Summary
Four major Chinese state-sponsored Advanced Persistent Threat (APT) groups, Volt Typhoon, Salt Typhoon, Flax Typhoon, and Brass Typhoon, are targeting global critical infrastructure and network devices as part of coordinated cyber espionage campaigns. These groups exploit vulnerabilities in network appliances, IoT devices, and software supply chains to maintain persistent access and exfiltrate sensitive data. Their tactics include living-off-the-land (LOTL) techniques, leveraging legitimate tools, and compromising trusted supply chains, emphasizing the need for robust security measures. The campaigns demonstrate China’s focus on espionage and critical infrastructure disruption. RH-ISAC has collected a summary of recent observances and campaigns, in both the public and the RH-ISAC Member Community.
Community Impact
Retail and hospitality sectors are vulnerable to the sophisticated techniques used by Chinese APT groups. Exploiting network devices and IoT systems, these attackers could disrupt operations, steal customer data, or manipulate supply chain systems crucial to these industries. IoT devices, commonly used in retail and hospitality for security cameras and smart devices, are prime targets, increasing the risk of botnet attacks or persistent surveillance.
Mitigating these threats requires a combination of behavioral monitoring, robust patch management, and segmentation of critical systems. RH-ISAC Core Members must regularly audit device configurations, monitor command-line activity for anomalies, and secure IoT and network appliances. These campaigns underscore the importance of a proactive cybersecurity strategy to defend against advanced, state-sponsored actors, and the RH-ISAC has provided the following notable campaign with analysis below for Member awareness.
Campaign Analysis
The campaigns led by Volt Typhoon, Salt Typhoon, Flax Typhoon, and Brass Typhoon illustrate the evolving tactics of Chinese APT groups targeting critical infrastructure globally:
Volt Typhoon focuses on U.S. communications infrastructure, using LOTL techniques and compromised Fortinet devices to extract credentials and maintain stealthy persistence. Their reliance on SOHO routers for traffic proxying and their focus on pre-positioning within systems highlight a strategic, long-term approach to critical infrastructure disruption.
Salt Typhoon has gained recent, significant notoriety for targeting Internet Service Providers (ISPs) to gather sensitive metadata and wiretap data, employing backdoor malware such as GhostSpider and Masol RAT. They exploit known vulnerabilities, including Ivanti Connect Secure, which the RH-ISAC Intelligence Team reported on as recently as 12 October 2024, and ProxyLogon, and use tools like PsExec and WMIC to blend into legitimate network activity. The group’s focus on telcos underlines their role in high-value espionage operations.
Flax Typhoon distinguishes itself by leveraging IoT devices for network access and botnet creation. By exploiting IoT vulnerabilities, the group conducts reconnaissance, exfiltration, and command-and-control operations, often targeting Taiwanese and global entities. Their use of compromised devices like DVRs and cameras for scanning and persistence reflects the growing importance of securing IoT infrastructure.
Brass Typhoon has been linked to a sophisticated cyber campaign targeting the gambling and gaming industry. Over at least six months, APT41 shifted from traditional espionage to financially motivated attacks, using techniques like Phantom DLL Hijacking and WMIC.exe abuse for persistence and evasion. They further deployed sophisticated malware to establish communication with Command-and-Control (C2) servers, allowing them to profile infected systems and target machines within specific VPN subnets for further exploitation. APT41 adapted their tools and tactics based on the security team’s responses, maintaining persistent access to the compromised network for nearly nine months. RH-ISAC Intelligence Team previously reported on this campaign on 22 October 2024.
