Notorious Chinese hacking group Salt Typhoon found lurking in European comms networks

News
By published

Salt Typhoon strikes again - but this time unsuccessfully

Caution sign data unlocking hackers. Malicious software, virus and cybercrime, System warning hacked alert, cyberattack on online network, data breach, risk of website
(Image credit: sarayut Thaneerat/ via Getty Images)
  • Notorious hacking group Salt Typhoon has likely been targeting Telecom orgs
  • Researchers identified tactics previously used by the group
  • Salt Typhoon breached up to 8 US telecom networks in a huge cyber-espionage campaign

Notorious Chinese hacking group Salt Typhoon has been once again linked to intrusions against telecommunications firms - this time in Europe.

A new report from Darktrace claims the group has been observed, "targeting global infrastructure using stealthy techniques such as DLL sideloading and zero-day exploits."

The early stage intrusion activity detected mirrors previous Salt Typhoon tactics, such as the prolific attacks on up to 8 different telecom organizations in a far reaching and potent multi-year campaign which resulted in the group stealing information from millions of American telecom customers using a high severity Cisco flaw to gain access and eventually collect traffic from the networks devices were connected to.

DLL side-loading

In the latest incident, Darktrace assessed with moderate confidence that Salt Typhoon abused legitimate tools with stealth and persistence - exploiting a Citrix NetScaler Gateway appliance to obtain initial access.

From there, the criminals deployed Snappybee malware, also known as Deed RAT, which is launched using a technique called DLL side-loading - another tactic commonly used by Chinese threat actors.

“The backdoor was delivered to these internal endpoints as a DLL alongside legitimate executable files for antivirus software such as Norton Antivirus, Bkav Antivirus, and IObit Malware Fighter,” Darktrace explained.

”This pattern of activity indicates that the attacker relied on DLL side-loading via legitimate antivirus software to execute their payloads. Salt Typhoon and similar groups have a history of employing this technique, enabling them to execute payloads under the guise of trusted software and bypassing traditional security controls.”

Darktrace says the intrusion was identified and remediated before it could escalate beyond the early stages of attack - neutralizing the threat.

This highlights the vital importance of proactive, anomaly-based defense and detection above the more traditional signature-based methods, especially given the rise in persistent, state sponsored threat actors.

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Ellen Jennings-Trace
Ellen Jennings-Trace
Staff Writer

Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.