IntrusionsInDepth

IntrusionsInDepth

IntrusionsInDepth
IntrusionsInDepth Podcast
006.1: SALT TYPHOON
0:00
-1:43:58

006.1: SALT TYPHOON

An Analysis of the Salt Typhoon Threat Actor -- March 2025
Josh Stepp's avatar
Josh Stepp
Mar 15, 2025
Share
Transcript

Episode Description:

This episode of The IntrusionsinDepth Podcast released on March 15, 2025, explores the Chinese hacking group Salt Typhoon, a sophisticated cyber-espionage outfit linked to the Ministry of State Security that infiltrated nine U.S. telecom companies and the Treasury by exploiting vulnerabilities in Cisco and BeyondTrust systems. The host traces the group’s evolution from its broad 2019 attacks on Southeast Asia to its refined 2023-2025 campaigns, wielding custom malware like Ghost Spider to steal sensitive data from telecoms, governments, and tech sectors worldwide. With aliases like Ghost Emperor and UNC2286, Salt Typhoon’s history builds on decades of Chinese cyber operations—shifting from the PLA’s early economic theft to the MSS’s strategic espionage—culminating in recent breaches exposing D.C.-area VIP calls and unclassified Treasury documents. The U.S. response of symbolic sanctions on a Chinese firm and an MSS-affiliated hacker underscores the ongoing challenges with groups like this.

Main Topics Discussed:

1. Who is Salt Typhoon?

  • Known by aliases like Ghost Emperor and UNC2286, they’ve been active since 2019, tied to China’s MSS.

  • Targets include telecoms, governments, and tech globally, with a focus on espionage.

2. History of Chinese Cyber Attacks

  • Early attacks (2003-2010s) by the PLA stole tech secrets, like Operation Aurora against Google.

  • Modern APTs like Salt Typhoon showing more refined, widespread operations.

3. Salt Typhoon’s Campaigns

  • Early hits (2019-2022) targeted Southeast Asia; later ones (2023-2025) hit U.S. telecoms and Treasury.

  • Malware like Ghost Spider evolved, using clever tricks to stay hidden and adaptable.

4. U.S. Attacks & Response

  • Recent breaches exposed D.C.-area VIP calls and Treasury data via Cisco and BeyondTrust flaws.

  • U.S. countered with symbolic sanctions on a Chinese firm and hacker, Yin Jinping, but the threat persists.

Call to Action:

  • Subscribe to the podcast for more episodes on high-profile cyber intrusions.

  • Visit our website at intrusionsindepth.com for additional stories and insights.

  • Share your thoughts on social media using #IntrusionsInDepth.

Links and Resources:

  • https://blog.polyswarm.io/salt-typhoon-targets-telecoms-with-ghostspider?

  • https://www.npr.org/2024/12/17/nx-s1-5223490/text-messaging-security-fbi-chinese-hackers-security-encryption

  • https://www.cisa.gov/sites/default/files/2024-12/guidance-mobile-communications-best-practices.pdf

  • https://techcrunch.com/2024/10/13/meet-the-chinese-typhoon-hackers-preparing-for-war/

  • https://mashable.com/article/salt-typhoon-breach-att-verizon-clear

  • https://techcrunch.com/2024/12/04/fbi-recommends-encrypted-messaging-apps-combat-chinese-hackers/

  • https://techcrunch.com/2024/10/07/the-30-year-old-internet-backdoor-law-that-came-back-to-bite/

  • https://www.wsj.com/tech/cybersecurity/u-s-wiretap-systems-targeted-in-china-linked-hack-327fc63b

  • https://www.reuters.com/technology/cybersecurity/us-adds-9th-telcom-list-companies-hacked-by-chinese-backed-salt-typhoon-2024-12-27/

  • https://therecord.media/nine-us-companies-hacked-salt-typhoon-china-espionage

  • https://en.wikipedia.org/wiki/Ministry_of_State_Security_(China)

  • https://en.wikipedia.org/wiki/2010%E2%80%932012_killing_of_CIA_sources_in_China?

  • https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/

  • https://www.justice.gov/opa/pr/member-sophisticated-china-based-hacking-group-indicted-series-computer-intrusions-including

  • https://cloud.google.com/blog/topics/threat-intelligence/chinese-espionage-tactics/

  • https://www.fbi.gov/news/stories/chinese-hackers-charged-in-equifax-breach-021020

  • https://en.wikipedia.org/wiki/Operation_Fox_Hunt

  • https://en.wikipedia.org/wiki/Salt_Typhoon

  • https://www.theguardian.com/us-news/2021/oct/27/us-bans-china-telecom-from-operating-over-national-security-concerns

  • https://www.theguardian.com/technology/2020/jan/21/amazon-boss-jeff-bezoss-phone-hacked-by-saudi-crown-prince

  • https://www.trustwave.com/en-us/resources/blogs/trustwave-blog/analyzing-salt-typhoon-telecom-attacker/

  • https://www.crowdstrike.com/en-us/blog/an-analysis-of-lightbasin-telecommunications-attacks/

