- Notorious hacking group Salt Typhoon has likely been targeting Telecom orgs
- Researchers identified tactics previously used by the group
- Salt Typhoon breached up to 8 US telecom networks in a huge cyber-espionage campaign
Notorious Chinese hacking group Salt Typhoon has been once again linked to intrusions against telecommunications firms – this time in Europe.
A new report from Darktrace claims the group has been observed, “targeting global infrastructure using stealthy techniques such as DLL sideloading and zero-day exploits.”
The early stage intrusion activity detected mirrors previous Salt Typhoon tactics, such as the prolific attacks on up to 8 different telecom organizations in a far reaching and potent multi-year campaign which resulted in the group stealing information from millions of American telecom customers using a high severity Cisco flaw to gain access and eventually collect traffic from the networks devices were connected to.
DLL side-loading
In the latest incident, Darktrace assessed with moderate confidence that Salt Typhoon abused legitimate tools with stealth and persistence – exploiting a Citrix NetScaler Gateway appliance to obtain initial access.
From there, the criminals deployed Snappybee malware, also known as Deed RAT, which is launched using a technique called DLL side-loading – another tactic commonly used by Chinese threat actors.
“The backdoor was delivered to these internal endpoints as a DLL alongside legitimate executable files for antivirus software such as Norton Antivirus, Bkav Antivirus, and IObit Malware Fighter,” Darktrace explained.
”This pattern of activity indicates that the attacker relied on DLL side-loading via legitimate antivirus software to execute their payloads. Salt Typhoon and similar groups have a history of employing this technique, enabling them to execute payloads under the guise of trusted software and bypassing traditional security controls.”
Darktrace says the intrusion was identified and remediated before it could escalate beyond the early stages of attack – neutralizing the threat.
This highlights the vital importance of proactive, anomaly-based defense and detection above the more traditional signature-based methods, especially given the rise in persistent, state sponsored threat actors.
The best antivirus for all budgets
