Key Findings:
– Trend Micro has discovered Salt Typhoon (also known as Earth Estries, GhostEmperor, or UNC2286) using a new backdoor called “GhostSpider”
– The group has successfully breached major US telecommunications providers including Verizon, AT&T, Lumen Technologies, and T-Mobile
– Roughly 150 victims, primarily in the Washington, D.C. area, have been notified that their communications were compromised
Primary Targets:
– Telecommunications providers
– Government organizations
– Critical infrastructure
– Technology and consulting firms
– Chemical and transportation sectors
Notable Tools:
1. GhostSpider (New Backdoor):
– Designed for stealthy, long-term espionage
– Runs in memory only, leaving little on disk for forensic review
– Uses encrypted command-and-control communications
– Uses a modular command structure, so capabilities can be loaded on demand
2. Additional Arsenal:
– Masol RAT (Linux backdoor)
– Demodex (rootkit)
– SnappyBee (shared modular backdoor)
– Various other tools including SparrowDoor, CrowDoor, and ShadowPad
Attack Campaigns:
1. Alpha Campaign:
– Targeted Taiwanese government and chemical producers
– Utilized Demodex and SnappyBee
2. Beta Campaign:
– Focused on Southeast Asian telecommunications and government networks
– Employed GhostSpider and Demodex
Initial Access Methods:
– Exploitation of known vulnerabilities in public-facing endpoints, specifically VPN appliances, firewalls, and Microsoft Exchange servers
– No zero-day use is reported; the entry points are unpatched, internet-exposed services
Impact:
The group has compromised at least 20 critical organizations worldwide. In the US telecommunications intrusions, this included access to the private communications of US government officials and to court-authorized wiretapping requests.
Security Implications:
Given Salt Typhoon's capabilities and persistence, organizations are advised to implement multi-layered defenses, starting with patching the public-facing VPN, firewall, and Exchange endpoints the group is known to exploit, and monitoring for in-memory, encrypted implants that leave few artifacts on disk.