  • https://www.reuters.com/technology/china-linked-hacking-group-accessing-calling-records-worldwide-crowdstrike-says-2021-10-19/

  • https://www.darkreading.com/data-privacy/chinese-apt-backdoor-found-in-ccleaner-supply-chain-attack

  • https://news.sky.com/story/obama-tells-china-president-hacking-must-stop-10345126

  • https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach

  • https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf

  • https://en.wikipedia.org/wiki/PLA_Unit_61398

  • https://en.wikipedia.org/wiki/Titan_Rain

  • https://www.csis.org/programs/strategic-technologies-program/survey-chinese-espionage-united-states-2000

  • https://www.nytimes.com/2024/12/16/us/politics/biden-administration-retaliation-china-hack.html

  • https://github.com/shadow1ng/fscan/blob/main/README_EN.md

  • https://github.com/sensepost/reGeorg

  • https://www.cisa.gov/sites/default/files/2024-05/MAR-10448362.c1.v2.CLEAR_.pdf

  • https://proxylogon.com/

  • https://www.picussecurity.com/resource/blog/salt-typhoon-removing-chinese-telecom-equipment

  • https://threatpost.com/famoussparrow-spy-hotels-governments/174948/

  • https://www.ncsc.gov.uk/files/NCSC-MAR-SparrowDoor.pdf

  • https://www.trendmicro.com/en_us/research/24/k/earth-estries.html

  • https://cyberscoop.com/suspected-chinese-hackers-took-advantage-of-microsoft-exchange-vulnerability-to-steal-call-records/

  • https://portswigger.net/daily-swig/a-whole-new-attack-surface-researcher-orange-tsai-documents-proxylogon-exploits-against-microsoft-exchange-server

  • https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/

  • https://cyberscoop.com/famoussparrow-eset-microsoft-exchange-proxylogon/

  • https://www.c4isrnet.com/cyber/2024/04/10/secretive-us-cyber-force-deployed-22-times-to-aid-foreign-governments/

  • https://www.meritalk.com/articles/report-salt-typhoon-using-backdoor-malware-tactics/

  • https://www.wsj.com/politics/national-security/u-s-officials-race-to-understand-severity-of-chinas-salt-typhoon-hacks-6e7c3951

  • https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/

  • https://www.trendmicro.com/en_us/research/23/g/supply-chain-attack-targeting-pakistani-government-delivers-shad.html

  • https://www.trendmicro.com/en_us/research/24/k/breaking-down-earth-estries-persistent-ttps-in-prolonged-cyber-o.html

  • https://cloud.google.com/blog/topics/threat-intelligence/unc4841-post-barracuda-zero-day-remediation

  • https://www.trendmicro.com/en_us/research/24/k/earth-estries.html

  • https://www.bleepingcomputer.com/news/security/salt-typhoon-hackers-backdoor-telcos-with-new-ghostspider-malware/

  • https://cyberscoop.com/chinese-hack-nsa-tool-check-point/

  • https://teamwin.in/index.php/2025/02/15/redmike-hackers-exploited-1000-cisco-devices-to-gain-admin-access/

  • https://cloud.google.com/blog/topics/threat-intelligence/barracuda-esg-exploited-globally

  • https://cyberscoop.com/treasury-sanctions-chinese-cybersecurity-company-salt-typhoon-hacks/

  • https://www.techtarget.com/searchsecurity/news/366617509/Treasury-Department-breached-through-BeyondTrust-service

  • https://www.bleepingcomputer.com/news/security/us-treasury-department-breached-through-remote-support-platform/

  • https://cyberscoop.com/salt-typhoon-us-telecom-hack-earth-estries-trend-micro-report/

  • https://www.reuters.com/technology/cybersecurity/us-treasury-dept-issues-sanctions-related-salt-typhoon-hack-2025-01-17/

  • https://www.wired.com/story/us-names-one-of-the-hackers-allegedly-behind-massive-salt-typhoon-breaches/

  • https://www.recordedfuture.com/research/redmike-salt-typhoon-exploits-vulnerable-devices

  • https://risky.biz/BTN106/

  • https://en.wikipedia.org/wiki/Salt_Typhoon

  • https://jsac.jpcert.or.jp/archive/2025/pdf/JSAC2025_1_5_leon-chang_theo-chen_en.pdf

  • https://learn.microsoft.com/en-us/defender-xdr/microsoft-threat-actor-naming

  • https://nvd.nist.gov/vuln/detail/cve-2023-2868

  • https://www.washingtonpost.com/national-security/2024/11/21/salt-typhoon-china-hack-telecom/

  • https://malpedia.caad.fkie.fraunhofer.de/actor/ghostemperor

  • https://www.sentinelone.com/labs/cyber-soft-power-chinas-continental-takeover/

  • https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/

  • https://blog.talosintelligence.com/salt-typhoon-analysis/

Credits:

  • Host: Josh Stepp

  • Produced by: Josh Stepp

Thank you for tuning in to IntrusionsinDepth Podcast. Stay informed, stay safe, and see you in the next episode!

Discussion about this episode

© 2025 Josh Stepp
PrivacyTermsCollection notice
Start writingGet the app
Substack is the home for great culture