitive data or launch disruptive cyberattacks.
GhostEmperor first came to light in October 2021, when the Russian cybersecurity company Kaspersky detailed a long-running, evasive targeted operation in Southeast Asia that deployed a rootkit called Demodex.
The campaign targeted high-profile organizations in Malaysia, Thailand, Vietnam and Indonesia, as well as in Egypt, Ethiopia and Afghanistan.
In July 2024, Sygnia disclosed that an unnamed client had been compromised by the threat actor in 2023 as a stepping stone to infiltrate the network of one of its business partners.
“During the investigation, it was determined that multiple servers, workstations and users were compromised by an attacker who deployed various tools to communicate with a set of (command and control) servers,” the company said in a statement. “One of these tools was identified as a Demodex variant.”
The development comes days after the US government said it had disrupted a 260,000-device botnet dubbed Raptor Train, controlled by another Beijing-linked hacking group called Flax Typhoon.
It also represents the latest in a series of state-sponsored Chinese efforts to target telecommunications providers, internet service providers and other critical infrastructure sectors.