- Notorious hacking group Salt Typhoon likely targets telecommunications organizations
- Researchers identified tactics previously used by the group
- Salt Typhoon hacked up to 8 US telecommunications networks in massive cyberespionage campaign
The notorious Chinese hacker group Salt Typhoon has once again been linked to intrusions against telecommunications companies – this time in Europe.
A new report from Darktrace claims that the group has been observed “targeting global infrastructure using stealth techniques such as DLL sideloading and zero-day exploits.”
The early-stage intrusion activity detected here mirrors previous Salt Typhoon tactics. In an earlier large and powerful multi-year campaign, the group attacked up to 8 different telecommunications organizations and stole information belonging to millions of U.S. telecommunications customers, using a high-severity Cisco vulnerability to access network devices and ultimately collect the traffic from the networks to which those devices were connected.
Sideloading DLLs
In the latest incident, Darktrace assessed with moderate confidence that Salt Typhoon abused legitimate tools with stealth and persistence, exploiting a Citrix NetScaler Gateway appliance to gain initial access.
From there, the criminals deployed Snappybee malware, also known as Deed RAT, which is launched using a technique called DLL sideloading, another tactic commonly used by Chinese threat actors.
“The backdoor was delivered to these internal endpoints as a DLL alongside legitimate executable files for antivirus software such as Norton Antivirus, Bkav Antivirus, and IObit Malware Fighter,” Darktrace explained.
“This activity pattern indicates that the attacker relied on sideloading DLLs through legitimate antivirus software to execute their payloads. Salt Typhoon and similar groups have a history of using this technique, allowing them to execute payloads under the guise of trusted software and bypassing traditional security controls.”
Darktrace claims that the intrusion was identified and remediated before it could extend beyond the early stages of the attack, thereby neutralizing the threat.
This highlights the vital importance of proactive anomaly-based defense and detection over more traditional signature-based methods, especially given the increase in persistent and state-sponsored threat actors.