
Chinese Hackers Found Prowling US ISPs And Stealing Data

A new report from the Wall Street Journal cites insider government sources in warning that Chinese hackers have been actively targeting US ISPs, and have gained access to at least a “handful” of them.

The hackers, a state-backed team referred to as “Salt Typhoon,” were spotted stealing data and planting backdoors and other capabilities meant for use in future cyber attacks. This news closely follows an FBI warning about another Beijing-linked group called “Flax Typhoon” that wields a gigantic botnet against an assortment of targets in rival nations.

Waves of Chinese hackers test US defenses

The report did not name the specific ISPs affected by the campaign beyond implying that the number was relatively small. The intrusions appear to be serious, however, and tie in with the current activities of the assorted other “Typhoon” groups of Chinese hackers that focus on penetrating US government agencies, critical infrastructure and academic research.

Without any official details available about Salt Typhoon, it is impossible to draw a clear connection between all of these campaigns. But Director of Security Research John Dwyer noted in an interview with The Register that Chinese hackers are deploying a “clear strategy” to identify and exploit choke points in the US that could be used for logistical disruptions in the event of a head-on conflict between the two countries.

Chinese hackers are likely targeting ISPs primarily as a means of reconnoitering bigger targets. Privileged access to ISPs could give them the ability to track employees of target companies, but the WSJ report also indicates they are looking to plant disruptive measures to cut off internet access that could be activated later. Chinese hackers generally look to achieve persistent access to the systems they penetrate, though to date this has been mostly for the purpose of quietly extracting more data over time.

There are conflicting reports that the Chinese hackers focused on vulnerabilities in Cisco routers to penetrate the ISPs. One of the WSJ sources said that this was a targeted point of entry, but Cisco has responded to the story by denying that any of its routers were involved.

Though Salt Typhoon is a new name in the media, it represents a group that has been active for at least a few years. The Chinese hackers were responsible for a breach on Microsoft in 2021 that involved Exchange Server vulnerabilities. Microsoft has previously tracked the group as “FamousSparrow” and “GhostEmperor.” It has an established history of combing for unpatched disclosed vulnerabilities, for example being one of the more active threat groups in pursuing Log4j opportunities.

China consistently denies involvement in attacks on the critical infrastructure and government agencies of other countries, and claims that the accusations are fabricated and an attempt to smear its reputation. The accusations against it are hardly limited to the US, however, with numerous other countries now claiming that they have caught Chinese hackers making attempts in their territories.

ISPs the latest in ongoing critical infrastructure campaign

The attack on US ISPs is just part of an extended campaign that appears to have ramped up along with tensions over Taiwan. One of the biggest developments was Microsoft’s January report on the Volt Typhoon group, another team of Chinese hackers that has been working for years to infiltrate the US military and the critical infrastructure that provides vital services to it. The belief is that the team will likely try to shut down internet connectivity, power, water and communications should a military conflict in the region erupt. That group also focuses on unpatched disclosed vulnerabilities, focusing heavily on a known flaw in Versa’s SD-WAN software.

The FBI ended up taking out some of Volt Typhoon’s botnet capability in December of last year, but other groups of Chinese hackers remain highly active. A group called Brass Typhoon focuses on compromising organizations in the Asia-Pacific region, with the dual purpose of positioning for a potential Taiwan conflict and stealing military and energy company files. Another, called Mustang Panda, specifically focuses on communications companies around the world. China also seems to have stepped up its use of private sector contractors in its nation-state hacking programs, though a February report that exposed the extent of these operations indicated that the government is not always entirely happy with the results it is getting from these outfits.

Tensions in the Taiwan Strait flared up again at the start of 2024 with the election of President Lai Ching-te in Taipei, who has taken a more hardline and provocative stance about Taiwanese independence from China than his predecessors. A military conflict in the region remains unlikely due to the extreme risk it would pose to Beijing, but the Chinese government is clearly making preparations for the possibility. Sean Deuby, Principal Technologist at Semperis, warns that this is now a reality for potentially impacted private organizations: “When China’s digital armies of hackers wake up each morning, their singular goal is to infiltrate, surveil, and compromise public and private sector entities in the U.S. and abroad. In fact, before this latest revelation the Biden administration warned U.S. governors that nefarious actors such as China’s Volt Typhoon cyber group were increasing their attacks on the operators of U.S. water treatment plants. I’m not surprised Beijing is claiming plausible deniability in conducting the Salt Typhoon campaign against ISPs; their denial of involvement is hogwash and everyone including their government knows it. Their denial is step 1 in their hacking operation playbook.”

“Today, there is no silver bullet that will solve the cybersecurity challenges facing public and private sector organizations. Well-trained hacking teams like the ones conducting Salt Typhoon are skilled and persistent, and their goal is to breach a network and work stealthily for as long as necessary until they achieve their goal of theft and/or disruptions to critical services,” added Deuby.