Salt Typhoon: New Evidence Reveals Years of Chinese Cyber-Espionage
Researchers at Silent Push have uncovered infrastructure linked to the Chinese cyber-espionage groups Salt Typhoon and UNC4841. The newly identified sample includes 45 previously unpublished domains, some of which were registered as early as May 2020. This discovery refutes the notion that Salt Typhoon’s high-profile attacks on U.S. telecommunications operators in 2024 marked its debut—evidence now shows the group has been active since at least 2019.
According to analysts, Salt Typhoon operates under the direction of China’s Ministry of State Security and shares characteristics with campaigns tracked under the names Earth Estries, FamousSparrow, GhostEmperor, and UNC5807. The infrastructure overlaps with that of UNC4841, a group notorious for exploiting the Barracuda ESG zero-day vulnerability CVE-2023-2868 (CVSS score 9.8).
A review of registration data revealed that 16 domains were created using Proton Mail addresses tied to fictitious owners and fabricated physical addresses. The oldest identified domain, onlineeylity[.]com, was registered on May 19, 2020, under the false identity of “Monica Burch,” supposedly residing in Los Angeles.
Analysis of IP addresses associated with these domains showed that many pointed to high-density hosting environments, where dozens or even hundreds of domains are bound to a single IP. In contrast, on lower-density infrastructure (where one IP hosts only a few domains), the earliest observable activity dates back to October 2021.
Silent Push has advised that any organizations potentially within the scope of Chinese intelligence collection should review DNS logs spanning the past five years for queries to these domains or their subdomains, and closely examine network traffic directed to the associated IP addresses during the attackers’ periods of activity.
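The retrospective DNS review described above can be scripted. The following is an added example, not code from Silent Push or the original article: it refangs a defanged indicator list (only the domain named in this article is used), matches a query name against the domain itself or any subdomain of it (so a look-alike such as a longer name merely ending in the same letters is not counted), and keeps only queries inside a date window. The log lines are constructed for illustration and follow a BIND-style query-log layout, which is an assumption about the reader's resolver.

```python
import re
from datetime import datetime
from typing import List, Optional

# Indicator list in the defanged form used in the report (only the domain the
# article names is included here).
DEFANGED_IOCS = ["onlineeylity[.]com"]

def refang(domain: str) -> str:
    """Turn 'evil[.]com' into 'evil.com', lower-cased, with any trailing dot removed."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")

def matches_ioc(qname: str, iocs: List[str]) -> Optional[str]:
    """Return the matching indicator if qname is that domain or one of its subdomains."""
    q = refang(qname)
    for ioc in iocs:
        d = refang(ioc)
        # Exact match, or a label boundary followed by the domain: 'cdn.evil.com'
        # matches 'evil.com', but 'notevil.com' does not.
        if q == d or q.endswith("." + d):
            return d
    return None

# Constructed sample lines (not real telemetry) in a BIND-style query-log shape.
SAMPLE_LOG = """\
19-May-2020 08:14:03.112 client 10.0.0.5#51234: query: cdn.onlineeylity.com IN A +
20-May-2020 09:01:44.001 client 10.0.0.7#49011: query: notonlineeylity.com IN A +
03-Oct-2021 12:30:00.500 client 10.0.0.9#40233: query: onlineeylity.com IN TXT +
01-Jan-2026 00:00:01.000 client 10.0.0.5#51235: query: www.example.com IN A +
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def scan_dns_log(text: str, iocs: List[str], start_iso: str, end_iso: str) -> List[dict]:
    """Return queries within [start, end] whose name matches an indicator or its subdomains."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not query records
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        if not (start <= ts <= end):
            continue  # outside the review window
        ioc = matches_ioc(m["qname"], iocs)
        if ioc:
            hits.append({"time": ts.isoformat(), "src": m["src"],
                         "qname": m["qname"], "qtype": m["qtype"], "ioc": ioc})
    return hits

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG, DEFANGED_IOCS, "2020-01-01", "2025-12-31"):
        print(hit)
```

Each hit carries the querying client address, which is the pivot for the follow-on review of that host's network traffic to the associated IP addresses.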