
China's State-Sponsored Hacker Group Salt Typhoon Targets Telecom Firms in Southeast Asia with New GhostSpider Malware

Cybersecurity group Trend Micro said that Salt Typhoon, also known as Earth Estrie, has used a backdoor malware called GhostSpider, which is designed to evade detection and carry out long-term espionage.
 

In a new and worrying development, China's state-sponsored hacker group Salt Typhoon has been targeting telecommunications companies in Southeast Asia using previously unseen malware. Cybersecurity group Trend Micro said that Salt Typhoon, also known as Earth Estrie, has used a backdoor malware called GhostSpider, which is designed to evade detection and carry out long-term espionage.

Salt Typhoon has been in the spotlight following its involvement in recent China-linked espionage activities, compromising multiple U.S. telecom firms, including major names like Verizon, AT&T, and T-Mobile. The group’s attacks primarily targeted customer data, focusing on individuals involved in government or political activities. Now, their focus has shifted to the Southeast Asian telecom sector.

According to Trend Micro's report, the group's malware, GhostSpider, is a multi-modular backdoor. The design is highly adaptable: attackers can deploy or update malware modules independently, depending on the needs of the target. This complicates detection and makes the malware hard to analyze.

Salt Typhoon Campaign in Southeast Asia

The hacker group has successfully compromised more than 20 organizations in different sectors, including telecom, technology, and transportation. In their new attack campaign, they have compromised telecom firms in Southeast Asia, using vulnerabilities in public-facing servers to gain initial access.

After gaining access to a network, Salt Typhoon uses legitimate tools for lateral movement within the system, then deploys GhostSpider and other malware for long-term monitoring. Masol, a remote access trojan that the group has used since 2019, was updated to target Linux devices in these Southeast Asian countries.

Challenges in Detecting Salt Typhoon

The modular nature of GhostSpider allows Salt Typhoon to keep updating its attack tools without triggering detection mechanisms, making it difficult for cybersecurity researchers to assess the full scope and functionality of the malware. The sophistication of the hackers' tactics indicates the complexity and scale of Salt Typhoon's operations, which are continually evolving.

Protection Measures for Telecom Firms

Combating threats such as Salt Typhoon will require increasingly comprehensive strategies for securing the telecom industry against cyberattacks, especially patching vulnerabilities, monitoring networks intensively, and implementing more sensitive threat detection systems.

Salt Typhoon's recent campaign in Southeast Asia is a stark reminder of the burgeoning threat posed by state-sponsored hackers. The GhostSpider malware marks a large shift in the group's tactics, underlining the need for businesses to strengthen their defenses and remain vigilant about evolving cyber threats.
