Initial Discovery
Timeline of Events Leading to the Discovery of Salt Typhoon’s Activities
The discovery of Salt Typhoon's activities unfolded over several months. The intrusions are believed to have begun as early as 2020, but their full scope was not understood until late 2024, when irregularities in telecommunications networks prompted a coordinated investigation.
- Initial Indicators: The first signs of compromise were subtle: anomalous traffic flagged by intrusion detection systems (IDS) monitoring telecom networks, suspicious data transfers, and unexpected changes to network device configurations. These raised red flags, but the true scale of the breach only emerged from later forensic analysis.
- Internal Awareness: The anomalies were first noticed by security teams inside the affected telecommunications companies, whose internal monitoring recorded unauthorized access attempts and abnormal flows of communications data. Those teams opened investigations and brought in external incident responders.
- External Confirmation: Incident response firms engaged by the providers traced the activity to compromised network equipment, including unpatched Cisco routers, which the attackers had used as footholds into sensitive telecommunications systems. The firms' analysis confirmed that the separate anomalies were part of a single, long-running intrusion.
How Cybersecurity Researchers and Affected Companies Detected the Breach
The breach came to light as cybersecurity firms and affected companies began cross-referencing multiple anomalous events across telecom networks. Researchers employed traffic analysis tools, log file analysis, and malware sandboxing techniques to identify the presence of malware and suspicious files within the affected systems.
Researchers at incident response firms, such as Mandiant (the former FireEye) and CrowdStrike, observed a pattern of activity consistent with a rootkit and custom malware built to remain undetected for extended periods. These signs led them to link the intrusion to a state-sponsored actor, consistent with the tactics used by China-based threat groups.
One key breakthrough occurred when researchers identified communication channels between the compromised systems and external command-and-control servers, indicating the presence of an advanced, persistent cyber actor likely backed by a nation-state.
Technical Indicators and Analysis
The Role of Malware Analysis, Anomaly Detection, and Traffic Monitoring in Uncovering the Hack
Malware Analysis: When researchers isolated the malicious files, detailed analysis revealed the use of Demodex, a kernel-mode rootkit designed to establish covert, persistent access on compromised Windows hosts. Demodex was first documented by Kaspersky in 2021 as part of the GhostEmperor campaigns, an activity cluster later linked to Salt Typhoon. Rootkits of this kind hide in plain sight by hooking kernel structures so that their files, processes, and network connections are invisible to user-mode security tools.
Anomaly Detection: Telecom network monitoring systems flagged anomalous traffic patterns that prompted further investigation, including unauthorized data exfiltration, irregularities in traffic routing, and sudden spikes in data transmitted to foreign IP addresses. Anomaly detection systems flagged these deviations as potential breaches, but the scale and sophistication of the attack meant that linking the individual events into one campaign required a concerted effort by incident responders.
Traffic Monitoring: Traffic monitoring tools were used to trace unauthorized communications back to external servers controlled by Salt Typhoon. The malware's covert command-and-control channel let the attackers receive instructions and exfiltrate stolen data without tripping signature-based network alarms; only the statistical regularity and volume of the traffic gave it away.
Indicators of Compromise (IOCs): The attack’s technical footprint included known Indicators of Compromise (IOCs), such as specific file hashes, IP addresses, and command-and-control domains previously associated with Chinese threat actors. These indicators, once identified, provided researchers with concrete evidence linking the attack to a state-sponsored actor.
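The three signals described above (traffic to a known IOC address, an unusual outbound volume to one external host, and periodic beaconing) can be checked together over flow records. The following is an added illustration, not Salt Typhoon tooling or any vendor's detection logic; the flow records, IP addresses, and the IOC list are constructed for the demonstration, and the thresholds are assumptions to be tuned per network.

```python
"""Constructed example: beacon, volume and IOC detection over flow records.

Added illustration, not Salt Typhoon tooling or any vendor's detection
logic. The flow records, IP addresses and the IOC list below are made up.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, bytes_out).
# 10.0.0.5 beacons to 203.0.113.7 every 60 s with small payloads and then
# pushes one large transfer; 10.0.0.9 is ordinary, jittery web browsing.
FLOWS = (
    [(1_700_000_000 + 60 * i, "10.0.0.5", "203.0.113.7", 512) for i in range(20)]
    + [(1_700_000_000 + 60 * 20, "10.0.0.5", "203.0.113.7", 250_000_000)]
    + [(1_700_000_000 + t, "10.0.0.9", "198.51.100.20", 4_000)
       for t in (3, 41, 97, 120, 380, 402, 777, 905)]
)

# Constructed IOC list standing in for a threat-intelligence feed.
IOC_IPS = {"203.0.113.7"}

# Assumption: the internal address space is 10.0.0.0/8.
INTERNAL_PREFIX = "10."


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def analyse(flows, ioc_ips=IOC_IPS, min_beacons=8, max_cv=0.1,
            volume_bytes=100_000_000):
    """Return a list of (src, dst, reason) alerts for outbound flows.

    ioc-match:        destination appears in the intel list.
    outbound-volume:  total bytes to one external host >= volume_bytes.
    beaconing:        at least min_beacons flows to one external host with
                      near-constant spacing (coefficient of variation of
                      the inter-arrival times <= max_cv).
    """
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in sorted(flows):
        if is_internal(src) and not is_internal(dst):
            by_pair[(src, dst)].append((ts, nbytes))

    alerts = []
    for (src, dst), recs in by_pair.items():
        if dst in ioc_ips:
            alerts.append((src, dst, "ioc-match"))
        total = sum(n for _, n in recs)
        if total >= volume_bytes:
            alerts.append((src, dst, f"outbound-volume:{total}"))
        if len(recs) >= min_beacons:
            gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
            avg = mean(gaps)
            cv = pstdev(gaps) / avg if avg > 0 else 0.0
            if cv <= max_cv:
                alerts.append((src, dst, f"beaconing:cv={cv:.2f}"))
    return alerts


if __name__ == "__main__":
    for alert in analyse(FLOWS):
        print(alert)
```

The beaconing test is the one that does not depend on prior intelligence: a host that talks to the same external address on a fixed schedule is suspicious whether or not that address is on any list, which is why it is worth running even when the IOC feed is empty.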
Key Indicators that Pointed to the Involvement of a State-Sponsored Actor
The use of advanced malware such as the Demodex rootkit, together with the custom tooling employed in the attack, was a key indicator of a nation-state actor. The sophistication of these tools and the persistence with which they were operated pointed to a level of technical expertise and resourcing typically associated with state-sponsored cyber espionage.
Another key indicator was the targeting of critical infrastructure—in this case, telecommunications providers, which are of immense strategic value for any nation. Cyber espionage campaigns aimed at gathering sensitive political, economic, and military data are typically orchestrated by government-backed groups seeking to gain leverage on foreign governments.
Furthermore, the scale of the operation and its focus on long-term access and covert data exfiltration—often seen in campaigns orchestrated by intelligence agencies—further solidified the belief that Salt Typhoon was working on behalf of the Chinese government.
Cooperation and Investigations
Collaboration Between Cybersecurity Firms, Intelligence Agencies, and Affected Companies
Once the breach was detected, incident response firms such as Mandiant (the former FireEye), CrowdStrike, and Palo Alto Networks worked closely with the affected telecommunications companies to investigate its full scope. This collaboration was essential in reconstructing the attackers' methodology and understanding how they had maintained access for so long.
Threat intelligence groups contributed by cross-referencing malware samples and correlating attack patterns with previous attacks attributed to China-based threat groups. By sharing information and working together, these organizations were able to piece together the timeline of events and confirm the scale of the breach.
U.S. government agencies, including the FBI, NSA, and CISA, coordinated cooperation between private companies and national security bodies. Their involvement was central to tracing the operation back to the Chinese government and linking it to the Ministry of State Security (MSS).
Additionally, private firms used their own intelligence networks to warn other global telecom providers and critical infrastructure entities about the vulnerabilities, helping prevent further exploitation of similar tactics.
Evidence of Salt Typhoon’s Operations and Their Footprint in the Telecommunications Network
Through forensic analysis, investigators uncovered Salt Typhoon's operational footprint in the affected telecommunications networks, including the tactics, techniques, and procedures (TTPs) the group employed: data exfiltration, backdoor installation, and manipulation of communication traffic, all characteristic of advanced, state-backed espionage operations.
Evidence also pointed to Salt Typhoon's ability to maintain persistent access to compromised systems, using tools like rootkits and web shells. This ongoing presence allowed the group to continue extracting data over a significant period, suggesting that they were not merely infiltrating systems but were systematically surveilling and collecting sensitive information.
Investigators also found that the group had tried to hide its presence by erasing digital traces and clearing or overwriting security logs on compromised devices. Anti-forensic activity of this kind is consistent with state-sponsored actors, who prioritise remaining undetected over speed and accept the cost of covering their tracks.
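Log clearing tends to leave its own evidence: gaps in entry sequence numbers, timestamps that run backwards after a buffer is rewritten, and the event that stopped remote logging. The following is an added illustration of auditing a device's logging buffer for those artefacts; it is not tooling from the Salt Typhoon investigation. The log lines are constructed, loosely modelled on IOS-style syslog with per-entry sequence numbers, and the parser assumes that `NNNNNN: YYYY-MM-DD HH:MM:SS message` layout.

```python
"""Constructed example: spotting gaps and rewinds in a device log buffer.

Added illustration, not investigator tooling from the Salt Typhoon case.
The log lines are invented; the format (sequence number, timestamp,
message) stands in for any device syslog that numbers its entries.
"""
import re
from datetime import datetime

# Constructed export of a router's logging buffer. Entries 000104-000109
# are missing and the timestamp on 000110 runs backwards: both are what an
# attacker clearing or rewriting the buffer tends to leave behind.
LOG = """\
000100: 2024-10-01 02:14:01 %SYS-5-CONFIG_I: Configured from console by admin on vty0
000101: 2024-10-01 02:14:37 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.5]
000102: 2024-10-01 02:15:02 %SYS-5-CONFIG_I: Configured from console by admin on vty0
000103: 2024-10-01 02:15:40 %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel99, changed state to up
000110: 2024-10-01 01:58:12 %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.50 stopped
000111: 2024-10-01 02:31:09 %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# Assumed layout: six-digit sequence number, timestamp, free-text message.
LINE_RE = re.compile(
    r"^(?P<seq>\d{6}): (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msg>.*)$"
)


def parse(text):
    """Return [(seq, datetime, message)] for every line matching LINE_RE."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            entries.append((int(m["seq"]), ts, m["msg"]))
    return entries


def audit(entries):
    """Return findings as (kind, first_seq, second_seq, detail) tuples.

    sequence-gap:            entries missing between two consecutive lines
                             (detail = how many).
    time-rewind:             a later entry carries an earlier timestamp
                             (detail = seconds of rewind).
    remote-logging-stopped:  the device reported that it stopped sending
                             to its syslog collector.
    """
    findings = []
    for (s1, t1, _), (s2, t2, _) in zip(entries, entries[1:]):
        if s2 != s1 + 1:
            findings.append(("sequence-gap", s1, s2, s2 - s1 - 1))
        if t2 < t1:
            findings.append(("time-rewind", s1, s2, int((t1 - t2).total_seconds())))
    for seq, _, msg in entries:
        if "LOGGINGHOST_STARTSTOP" in msg and "stopped" in msg:
            findings.append(("remote-logging-stopped", seq, seq, 0))
    return findings


if __name__ == "__main__":
    for finding in audit(parse(LOG)):
        print(finding)
```

Per-entry sequence numbers are only present when the device is configured to emit them, and an attacker with privileged access can disable them. The durable control is to ship logs off the device to a collector the attacker cannot reach, so that the copy being audited is not the one they can rewrite.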
Public Disclosure
When and How the Hack Was Publicly Disclosed to the Media and the General Public
After the hack was uncovered, the U.S. government and private cybersecurity firms coordinated its disclosure. The campaign was first reported publicly in late September 2024 by The Wall Street Journal, citing U.S. officials, and in October 2024 the FBI and CISA issued a joint statement confirming a broad intrusion into commercial telecommunications infrastructure by actors affiliated with the People's Republic of China. Further statements in late 2024 outlined the breach, its scale, and the tactics used by Salt Typhoon.
Subsequent coverage by outlets including The New York Times and The Guardian described the ongoing surveillance activity and the involvement of a Chinese state-backed actor, as cybersecurity firms completed their initial analysis and confirmed the extent of the attack.
Public Reports: The disclosure included detailed reports on the methods used by Salt Typhoon to infiltrate telecom networks and maintain access over extended periods. These reports were meant to raise awareness within both the private sector and government bodies about the growing threat of state-sponsored cyber espionage.
How the Hack Was Revealed in Official Cybersecurity Reports
The breach was officially documented in reports from CISA and private cybersecurity firms. These reports described the malware samples, the attack vectors, and the tooling employed by the hackers. In December 2024, CISA, the NSA, the FBI, and partner agencies published hardening guidance for communications infrastructure that highlighted the weaknesses in telecom network equipment exploited by Salt Typhoon and urged providers to strengthen monitoring, restrict management access, and keep devices patched.
Additionally, incident response vendors such as Mandiant (the former FireEye) and CrowdStrike published technical analyses of the intrusions, covering the malware and TTPs used by Salt Typhoon. These reports were shared with affected parties and became part of the broader cybersecurity knowledge base to help prevent similar attacks.
The discovery of the Salt Typhoon hack marked a pivotal moment in understanding the scale and sophistication of state-sponsored cyberattacks. The breach was uncovered through careful malware analysis, anomaly detection, and cooperation between cybersecurity firms, government agencies, and affected companies. Its public disclosure heightened awareness of the vulnerabilities in critical infrastructure and set the stage for increased scrutiny and reform across global telecom networks.