China's Salt Typhoon cyber spies are deep inside US ISPs

Expecting a longer storm season this year?


Updated Another Beijing-linked cyberspy crew, this one dubbed Salt Typhoon, has reportedly been spotted on networks belonging to US internet service providers in stealthy data-stealing missions and potential preparation for future cyberattacks.

The Wall Street Journal on Wednesday reported the breaches, citing "people familiar with the matter." The newspaper didn't name the compromised ISPs, but said "a handful" had been broken into by this new Chinese group that investigators are calling Salt Typhoon.

While the US Cybersecurity and Infrastructure Security Agency did not immediately respond to The Register's inquiries about Salt Typhoon and the alleged ISP break-ins, the news follows a series of similar network intrusions that the Feds and private researchers have tied to Chinese government snoops.

A week ago, FBI Director Christopher Wray revealed his agency and international law enforcement disrupted a 260,000-device botnet controlled by a different Beijing-linked goon squad: Flax Typhoon.

This group had been building the Mirai-based botnet since 2021, and most recently targeting US critical infrastructure, government, and academics, according to Wray. 

Typhoon season hits

In a related security advisory, government agencies accused the Flax Typhoon crew of amassing a SQL database containing details of 1.2 million records on compromised and hijacked devices that they had either previously used or were currently using for the botnet.

As recently as August, another Typhoon gang — Volt Typhoon — was accused of hiding in American networks after exploiting a high-severity bug in Versa's SD-WAN software.

Back in February, the US government confirmed that this same Chinese crew had compromised "multiple" US critical infrastructure organizations' IT networks in preparation for "disruptive or destructive cyberattacks" against those targets.

Also last week, Binary Defense revealed details of how it uncovered Chinese state-sponsored spies inside a global engineering firm's network where they had been snooping around for four months.

The infosec shop's Director of Security Research John Dwyer spoke exclusively to The Register about the intrusion, which he said has been attributed to an unnamed People's Republic of China team, whose motivation appeared to be espionage and blueprint theft. 

"I can't really comment on the connection between the incidents, but I can say that given the uptick in Chinese-linked attacks against critical infrastructure supply chains, ISPs, and core internet devices there is a clear strategy at play where attackers are aiming to identify and exploit logical choke points in our society to take control of the flow of information and supplies," he told The Register today when asked about a possible Salt Typhoon connection.

Terry Dunlap, a former US National Security Agency offensive analyst, told The Register that while he doesn't have direct knowledge of the most recent cyber intrusion, "it makes sense for US adversaries to target ISPs due to the large volume and variety of comms moving in and out of ISPs."

"Supply chain infiltration by our adversaries has been a problem I've seen since 2010, specifically with Chinese security cameras and other embedded IoT devices," added Dunlap, chief security strategist at IoT security company NetRise.

And, he noted, it should have been spotted earlier. "Why did it take so long for people to discover this? I've known this type of behavior has been happening for years. Why is the US just now waking up to this long established trend in adversarial TTPs?" Those being tactics, techniques, and procedures.

The Salt Typhoon report "is another example of our adversaries embedding themselves deep within the US infrastructure," Dunlap said. "I believe this is another component of China's 100-Year Strategy."®

Updated to add at 0210 UTC, September 26

CISA Executive Assistant Director for Cybersecurity Jeff Greene told us the agency is aware of the report of the compromised ISPs, and said that China is known to be infiltrating all manner of critical targets.

"CISA and our partners continue to emphasize the risk posed by PRC state-sponsored cyber actors, who have compromised the IT environments across multiple critical infrastructure sectors and organizations," he said in a statement.

"We encourage all organizations to review our latest advisories and guidance, to include our joint Cybersecurity Advisory on identifying and mitigating living off the land techniques, and take action, as appropriate."
