Salt Typhoon
Threat Content Highlights
Threat Objects
- New Campaign object added for Chinese espionage actor Salt Typhoon, following a high-profile report from Trend Micro researchers. Salt Typhoon made headlines in recent months for attacks on U.S. telecommunications operators, but the report highlights how the group has targeted a wide range of sectors & geographies, making it relevant to organizations beyond those based in the United States or in the telecom industry.
- We’ve added four Salt Typhoon-linked Campaigns in recent weeks. A hallmark of the group’s activity (and that of similar China-backed espionage actors) is exploiting vulnerabilities in network devices like firewalls, VPNs, & routers (see T1190, T1068, and T1133), underscoring the importance of vulnerability-related defensive capabilities. Salt Typhoon campaigns have also shared other common post-exploitation TTPs, such as the use of WMI (T1047), service execution (T1569.002), and Windows Services for persistence (T1543.003) – all Techniques related to myriad capabilities in the Tidal Product Registry, especially ones that may yield detection or hunting opportunities.