Salt Typhoon, Exploit Public-Facing Web App, PowerShell, Data Encrypted for Impact
Threat Objects & Tags
A new object and Technique Relationships for the China-backed espionage group Salt Typhoon, which recently gained attention following reports that it targeted U.S. telecom companies.
Few technical details have been reported about the group's recent attacks, but we published two Campaigns for groups thought to overlap with Salt Typhoon: GhostEmperor & FamousSparrow. Interested users should add these Campaign objects to their Threat Profiles directly, because Groups do not inherit their Campaigns' Techniques in Threat Profiles.
Custom weightings could be applied based on the recency of each Campaign (our approach) and/or on users' confidence in the overlap between the threat clusters reported by different vendors.
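One way to realise that weighting, as an added example written for this page (Python, not Tidal's own code or API): each Campaign contributes recency × overlap-confidence to every Technique it reports, and Techniques are ranked by the sum. Everything below is constructed: the Campaign names, dates and confidence values are placeholders, the exponential half-life decay is an assumed scoring choice, and the Technique IDs are the MITRE ATT&CK IDs for the Techniques named elsewhere on this page, used here only as sample data rather than as the contents of any real Campaign.

```python
"""Recency- and confidence-weighted Technique scoring across Campaigns.

Added example, not Tidal's code. All campaign names, dates, confidence
values and technique assignments are constructed placeholders.
"""
from datetime import date
from math import exp, log

# Assumption: a Campaign's weight halves every HALF_LIFE_DAYS of age.
HALF_LIFE_DAYS = 365.0


def recency_weight(reported: date, today: date,
                   half_life_days: float = HALF_LIFE_DAYS) -> float:
    """Exponential decay in (0, 1]: 1.0 for a Campaign reported today,
    0.5 after one half-life."""
    age_days = max((today - reported).days, 0)  # future-dated entries count as fresh
    return exp(-log(2) * age_days / half_life_days)


def weighted_techniques(campaigns: list[dict], today: date,
                        half_life_days: float = HALF_LIFE_DAYS) -> dict[str, float]:
    """Sum each Campaign's (recency * overlap_confidence) onto every Technique
    it reports.

    A Technique seen in several Campaigns accumulates weight; one seen only in
    an old, low-confidence Campaign scores low. The result is sorted by
    descending score, ties broken by Technique ID so the order is deterministic.
    """
    scores: dict[str, float] = {}
    for campaign in campaigns:
        weight = (recency_weight(campaign["reported"], today, half_life_days)
                  * campaign["overlap_confidence"])
        for technique in campaign["techniques"]:
            scores[technique] = scores.get(technique, 0.0) + weight
    return dict(sorted(scores.items(), key=lambda kv: (-kv[1], kv[0])))


# Constructed sample input (placeholders, not real Campaign contents): a recent
# Campaign from a cluster the analyst is only moderately confident overlaps the
# group of interest, and an older Campaign from a cluster they are confident about.
TODAY = date(2024, 12, 1)
SAMPLE_CAMPAIGNS = [
    {"name": "campaign_recent", "reported": date(2024, 9, 1), "overlap_confidence": 0.6,
     "techniques": ["T1190", "T1059.001"]},   # Exploit Public-Facing App, PowerShell
    {"name": "campaign_older", "reported": date(2022, 9, 1), "overlap_confidence": 0.9,
     "techniques": ["T1059.001", "T1486"]},   # PowerShell, Data Encrypted for Impact
]


def rank_sample() -> list[str]:
    """Technique IDs from the sample, highest weighted first."""
    return list(weighted_techniques(SAMPLE_CAMPAIGNS, TODAY))


if __name__ == "__main__":
    for technique, score in weighted_techniques(SAMPLE_CAMPAIGNS, TODAY).items():
        print(f"{technique:10} {score:.3f}")
```

With these inputs the Technique shared by both Campaigns (T1059.001) ranks first, the recent but lower-confidence Campaign's unique Technique second, and the old high-confidence Campaign's unique Technique last; shortening the half-life pushes older reporting down further, while raising a cluster's overlap confidence pulls its Techniques back up.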
Surface additional Techniques related to other, similar groups by visiting the Groups List page ("Groups" in the lefthand nav menu) and filtering on metadata such as Attribution Country == China, Motivation == Cyber Espionage, and Observed Sectors == Telecommunications. Use each Group's References tab to judge which groups are likely to have been active more or less recently (each of the Groups published by Tidal (Source == Tidal Cyber) was added in 2024, and others such as Volt Typhoon, Aquatic Panda, & APT41 have been updated within the past year).
Threat Profiles: Monthly updates to Tidal’s curated “Major & Emerging Ransomware & Extortion Threats” and “Tidal Trending Techniques” Threat Profiles
Overall reporting volumes rose sharply last month relative to prior months, so many commonly observed Techniques (e.g. Exploit Public-Facing Web App, PowerShell, Data Encrypted for Impact) appear in this month's Trending Techniques update. That is a good opportunity to double-check coverage against even mainstay attacker behaviors.