Salt Typhoon hacks highlight vulnerabilities to Chinese attacks

The recent cyberattacks dubbed "Salt Typhoon" have brought renewed focus on the persistent threat posed by hacking groups linked to China. These cybercriminals have reportedly infiltrated networks belonging to critical infrastructure providers in the United States, raising alarms about the vulnerabilities in both public and private sectors.

Sean Deuby, Principal Technologist at Semperis, has provided commentary on the issue, stressing that the scope and intent of these attacks should not come as a surprise. "It should surprise no one that hacking groups linked to China have again stealthily infiltrated the networks of critical infrastructure providers in the U.S. The threat their hackers pose to democratic nations is massive," he said.

Deuby further warned that these state-sponsored cyberattacks are a wakeup call for organisations, ranging from water treatment plants and airports to oil and gas companies, healthcare providers, and internet service providers (ISPs). "Public and private sector companies such as water treatment plants, airports, oil & gas companies, healthcare organisations, and ISPs: you are in China's crosshairs," he added.

The motivation behind these cyberattacks is clear, according to Deuby. "When China's digital armies of hackers wake up each morning, their singular goal is to infiltrate, surveil, and compromise public and private sector entities in the U.S. and abroad," he stated. This aligns with recent warnings from the Biden administration about increased attacks from groups like Volt Typhoon, which have been targeting operators of U.S. water treatment plants.

Beijing's plausible deniability regarding involvement in the Salt Typhoon attacks has been met with scepticism. "I'm not surprised Beijing is claiming plausible deniability in conducting the Salt Typhoon campaign against ISPs; their denial of involvement is hogwash and everyone including their government knows it. Their denial is step 1 in their hacking operation playbook," Deuby asserted.

He also recalled previous incidents that underline the ongoing cyber struggle between the U.S. and China. "Last year's hacking of State Department emails prior to Secretary Blinken's visit to Beijing is another reminder that both countries continue playing the dangerous game of cat and mouse," Deuby mentioned. The email breach was aimed at intelligence gathering to uncover the Biden administration's strategies, indicating the persistent nature of these cyber espionage activities.

According to Deuby, combating such sophisticated cyber threats is not straightforward. "Today, there is no silver bullet that will solve the cybersecurity challenges facing public and private sector organisations. Well-trained hacking teams like the ones conducting Salt Typhoon are skilled and persistent and their goal is to breach a network and work stealthy for as long as necessary until they achieve their goal of theft and/or disruptions to critical services," he noted.

One consistent element across these cyber campaigns is the use of identity exploitation for initial access, propagation, and privilege escalation. "For example, Volt Typhoon harvested Active Directory-based credentials from Fortinet internet-facing devices for initial access," Deuby highlighted. He recommended several measures for organisations to fortify their defences, emphasising the importance of protecting mission-critical systems.

Deuby advocated for continuous threat hunting, increased security audits, employee security awareness training, and securing identity systems like Active Directory as critical steps. "Organisations should prioritise protecting these mission-critical systems that are always targeted by threat actors, whether they're nation state actors or cybercriminals. This includes around the clock threat hunting, increasing security audits, organising security awareness training for employees, and locking down their identity system, likely Active Directory because it's a hacker's highway," Deuby advised.

The commentary from Semperis underscores the urgent need for both public and private sector entities to bolster their cybersecurity measures in the face of escalating threats from state-sponsored hacking groups.