China's Cyber Campaigns: A Deep Dive into Salt & Volt Typhoon and Other Threat Actors
In recent years, cyber espionage has become a significant concern, with nation-state actors employing sophisticated techniques to target critical infrastructure and sensitive data. Among these, groups affiliated with the People's Republic of China (PRC) have been particularly active, utilizing methods like "living off the land" (LOTL) to compromise networks and maintain persistent access. This article delves into the tactics, techniques, and procedures (TTPs) of one such group, Volt Typhoon, while also shedding light on other PRC-linked cyber actors and providing actionable mitigation strategies for network defenders.
Understanding Volt Typhoon's Tactics
Volt Typhoon has successfully infiltrated the networks of critical infrastructure organizations in the United States. Their operations involve a multi-stage attack, characterized by:
- Extensive Reconnaissance: Volt Typhoon actors conduct thorough pre-compromise reconnaissance to gather intelligence about the target organization's network architecture, security measures, and key personnel. This includes identifying network topologies, typical user behaviors, and key IT staff. They use tools like FOFA, Shodan, and Censys to search for exposed infrastructure.
- Initial Access: The group typically gains initial access by exploiting known or zero-day vulnerabilities in public-facing network appliances, such as routers, VPNs, and firewalls. They commonly target vulnerabilities in networking appliances such as Fortinet, Ivanti, NETGEAR, Citrix, and Cisco.
- Credential Access and Lateral Movement: After the initial breach, Volt Typhoon aims to obtain administrator credentials within the network, often by exploiting privilege escalation vulnerabilities. They use valid administrator credentials to move laterally to the domain controller (DC) and other devices via remote access services like RDP.
- Discovery and Data Collection: Volt Typhoon conducts discovery in the victim's network, leveraging LOTL binaries for stealth. They use PowerShell to perform targeted queries on Windows event logs, focusing on specific users and periods, and extract security event logs into .dat files. The group collects sensitive information, including diagrams and documentation related to OT equipment, such as SCADA systems, relays, and switchgear.
- Persistence and Defense Evasion: Volt Typhoon primarily relies on valid credentials for persistence. Their strong operational security, use of LOTL techniques, and targeted log deletion allow them to maintain long-term, undiscovered persistence.
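The discovery and anti-forensics behaviour described above (targeted PowerShell event log queries exported to .dat files, log deletion) and the NTDS.dit extraction noted later in this article leave host telemetry a defender can hunt for. The following Python detection is an added example, not code from the advisory or this article: the event records are constructed, and the ntdsutil/ifm pattern is an assumed indicator of NTDS.dit extraction rather than one the article names.

```python
import re

# Constructed Windows event records (not real telemetry). EventID 4688 is process
# creation, 4104 is PowerShell script block logging, 1102 is "audit log was cleared".
SAMPLE_EVENTS = [
    {"EventID": 4688, "Host": "DC01", "User": r"CORP\svc_backup",
     "CommandLine": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Temp\pro" q q'},
    {"EventID": 4104, "Host": "FS02", "User": r"CORP\jdoe",
     "ScriptBlockText": r"Get-WinEvent -FilterHashtable @{LogName='Security';ID=4624}"
                        r" | Out-File C:\Users\Public\user.dat"},
    {"EventID": 1102, "Host": "FS02", "User": r"CORP\jdoe"},
    {"EventID": 4688, "Host": "WS10", "User": r"CORP\alice",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
]

# Heuristics for the LOTL behaviour the article describes. The ntdsutil/ifm pattern is
# an assumed indicator of NTDS.dit extraction, not one the article itself lists.
RULES = [
    ("ntds_dit_extraction", r"ntdsutil.*\bifm\b|ntds\.dit"),
    ("eventlog_export_to_dat", r"(Get-WinEvent|Get-EventLog|wevtutil).*\.dat\b"),
]


def evaluate(events):
    """Return (host, user, finding) tuples for events matching the heuristics."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1102:
            findings.append((ev["Host"], ev["User"], "security_log_cleared"))
            continue
        text = ev.get("CommandLine", "") + " " + ev.get("ScriptBlockText", "")
        for name, pattern in RULES:
            if re.search(pattern, text, re.IGNORECASE):
                findings.append((ev["Host"], ev["User"], name))
    return findings


def correlate(findings):
    """Hosts showing both an event log export and a Security log clear: the
    strongest anti-forensics signal in this data set."""
    by_host = {}
    for host, _user, name in findings:
        by_host.setdefault(host, set()).add(name)
    wanted = {"eventlog_export_to_dat", "security_log_cleared"}
    return sorted(h for h, names in by_host.items() if wanted <= names)


if __name__ == "__main__":
    for host, user, name in evaluate(SAMPLE_EVENTS):
        print(f"{host:5} {user:18} {name}")
    print("hosts with export-and-clear:", correlate(evaluate(SAMPLE_EVENTS)))
```

In production the same rules would run over 4688/4104/1102 events pulled from a central log store rather than an inline list.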
Technical Analysis of RedMike Exploitation
- RedMike, a Chinese state-sponsored threat group, has been actively exploiting unpatched internet-facing Cisco network devices.
- The group targets global telecommunications providers, exploiting vulnerabilities like CVE-2023-20198 and CVE-2023-20273 in Cisco IOS XE software to gain initial access and root privileges.
- RedMike reconfigures compromised devices, adding a generic routing encapsulation (GRE) tunnel for persistent access and data exfiltration. This activity highlights a strategic intelligence threat, enabling monitoring, data manipulation, and service disruption during geopolitical conflicts.
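The GRE tunnel persistence described above, and the "monitor for unauthorized configuration changes" advice later in this article, can be operationalized by diffing a device's running configuration against a known-good baseline. This is an added example, not code from Insikt Group or this article: the IOS XE config excerpts are constructed, and the hostname and addresses are placeholders.

```python
# Constructed IOS XE running-config excerpts; hostname and addresses are placeholders.
BASELINE_CONFIG = """\
hostname EDGE-RTR-01
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.252
!
ip http secure-server
"""

CURRENT_CONFIG = """\
hostname EDGE-RTR-01
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.252
!
interface Tunnel1
 ip address 10.250.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.77
!
ip http secure-server
"""


def parse_interfaces(config):
    """Map each interface name to its sub-commands (the indented lines beneath it)."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces


def new_gre_tunnels(baseline, current):
    """Tunnel interfaces in `current` that the baseline lacks, with their destination.
    A Tunnel with no explicit 'tunnel mode' line is GRE/IP, the IOS default."""
    known = parse_interfaces(baseline)
    findings = []
    for name, cmds in parse_interfaces(current).items():
        if name in known or not name.startswith("Tunnel"):
            continue
        mode = next((c for c in cmds if c.startswith("tunnel mode ")), "tunnel mode gre ip")
        if not mode.startswith("tunnel mode gre"):
            continue
        dest = next((c.split()[-1] for c in cmds if c.startswith("tunnel destination ")), None)
        findings.append({"interface": name, "destination": dest})
    return findings


if __name__ == "__main__":
    for f in new_gre_tunnels(BASELINE_CONFIG, CURRENT_CONFIG):
        print(f"unexpected GRE tunnel {f['interface']} -> {f['destination']}")
```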
Recommended Mitigations and Best Practices
To defend against Volt Typhoon and similar threats, organizations should implement the following mitigations and best practices:
- Harden the Attack Surface: Apply patches for internet-facing systems within a risk-informed span of time and prioritize patching critical assets and known exploited vulnerabilities. Apply vendor-provided or industry-standard hardening guidance to strengthen software and system configurations.
- Implement Robust Logging and Monitoring: Ensure logging is turned on for application, access, and security logs and store logs in a central system. Routinely review application, security, and system event logs, focusing on Windows ESENT Application Logs. Use gait to detect possible network proxy activities and examine VPN or other account logon times, frequency, duration, and locations.
- Enforce Strong Identity and Access Management: Implement phishing-resistant MFA for all accounts that access company systems, networks, and applications. As part of a broader identity and access management policy, use local accounts only for emergencies and change the passwords after each use. Implement a Role-Based Access Control (RBAC) strategy that assigns users to a specific role with defined and inherited permissions.
- Secure Network Architecture: Use an out-of-band management network that is physically separate from the operational data flow network. Implement a strict, default-deny ACL strategy to control inbound and outbound traffic, and ensure all denied traffic is logged.
- Incident Response and Preparedness: Create and regularly exercise an incident response plan and implement regular data backup procedures on OT networks. Follow the risk-informed guidance in the joint advisory "NSA and CISA Recommend Immediate Actions to Reduce Exposure Across all Operational Technologies and Control Systems".
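The logging and monitoring item above asks defenders to examine VPN logon times, frequency, duration, and locations. The script below is an added example of that review, not code from the advisory or this article: the VPN session records, the business-hours window and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed VPN session records: (account, start, end, source country). Not real data.
VPN_SESSIONS = [
    ("admin7", "2024-03-01T10:00:00", "2024-03-01T11:00:00", "US"),
    ("jdoe", "2024-03-04T08:55:00", "2024-03-04T17:10:00", "US"),
    ("jdoe", "2024-03-05T09:02:00", "2024-03-05T16:45:00", "US"),
    ("jdoe", "2024-03-06T08:48:00", "2024-03-06T17:30:00", "US"),
    ("jdoe", "2024-03-07T02:13:00", "2024-03-07T02:41:00", "US"),
    ("admin7", "2024-03-07T03:20:00", "2024-03-07T03:25:00", "NL"),
]


def flag_sessions(sessions, business_hours=range(7, 20), short_minutes=15):
    """Walk sessions in time order and flag each one that starts outside the
    (assumed) business-hours window, comes from a country the account has not used
    before, or lasts less than `short_minutes`. Returns (account, start, reasons)."""
    seen_countries = defaultdict(set)
    findings = []
    for account, start, end, country in sorted(sessions, key=lambda s: s[1]):
        t0, t1 = datetime.fromisoformat(start), datetime.fromisoformat(end)
        reasons = []
        if t0.hour not in business_hours:
            reasons.append("off_hours")
        if seen_countries[account] and country not in seen_countries[account]:
            reasons.append("new_country:" + country)
        if (t1 - t0).total_seconds() < short_minutes * 60:
            reasons.append("short_session")
        seen_countries[account].add(country)  # the per-account history grows as we go
        if reasons:
            findings.append((account, start, reasons))
    return findings


def sessions_per_day(sessions):
    """Logon frequency per account and day, for spotting bursts of check-ins."""
    counts = defaultdict(int)
    for account, start, _end, _country in sessions:
        counts[(account, start[:10])] += 1
    return dict(counts)


if __name__ == "__main__":
    for account, start, reasons in flag_sessions(VPN_SESSIONS):
        print(account, start, ", ".join(reasons))
```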
Groups like Volt Typhoon and RedMike represent a significant threat to national security and critical infrastructure. Their sophisticated, stealthy, and persistent tactics require a proactive and layered defense strategy. By understanding their TTPs, implementing robust security measures, and fostering a culture of cybersecurity awareness, organizations can significantly reduce their risk exposure to these and other advanced cyber threats.
Chinese Cyber Espionage Timeline
Chinese cyber espionage is a widespread and multifaceted threat, with state-sponsored actors targeting a variety of sectors for intelligence gathering, intellectual property theft, and potential disruption of critical infrastructure.
Actors and Campaigns:
- Volt Typhoon: This group has compromised IT environments within the Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors, primarily in the U.S. and its territories. Their activity is not typical cyber espionage. The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to operational technology (OT) assets in order to disrupt functions.
- Flax Typhoon: This group focuses more on civilian targets, engaging in espionage activities across various sectors, including consumer devices and telecommunications networks. In 2024, U.S. authorities disrupted a network of over 200,000 internet-connected devices used by Flax Typhoon for espionage.
- Salt Typhoon (aka RedMike, FamousSparrow, GhostEmperor): This group has been linked to breaches of major U.S. telecommunications providers, potentially compromising wiretap systems. The group has been active since at least 2019, targeting hotels, government organizations, law firms, and international companies.
- APT40 (TEMP.Periscope): Linked to China's Ministry of State Security (MSS), this group targets maritime industries and organizations involved in South China Sea disputes, gathering intelligence to support China's military and geopolitical interests.
- APT41 (Winnti): This group engages in both espionage and financially motivated cybercrime, targeting healthcare, technology, telecommunications, and gaming companies.
- APT10 (Stone Panda or Cicada): This group targets managed service providers (MSPs), healthcare, and aviation sectors, stealing intellectual property through campaigns like Operation Cloud Hopper.
- Bronze President (APT31): This group targets government organizations, international entities, and the defense sector to steal intellectual property and sensitive government information.
- Hafnium: This group gained notoriety in early 2021 for exploiting vulnerabilities in Microsoft Exchange Servers, compromising over 30,000 organizations globally.
- RedEcho: This group has targeted India's critical infrastructure, including its power sector, for espionage and surveillance.
- Mustang Panda (APT27): This group targets diplomatic organizations, NGOs, and governmental entities worldwide for long-term espionage.
Techniques and Tactics:
- Living off the Land (LOTL): Chinese cyber actors often use tools already present in the target environment, such as PowerShell, WMI, and FTP clients, to maintain anonymity and evade detection.
- Exploiting Known Vulnerabilities: Groups like Volt Typhoon exploit known or zero-day vulnerabilities in public-facing network appliances, such as routers, VPNs, and firewalls, to gain initial access.
- Credential Theft: Cyber actors aim to obtain administrator credentials within the network, often by exploiting privilege escalation vulnerabilities or accessing insecurely stored credentials. Volt Typhoon achieves full domain compromise by extracting the Active Directory database (NTDS.dit) from the domain controller.
- Reconnaissance: Extensive pre-compromise reconnaissance is conducted to gather information about the target organization's network architecture, security measures, and staff.
- Command and Control: Compromised SOHO routers and virtual private servers (VPS) are leveraged to proxy command and control (C2) traffic.
Impact and Implications:
- Critical Infrastructure: Chinese cyber espionage poses a significant threat to critical infrastructure, with potential for disruptive or destructive cyberattacks.
- Espionage and Data Theft: Cyber actors target government organizations, international entities, and the defense sector to steal intellectual property and sensitive government information.
- Privacy Concerns: Breaches of telecommunications providers and wiretap systems raise concerns about the privacy of citizens, as sensitive data and private communications could be compromised.
- Economic and Military Goals: China's cyber strategy aligns with its broader economic and military goals, making universities and research institutions high-value targets for long-term intelligence gathering and technology acquisition.
Mitigation and Defense:
- Patching and Vulnerability Management: Apply patches for internet-facing systems and prioritize patching critical vulnerabilities.
- Multi-Factor Authentication (MFA): Implement phishing-resistant MFA to protect against credential theft.
- Logging and Monitoring: Ensure logging is turned on for application, access, and security logs, and store logs in a central system.
- Network Security Best Practices: Harden network devices, implement strict access controls, and monitor for unauthorized configuration changes.
- Incident Response: Have incident response plans in place and report any suspicious activity to the appropriate authorities.
- Zero Trust Security Models: Adopt zero-trust security models that assume any user or system could be compromised.
- Secure by Design: Urge manufacturers to build security into the design, development, and maintenance of devices.
The U.S. government has taken actions to counter Chinese cyber espionage, including sanctions against individuals and entities involved in these activities. International cooperation and information sharing are crucial for effectively countering these persistent threats.
Timeline of Events
- Mid-2021: Volt Typhoon, a Chinese state-sponsored APT group, becomes active.
- 2020-2025: Data breaches evolve in sophistication, but many attackers still rely on proven tactics to exploit vulnerabilities.
- May 2023: CISA, NSA, and FBI disclose information about Volt Typhoon's "Living off the Land" (LOTL) tactics. They note the group has been active for some time targeting critical infrastructure.
- September 2023: CISA, FBI, and NSA release a joint Cybersecurity Advisory (CSA) detailing activity by cyber actors, known as BlackTech, linked to the People’s Republic of China (PRC).
- October 2023: Cisco publishes information about a privilege escalation vulnerability (CVE-2023-20198) in the web UI feature of Cisco IOS XE software.
- February 7, 2024: CISA, NSA, and FBI assess that PRC state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States. CISA and the FBI created this guidance based upon recent and ongoing activity targeting small office/home office (SOHO) routers by malicious cyber actors, particularly the People’s Republic of China (PRC)-sponsored Volt Typhoon group.
- September 2024: Media reports surface about Salt Typhoon, a China-linked threat group, compromising the networks of major U.S. telecommunications providers like Verizon and AT&T. The group is believed to have accessed systems used for wiretapping operations. Salt Typhoon is believed to have compromised at least 80 organizations.
- Late September 2024: RedMike (Salt Typhoon) compromised the networks of major US telecommunications companies, including Verizon, AT&T, and Lumen Technologies. The activity likely affected telecommunications organizations globally.
- December 2024: RedMike carries out reconnaissance of IP addresses owned by Myanmar-based telecommunications provider, Mytel.
- December 4, 2024: CISA and its partners warn that People’s Republic of China (PRC)-affiliated threat actors compromised networks of major global telecommunications providers to conduct a broad and significant cyber espionage campaign.
- December 2024 - January 2025: Insikt Group identifies RedMike exploiting unpatched internet-facing Cisco network devices of global telecommunications providers using CVE-2023-20198 and CVE-2023-20273. Over 1,000 devices are targeted.
- December 2024 - January 2025: RedMike scanning and exploitation activity occurred on six different occasions: December 4, 10, 17, and 24, 2024, and January 13 and 23, 2025.
- January 17, 2025: The U.S. Department of the Treasury's OFAC sanctions Sichuan Juxinhe Network Technology Co., Ltd. for their involvement with RedMike activity.
- February 7, 2025: Japan's Cabinet approves active cyber defense legislation to strengthen National Cybersecurity.
- February 13, 2025: Insikt Group publishes a report on RedMike (Salt Typhoon) exploiting vulnerable Cisco devices of global telecommunications providers.
- Ongoing: CISA issues alerts and guidance regarding Chinese state-sponsored cyber threats.
Cast of Characters
- Volt Typhoon (Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus): A Chinese state-sponsored APT group known for targeting U.S. critical infrastructure with "living off the land" (LOTL) techniques. They aim to pre-position on IT networks for potential disruptive attacks on OT assets in the event of geopolitical tensions. Active since at least mid-2021.
- Salt Typhoon (RedMike): Another China-linked APT group. Focuses on targeting telecommunications providers, potentially compromising wiretapping systems. Likely associated with Sichuan Juxinhe Network Technology Co., Ltd.
- BlackTech: Cyber actors linked to the People’s Republic of China (PRC). The joint advisory on the group details its tactics, techniques, and procedures (TTPs) and urges multinational corporations to review all subsidiary connections, verify access, and consider implementing zero trust models to limit the extent of a potential BlackTech compromise.
- Flax Typhoon: A Chinese APT group that leverages a custom version of the notorious Mirai malware.
- Mustang Panda (APT27): A Chinese state-sponsored hacking group known for targeting diplomatic organizations, NGOs, and governmental entities worldwide. The group is focused on long-term espionage activities and has been linked to Chinese intelligence services.