New Salt Typhoon domains discovered dating back 5 years - businesses urged to check DNS logs
Dozens of domains used as part of C2 infrastructure were discovered

- Silent Push uncovered 45 domains used by Chinese APT groups for long-term cyber-espionage
- Domains were registered with fake identities and linked to low-density IPs for stealthy C2 operations
- Organizations are urged to review five years of DNS logs for signs of compromise

Security researchers recently found 45 domains, some years old, that were used as part of Salt Typhoon cyber-espionage campaigns.
Earlier this week, cybersecurity outfit Silent Push published an in-depth report after discovering a couple dozen unreported domains that were part of command-and-control (C2) infrastructure used by Chinese APT groups to maintain long-term, stealthy access to compromised systems.
Besides Salt Typhoon, a group tracked as UNC4841 apparently also used the same domains, which enabled them to remotely manage malware, exfiltrate data, and persist inside networks without detection.
Checking DNS logs
By analyzing WHOIS and SOA records, Silent Push found domains dating back to May 2020, some of which were registered using fake personas such as Shawn Francis or Monica Burch. Others were registered using ProtonMail addresses, often with nonexistent US-based postal addresses.
Some domains spoofed legitimate entities, such as newhkdaily[dot]com, which may have been used for psychological operations, or propaganda, the researchers stressed.
“The domains date back several years, with the oldest registration activity occurring in May 2020, further confirming that the 2024 Salt Typhoon attacks were not the first activity carried out by this group,” they said in the report.
Silent Push also said that the domains shared low-density IP addresses, meaning they were sparsely populated and likely dedicated to malicious activity.
The company is now urging all organizations to search their DNS logs and telemetry data, going back five years, for any signs of activity involving the 45 newly identified domains, or their subdomains.
That includes looking for DNS requests to any of the listed domains, connections to associated IP addresses (especially during the time when the domains were active), as well as patterns that match the low-density IP infrastructure described in the report.
Even though the infrastructure is likely no longer active, historical DNS data can reveal past compromises or ongoing persistence, and organizations that find matches can take steps to investigate, contain, and remediate any lingering threats.
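One way to carry out the retrospective check described above, as an added example that is not from the article or from Silent Push: a Python scan over constructed DNS log lines that flags queries for watched domains or any of their subdomains, answers resolving to watched IP addresses, and skips records before the earliest known registration date. The only real domain in the watchlist is the one the article names; the second domain, the IP address and the log lines are labelled placeholders.

```python
# Retro-hunt DNS query logs for a domain watchlist (including subdomains) and
# for answers resolving to watched IPs, restricted to the infrastructure's active window.
from datetime import datetime, timezone
import ipaddress

# The one domain the article names plus a labelled placeholder; the full list of
# 45 domains and their IPs must be taken from the Silent Push report.
WATCH_DOMAINS = {"newhkdaily.com", "placeholder-domain-from-report.example"}
WATCH_IPS = {ipaddress.ip_address("203.0.113.10")}  # placeholder (TEST-NET-3), not a real IoC
ACTIVE_FROM = datetime(2020, 5, 1, tzinfo=timezone.utc)  # oldest registration per the report

def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Mail.NewHKDaily.com.' still matches."""
    return name.lower().rstrip(".")

def matches_domain(qname: str, watch=WATCH_DOMAINS):
    """Return the watched domain that qname equals or is a subdomain of, else None."""
    q = normalize(qname)
    for d in watch:
        if q == d or q.endswith("." + d):  # label boundary: notnewhkdaily.com is not a hit
            return d
    return None

def scan(lines, since=ACTIVE_FROM):
    """Each line: '<ISO8601 ts> <client_ip> <qname> <answer_ip,...|->'. Returns (ts, client, qname, reason)."""
    hits = []
    for line in lines:
        ts_s, client, qname, answers = line.split()
        ts = datetime.fromisoformat(ts_s)
        if ts < since:
            continue  # before the earliest known registration; outside the hunt window
        d = matches_domain(qname)
        if d:
            hits.append((ts, client, normalize(qname), f"query matches watched domain {d}"))
            continue
        for a in ([] if answers == "-" else answers.split(",")):
            if ipaddress.ip_address(a) in WATCH_IPS:
                hits.append((ts, client, normalize(qname), f"resolved to watched IP {a}"))
                break
    return hits

# Constructed sample log lines, not real telemetry.
SAMPLE = [
    "2020-04-30T10:00:00+00:00 10.0.0.5 newhkdaily.com. -",             # before the window
    "2021-06-01T12:00:00+00:00 10.0.0.7 Mail.NewHKDaily.com. 198.51.100.4",
    "2022-01-15T08:30:00+00:00 10.0.0.9 cdn.example.org. 203.0.113.10",
    "2023-03-03T09:00:00+00:00 10.0.0.3 notnewhkdaily.com. -",          # lookalike, not a subdomain
]
```

Calling `scan(SAMPLE)` returns two hits: the subdomain query and the answer that resolved to the watched IP; the pre-window query and the lookalike domain are not reported.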
Via The Hacker News
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.