Advanced Persistent Threats: Unveiling the Cyber Espionage Tactics of Chinese Hackers

Advanced Persistent Threats Targeting US ISPs

Advanced persistent threats (APTs) linked to Chinese state-sponsored hackers have infiltrated multiple US internet service providers (ISPs), primarily aimed at cyber espionage. A recent WSJ report highlights how the APT group known as Salt Typhoon is believed to have accessed these ISPs in pursuit of sensitive intelligence.

Infiltration Techniques and Vulnerabilities

According to reports, investigators are assessing whether the hackers targeted Cisco Systems routers, critical components in managing internet traffic. Despite Cisco's denial of any specific router involvement in these threats, the breach represents significant vulnerabilities within US cyber infrastructure.

• The Salt Typhoon group is also tracked by Microsoft under the names GhostEmperor and FamousSparrow.
• Unpatched vulnerabilities in Microsoft Exchange Servers have previously enabled these threat actors to gain initial access.

Exploitation of Zero-Day Vulnerabilities

Chinese hackers, particularly those affiliated with the government, frequently exploit zero-day vulnerabilities to maintain persistence. For instance, Volt Typhoon has been observed taking advantage of a zero-day vulnerability in Versa Director, a critical software for managing SD-WAN infrastructure.

Government Response and Cybersecurity Implications

In February, the FBI highlighted the threat activities of Volt Typhoon, noting its compromises across critical infrastructure sectors, including communications and energy.

1. FBI's December 2023 operation showcased the agency's effort to disrupt Volt Typhoon's operations by dismantling a botnet targeting US-based SOHO routers.

It is imperative to address and mitigate these strategies employed by APT groups like Salt Typhoon and Volt Typhoon, as their activities pose severe risks to national security and critical communications.