- Notorious hacking group Salt Typhoon has likely been targeting telecom organizations
- The researchers identified tactics previously used by the group.
The well-known Chinese hacking group Salt Typhoon has again been linked to intrusions against telecommunications companies, this time in Europe.
A new report from Darktrace states that the group has been observed “targeting global infrastructure using stealthy techniques such as DLL downloading and zero-day exploits.”
The early-stage intrusion activity detected mirrors previous Salt Typhoon tactics, such as the prolific attacks on up to 8 different telecommunications organizations in a powerful, long-running, multi-year campaign in which the group stole information from millions of U.S. telecommunications customers, using a high-severity Cisco flaw to gain access to the devices and eventually collect traffic from the networks they were connected to.
DLL sideloading
In the latest incident, Darktrace assessed with moderate confidence that Salt Typhoon was abusing legitimate tools with stealth and persistence, exploiting a Citrix NetScaler Gateway appliance to gain initial access.
From there, the criminals deployed the Snappybee malware, also known as Deed RAT, which is launched using a technique called DLL sideloading, another tactic commonly used by Chinese threat actors.
“The backdoor was delivered to these internal endpoints as a DLL along with legitimate executable files for antivirus software such as Norton Antivirus, Bkav Antivirus, and IObit Malware Fighter,” Darktrace explained.
“This pattern of activity indicates that the attacker relied on DLL sideloading via legitimate antivirus software to execute their payloads. Salt Typhoon and similar groups have a history of employing this technique, allowing them to execute payloads under the guise of trusted software and bypassing traditional security controls.”
Darktrace says the intrusion was identified and remediated before it could escalate beyond the early stages of the attack, neutralizing the threat.
This highlights the vital importance of proactive anomaly-based defense and detection over more traditional signature-based methods, especially given the rise of state-sponsored persistent threat actors.