Deeper Insights into the Recent U.S. Telecom Provider Hacks, and Chinese APT Activity
This cyber threat intelligence investigation covers the who, what, why, when, and how of the recent state-sponsored Chinese cyberattacks on U.S. telecommunications providers, as well as how they fit into a broader picture of cyber-espionage that displays years of rising geopolitical tensions.
This is my first in-depth CTI investigation, so let me know what you think!
Created by SirPicklJohn (Ayden Parsons)
A story from the Intelphreak CTI Report
BRIEFING:
Government-sponsored Chinese threat actors have infiltrated U.S. critical infrastructure to intercept politically-relevant communications and prepare for massive supply-chain cyberattacks (i.e., Cyberwar), should U.S.-China geopolitical tensions rise. Recent Chinese attacks on telecommunications companies have raised awareness and display the growing severity of this issue, though in reality this threat has existed for several years. These attacks are broadly attributed to Salt Typhoon, one of four major Chinese APT groups relevant to this campaign. Specifically, a major Beijing-based cybersecurity company is responsible for some of Salt Typhoon’s operations, and is also known to sponsor cyber ranges and hacking competitions that funnel talent to China’s intelligence agencies.
These threat actors employ layers of stealth by proxying through massive botnets comprised of SOHO routers and IoT devices (IP, NVR, and DVR cameras, NAS storage devices, etc.), as well as using LOTL techniques.
These threat actors also expand influence not only through direct infiltration of the network perimeter, but by exploiting business relationships and poisoning/finding exploits in software update and firmware supply chains.
A sobering statistic: The above undoubtedly contributes to the ISC2 statistic cited by the House Committee on Homeland Security that 75% of cyber workers say that the threat landscape is the most difficult it has ever been in the last five years. This is compounded by the fact that, at the same time, 48% of cyber workers say they don't have adequate organizational support or resources.^1
FOR INVESTIGATORS:
These threat actors know much of the information that U.S. investigators have on them. Chinese hackers have widespread access to U.S. infrastructure, and have been known to access and copy court orders and requests for federal court surveillance as stated in an interview with the director of the NCSC. This includes information that China can use to better mask its intelligence operatives or pass disinformation to U.S. intelligence.^14 While classified, it has been inferred that these orders also include intelligence collected under the Foreign Intelligence Surveillance Act.^15
A large, publicly-traded Beijing-based cybersecurity company called the Integrity Technology Group has strong evidence linking it to both direct espionage and botnet-management activity attributed to "Flax Typhoon". This company also sponsors and hosts cyber ranges and hacking competitions that are known to be a major part of talent-acquisition programs for China's intelligence agencies.
FOR DETECTION ENGINEERS
Skip to the bottom of this report for IP addresses, files, and tools used in these cyberattacks!
> What's Happening?
The what, how, and when.
In recent news, you may have seen headlines like "Chinese hackers stole large amounts of Americans' phone data...", "Chinese hackers are deep inside America's telecoms networks", or even a joint announcement between CISA and FBI that warns Americans to switch to using encrypted communications, all detailing how a threat actor named "Salt Typhoon" has compromised U.S. internet service providers and telecommunications companies, accessing the call and text metadata from American civilians.
The context is that at least eight U.S. telecom providers (and more carriers worldwide) have been compromised for "months or longer" by Salt Typhoon, which may still be maintaining that access.^13^16 Named telecoms that were compromised include AT&T, Verizon, Lumen Technologies, and T-Mobile, and while the majority of compromised data consists of call and text metadata, some cases have reported that actual content and audio snippets of calls were intercepted.^2
Salt Typhoon is one of four major Chinese APTs related to campaigns on the United States^3:
- Salt Typhoon - ISP Intrusions and Persistence: Active since at least 2019, this APT is responsible for the recent ISP intrusions and persistence in U.S. telecom providers, as well as compromising internet-connected devices for stealth and persistence. It exploits known vulnerabilities and deploys backdoor malware (GhostSpider, SnappyBee, Masol RAT, and the Demodex Windows rootkit), while utilizing anti-forensics and anti-analysis techniques. Historically, they have also infiltrated hotels and government agencies across the world.^5
- Volt Typhoon - Stealth and Espionage: Active since 2021, this APT prioritizes stealth and espionage in targeting critical infrastructure. It avoids using malware, leverages LOTL techniques (e.g., using PowerShell and legitimate Windows tools), exploits zero-day vulnerabilities, and proxies its traffic through a botnet of SOHO routers and compromised VPSs to launch attacks from devices both located physically near and in the same IP space as its victims.^4^7 A 24-page, multinational joint advisory amongst various government security departments states that this actor can "evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products...and limit the amount of activity that is captured in default logging applications".^4
- Flax Typhoon - Hijacking and Pivoting Off IoT Devices: Originally focused on compromising Taiwanese government, education, critical manufacturing, and IT organizations, but now expanding its operations to Africa, Southeast Asia, and North America, this actor is primarily known for installing Mirai-based botnet malware on SOHO routers (much like Volt Typhoon), in addition to IoT devices (including IP cameras, DVRs, and NAS devices) with x86, MIPS, ARM, PPC, and SH4 processors. As of June 2024, the botnet contained over 385,000 U.S. devices, and over 1.2 million worldwide (with 260,000 worldwide and 126,000 in the U.S. being actively infected).
- Velvet Ant - Supply Chain Attacks: Arguably the least-known APT in this list, this actor's focus is on targeting critical software updates and firmware supply chains, so as to indirectly infiltrate larger networks.
Very important to note here is that all of these Typhoon groups have been observed to share VERY similar TTPs, especially in the usage of LOTL techniques (using legitimate pre-installed tools already on the victim device for malicious purposes), their use of botnets of SOHO routers and IoT devices, and exploiting supply-chain relationships.
> Finding Who Did It
Answering the "why" and attributing the "who".
As mentioned before, the four major Chinese APT groups targeting the U.S. in recent cyberattacks bear striking resemblance to each other in their TTPs. This fact should be kept in mind given the inherent difficulties in attributing cyberattacks to specific APTs; in the words of the open-source, peer-reviewed QIL journal, "attribution in cyberspace is quite complex due to the technical dimension of cyber attacks but also due to anonymity, the potential for impersonation, the multi-layer nature of cyber attacks, the ability to hijack devices or use private and secure networks to commit attacks"^9.
I preface this section with this fact because, while we can't necessarily know just how interconnected these four APT groups are with each other, we know they are very similar, we know there is overlap in their operations, and we do know the real-world entity behind major operations and cyberattacks attributed to the Flax Typhoon APT. A publicly released affidavit (written statement of truth) from the FBI made this attribution from the following data:^8
- The C2 servers running the Mirai botnet (operating on the subdomains of w8510[.]com) communicated with upstream management servers, and those upstream management servers hosted an application (named "Sparrow") for managing those C2 servers and their bots. This included assigning tasks to bots, downloading or uploading files, remotely executing commands, growing the botnet, conducting cyber attacks, or accessing the information stored in a MySQL database that the upstream servers hosted (which contained logs, including how many computers were in the botnet, as well as the IP addresses that regularly accessed the Sparrow application). The IP addresses that accessed the Sparrow application include those attributed to Flax Typhoon hackers. The source code for the Sparrow application was stored at https[:]//git.li-exp[.]com/krlab/project_maque.git, as well as https[:]//git.li-exp[.]com/[REDACTED-NAME-1]/sparrow/-/jobs/42911 (these repositories contained a "vulnerability arsenal" used to conduct attacks, with an additional reference to "KRLab" in it), and "KRLab" is one of three brands that the publicly-traded security company "Integrity Technology Group" (headquartered in Beijing, China) uses.
- Integrity Technology Group applied for a patent for technology to install and configure multiple proxy services that a network of nodes (like a botnet) could use to obfuscate the true location of the nodes' activities. The patent detailed the proxy nodes would consist of the EXACT processor architectures that the compromised devices in the Mirai-botnet had (x86, MIPS, ARM, PPC, and SH4 architectures), with the inventors being KRLab and [REDACTED-NAME-1].
This attribution was further reiterated in another multinational joint advisory on the People's Republic of China^10, as well as a speech from the Director of the FBI^11. I highly recommend you read the FBI affidavit (footnote 8) for more details, and don't just rely on my summary here!
In a report by Recorded Future News that covered the formal accusation of Integrity Technology Group for running Flax Typhoon's botnet by the Director of the FBI, further details were provided:^12
- Integrity Technology Group, worth $318 million with $56 million in revenues (as of the writing of the report, September 18th, 2024), runs the "Matrix Cup" hacking competition, in addition to various cyber ranges that are involved in Chinese intelligence agency talent identification.
- The chairman of Integrity Technology Group has openly admitted that the company has, for years, collected intelligence and performed reconnaissance for various Chinese government security agencies.
> MITIGATIONS
A recap of the initial brief, including recommendations and mitigations:
Government-sponsored Chinese threat actors have infiltrated U.S. critical infrastructure to intercept politically-relevant communications and prepare for massive supply-chain cyberattacks (i.e., Cyberwar), should U.S.-China geopolitical tensions rise. Recent Chinese attacks on telecommunications companies have raised awareness and display the growing severity of this issue, though in reality this threat has existed for several years.
- MITIGATION: Use PERSEC, encrypted communication platforms like Signal, and good cybersecurity hygiene to protect your and your family's information, data, network, devices, and communications, especially when big providers get compromised.
These threat actors employ layers of stealth by proxying through massive botnets comprised of SOHO routers and IoT devices (IP, NVR, and DVR cameras, NAS storage devices, etc.), as well as using LOTL techniques.
- MITIGATION: Behavioral analysis, in addition to deploying the full range of basic-to-advanced cybersecurity defenses (changing default credentials, patching, centralized logging, system hardening, disabling unnecessary software, hack tool and fileless malware detection, etc.).
These threat actors also expand influence not only through direct infiltration of the network perimeter, but by exploiting business relationships and poisoning/finding exploits in software update and firmware supply chains.
- MITIGATION: Zero-day vulnerability defense, third-party and supply chain risk management, and patch management.
The above undoubtedly contributes to the ISC2 statistic cited by the House Committee on Homeland Security that 75% of cyber workers say that the threat landscape is the most difficult it has ever been in the last five years. This is compounded by the fact that, at the same time, 48% of cyber workers say they don't have adequate organizational support or resources.
- MITIGATION: Upskill your current cybersecurity workforce so their experience doesn't turn stale, garner more support from leadership, and encourage regular consumption of cybersecurity news and threat intelligence.
> IP Addresses, Hashes, and Tools Used
For the Detection Engineers and Firewall Administrators
Note that this information, including other items and indicators of compromise not mentioned here, is included in the 24-page international joint advisory mentioned earlier in this report.
IP Addresses:
- 23.236.68.193
- 37.9.35.89
- 91.216.190.156
- 91.216.190.247
- 91.216.19.74
- 92.38.185.43-47
Malicious Files and Executables
- Legitimate Tools (used in LOTL):
certutil, dnscmd, ldifde, makecab, net user/group/use, netsh, nltest, ntdsutil, PowerShell, reg query/save, systeminfo, tasklist, wevtutil, wmic, xcopy
- File Locations (and subdirectories):
C:\Users\Public\Appfile
C:\Users\Perflogs
C:\Windows\Temp
- File Names:
backup.bat, cl64.exe, update.bat, Win.exe, billagent.exe, nc.exe, update.exe, WmiPrvSE.exe, billaudit.exe, rar.exe, vm3dservice.exe, WmiPreSV.exe, cisco_up.exe, SMSvcService.exe, watchdogd.exe
- Randomly created files in the format C:\Windows\[a-zA-Z]{8}.exe
- Hacktools:
- Secretsdump.py (Impacket)
- Invoke-NinjaCopy (PowerShell)
- DSInternals (PowerShell)
- FgDump
- Metasploit
Also, note that compromised entities can seek guidance from CISA's eviction guidance for compromised Active Directory/M365 networks (under the "Eviction" section).
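As an added example (not part of the original report or the advisory), a small Python triage script that encodes the indicators listed above: the IP list with the 92.38.185.43-47 range expanded, the staging directories and dropped file names, the randomly named C:\Windows\[a-zA-Z]{8}.exe pattern, and the LOTL tool names, run over constructed sample events. The event shape and sample values are assumptions, not telemetry from the advisory.

```python
import re

# Indicators copied from the report above; 92.38.185.43-47 expanded to single addresses.
IOC_IPS = {"23.236.68.193", "37.9.35.89", "91.216.190.156", "91.216.190.247",
           "91.216.19.74"} | {f"92.38.185.{n}" for n in range(43, 48)}
STAGING_DIRS = (r"c:\users\public\appfile", r"c:\users\perflogs", r"c:\windows\temp")
DROPPED_NAMES = {"backup.bat", "cl64.exe", "update.bat", "win.exe", "billagent.exe",
                 "nc.exe", "update.exe", "wmiprvse.exe", "billaudit.exe", "rar.exe",
                 "vm3dservice.exe", "wmipresv.exe", "cisco_up.exe", "smsvcservice.exe",
                 "watchdogd.exe"}
RANDOM_EXE = re.compile(r"^c:\\windows\\[a-z]{8}\.exe$", re.IGNORECASE)  # C:\Windows\[a-zA-Z]{8}.exe
LOTL_TOOLS = {"certutil", "dnscmd", "ldifde", "makecab", "net", "netsh", "nltest",
              "ntdsutil", "powershell", "reg", "systeminfo", "tasklist", "wevtutil",
              "wmic", "xcopy"}

def check_path(path):
    # Names such as WmiPrvSE.exe or rar.exe also exist legitimately, so a name
    # hit outside a staging directory is a triage lead, not a verdict.
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    if RANDOM_EXE.match(p):
        return "random 8-letter exe in C:\\Windows"
    in_staging = any(p.startswith(d + "\\") for d in STAGING_DIRS)
    if name in DROPPED_NAMES:
        return "listed file name" + (" in staging dir" if in_staging else "")
    return "file in staging dir" if in_staging else None

def check_cmdline(cmdline):
    # Return the tool name when the process image is one the report lists as LOTL.
    image = cmdline.strip().split()[0].strip('"').lower().rsplit("\\", 1)[-1]
    image = image[:-4] if image.endswith(".exe") else image
    return image if image in LOTL_TOOLS else None

# Constructed sample events (assumed shape: simplified process/file/network telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": r"C:\Windows\System32\wmic.exe process list brief"},
    {"type": "file", "path": r"C:\Users\Public\Appfile\bin\billagent.exe"},
    {"type": "file", "path": r"C:\Windows\kfdbrtgo.exe"},
    {"type": "net", "dst_ip": "92.38.185.45"},
]

def triage(events):
    hits = []  # (kind, detail) pairs for every event that matches an indicator
    for e in events:
        if e["type"] == "process" and (t := check_cmdline(e["cmdline"])):
            hits.append(("lotl", t))
        elif e["type"] == "file" and (r := check_path(e["path"])):
            hits.append(("file", r))
        elif e["type"] == "net" and e["dst_ip"] in IOC_IPS:
            hits.append(("ip", e["dst_ip"]))
    return hits
```

LOTL hits on tools like wmic or tasklist are expected in normal administration, so feed them into the behavioral analysis the mitigations section calls for rather than alerting on each one.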
Thank you for reading!
References
- Chairman Green Introduces “Cyber PIVOTT Act” to Tackle Government Cyber Workforce Shortage, Create Pathways for 10,000 New Professionals (September 24, 2024)
- 'Large number' of Americans' metadata stolen by Chinese hackers, senior official says (December 4, 2024)
- The Rise of Chinese APT Campaigns: Volt Typhoon, Salt Typhoon, Flax Typhoon, and Velvet Ant (October 24, 2024)
- Joint Cybersecurity Advisory - People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection (June 1, 2023)
- Salt Typhoon - Wikipedia (December 2024)
- Volt Typhoon - MITRE ATT&CK (May 21, 2024)
- Volt Typhoon targets US critical infrastructure with living-off-the-land techniques (May 24, 2023)
- FBI Affidavit and Search and Seizure Warrant (September 9, 2024)
- Cyber Attribution Agencies: A Sceptical View - QIL (July 31, 2024)
- Joint Advisory - People’s Republic of China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations (September 18, 2024)
- Director Wray's Remarks at the 2024 Aspen Cyber Summit (September 18, 2024)
- Company listed on Shanghai stock exchange accused of aiding Chinese cyberattacks (September 18, 2024)
- Wyden proposes bill to secure US telecoms after Salt Typhoon hacks (December 10, 2024)
- Counterintelligence director reveals extent of damage from China telecom hacks (December 12, 2024)
- Investigation into Chinese hacking reveals ‘broad and significant’ spying effort, FBI says (November 13, 2024)
- Chinese hack of global telecom providers is 'ongoing,' officials warn (December 3, 2024)