Salt Typhoon
Overview
Salt Typhoon is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and is responsible for numerous compromises of network infrastructure at major U.S. telecommunications and internet service providers (ISPs).
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1190
TTPs — 14 techniques across 10 tactics
Reconnaissance
- T1590.004 Network Topology
Initial Access
Persistence
- T1098.004 SSH Authorized Keys
- T1136 Create Account
Defense Impairment
- T1685.006 Clear Linux or Mac System Logs
- T1686 Disable or Modify System Firewall
Credential Access
- T1040 Network Sniffing
- T1110.002 Password Cracking
Lateral Movement
- T1021.004 SSH
Collection
- T1602.002 Network Device Configuration Dump
Command and Control
- T1572 Protocol Tunneling
Exfiltration
Tools & malware (1)
- JumbledPath
Reporting (2)
- Weathering the storm: In the midst of a Typhoon — Cisco Talos
- Treasury Sanctions Company Associated with Salt Typhoon and Hacker Associated with Treasury Compromise — US Department of Treasury