Inside Salt Typhoon: China’s State-Corporate Advanced Persistent Threat

Salt Typhoon is a PRC-aligned, MSS-directed cyber espionage program that has targeted global telecommunications, defense-adjacent networks, and critical infrastructure since at least 2019, using router/rootkit implants, bespoke malware, and contractor-enabled domain/infrastructure provisioning to collect VoIP configs, lawful intercept logs, and subscriber metadata. Public indictments and leaks link Salt Typhoon to contractors and front companies including i‑SOON, Sichuan Juxinhe, and Shanghai Heiying, with named operators Yin Kecheng and Zhou Shuai implicated in operational roles.

Keypoints

  • Salt Typhoon is a Ministry of State Security (MSS)-aligned program active since at least 2019, focused on long-term SIGINT collection from global telecommunications and defense-adjacent networks.
  • The group compromises network edge devices (routers, VPN gateways, firewalls) and maintains long-dwell persistence using firmware/rootkit implants (e.g., Demodex, SigRouter) to harvest VoIP configs, call-detail records, and lawful intercept data.
  • Operations are heavily enabled by a contractor ecosystem—notably i‑SOON, Sichuan Juxinhe, Beijing Huanyu Tianqiong, and Sichuan Zhixin Ruijie—that provides domain registration, leased infrastructure, tooling, and plausible deniability.
  • Salt Typhoon has been tied to large-scale intrusions across the U.S., U.K., EU, Taiwan, and other regions, including confirmed breaches of multiple U.S. telecom firms and state National Guard networks.
  • Infrastructure tradecraft includes bulk domain registrations using ProtonMail and fabricated U.S. personas, clustering on shared name servers (OrderBox/PDR, MonoVM), and use of commercial DV SSL certs (GoDaddy, Sectigo), creating attributional pivots despite OPSEC aims.
  • Named individuals Yin Kecheng and Zhou Shuai are indicted and sanctioned; Yin is assessed as a technical/infrastructure operator and Zhou as a broker/data reseller—each showing distinct but complementary roles in Salt Typhoon operations.
  • Defensive tracking can exploit repetitive infrastructure patterns (fake registrants, shared NS/IP clusters, SSL issuers, ProtonMail reuse) to detect and disrupt the group’s scalable, contractor-driven campaigns.
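
The infrastructure pivoting described in the last keypoint, as an added Python example that is not part of the DomainTools report: domains are clustered on exact reuse of registrant persona, registrant e-mail and authoritative name server, while the mail provider (ProtonMail) is reported as a cluster feature rather than used as a linking key. The WHOIS-style records are constructed; the domain names, personas and name servers are ones the summary lists, but which persona or NS is paired with which domain is invented here.

```python
from collections import Counter, defaultdict

# Constructed WHOIS-style records: the domains, personas and name servers are ones the
# summary names, but which persona or NS goes with which domain is invented here.
RECORDS = [
    {"domain": "dateupdata.com", "registrant": "Shawn Francis",
     "email": "sfrancis@protonmail.com", "ns": "irdns.mars.orderbox-dns.com"},
    {"domain": "solveblemten.com", "registrant": "Monica Burch",
     "email": "mburch@protonmail.com", "ns": "irdns.mars.orderbox-dns.com"},
    {"domain": "e-forwardviewupdata.com", "registrant": "Shawn Francis",
     "email": "shawn.f@example.net", "ns": "earth.monovm.com"},
    {"domain": "availabilitydesired.us", "registrant": "Tommie Arnold",
     "email": "tarnold@protonmail.com", "ns": "ns4.1domainregistry.com"},
    {"domain": "unrelated-shop.org", "registrant": "Jane Doe",
     "email": "jane@example.org", "ns": "ns1.example-dns.net"},
]
# Exact-match linking keys. The mail *provider* (protonmail.com) is not one: too many
# legitimate registrants use it, so it is reported as a cluster feature instead.
PIVOT_KEYS = ("registrant", "email", "ns")

def cluster_domains(records, keys=PIVOT_KEYS):
    """Union-find: two domains land in one cluster when they share any pivot value."""
    parent = {r["domain"]: r["domain"] for r in records}
    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving keeps trees shallow
            d = parent[d]
        return d
    first_seen = {}
    for r in records:
        for kv in ((k, r[k]) for k in keys if r.get(k)):
            if kv in first_seen:
                parent[find(r["domain"])] = find(first_seen[kv])
            else:
                first_seen[kv] = r["domain"]
    groups = defaultdict(list)
    for r in records:
        groups[find(r["domain"])].append(r["domain"])
    return sorted(sorted(g) for g in groups.values())

def shared_pivots(records, domains, keys=PIVOT_KEYS):
    """(key, value) pairs seen on 2+ domains of a cluster: the evidence an analyst cites."""
    counts = Counter((k, r[k]) for r in records if r["domain"] in domains
                     for k in keys if r.get(k))
    return sorted(kv for kv, n in counts.items() if n >= 2)

def provider_share(records, provider="protonmail.com"):
    """Fraction of registrations on one mail provider (the summary cites ~47% for ProtonMail)."""
    return sum(r["email"].lower().endswith("@" + provider) for r in records) / len(records)
```

Run against real registration data, the same routine turns a list of suspect domains into clusters plus the concrete shared values that justify each link, which is what a takedown request or a blocklist entry needs to carry.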

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Exploitation of routers, firewalls, and VPN gateways to gain initial access (“Exploitation of router/firewall CVEs, configuration hijacking”).
  • [T1078] Valid Accounts – Use of stolen VPN, SIP, and SSO credentials to access target networks (“Use of stolen VPN/SIP/SSO credentials”).
  • [T1059] Command and Scripting Interpreter – Remote web shells and scripting (e.g., China Chopper) for command execution (“China Chopper, shell access”).
  • [T1203] Exploitation for Client Execution – Leveraging client-side vulnerabilities on network devices to execute custom router code (“Custom router vulnerabilities”).
  • [T1601.002] Implant Internal Image – Firmware/rootkit persistence on routers and firewalls (Demodex) (“Firmware/rootkit persistence (Demodex)”).
  • [T1547] Boot or Logon Autostart Execution – Modified router startup configs to ensure autorun of implants (“Modified router startup configs”).
  • [T1068] Exploitation for Privilege Escalation – Rootkit/system hook exploitation to escalate privileges on compromised devices (“Demodex/rootkit system hooks”).
  • [T1027] Obfuscated Files or Information – Use of custom shell scripts and encrypted tools to evade analysis (“Custom shell scripts, tool encryption”).
  • [T1014] Rootkit – Deployment of rootkit implants on networking gear to remain covert (“Demodex”).
  • [T1036] Masquerading – Renaming router/system binaries and disguising implants as legitimate services (“Renamed router/system binaries”).
  • [T1003] Credential Dumping – Extraction of VoIP admin credentials and SSO tokens from device stores (“Extraction of VoIP admin creds, SSO tokens”).
  • [T1082] System Information Discovery – Reconnaissance via CLI and custom tools to map systems and services (“Recon via CLI and custom netstat-like tools”).
  • [T1046] Network Service Scanning – SIP/VPN/VLAN mapping to discover telecom service endpoints (“SIP/VPN/VLAN mapping”).
  • [T1021] Remote Services – Lateral movement leveraging VPN tunnels and trusted ISP connections (“VPN tunnel exploitation, internal pivots”).
  • [T1602] Data from Configuration Repository – Collection of VoIP, SIP, and router configuration data (“VoIP, SIP, router config dump”).
  • [T1056] Input Capture – SIP interception and packet sniffing for communications metadata (“Potential SIP interception, packet sniffing”).
  • [T1041] Exfiltration Over C2 Channel – Encrypted DNS/HTTPS beaconing and C2 channels for exfiltration (“DNS beaconing, encrypted TCP exfil”).
  • [T1567.002] Exfiltration Over Web Service – Staging data to external web panels for retrieval (“Staging to external web panels”).
  • [T1071.001] Application Layer Protocol: Web Protocols – Use of DNS and HTTPS for C2 and data transfer (“DNS, HTTPS, TCP 443 C2”).
  • [T1105] Ingress Tool Transfer – Deployment of shells and firmware updates to push router implants (“Shells, updates for router implants”).

Indicators of Compromise

  • [Domains] Contractor-registered/staging domains used for C2 and staging – dateupdata[.]com, solveblemten[.]com, and 40 or more additional domains (e.g., availabilitydesired.us, e-forwardviewupdata[.]com).
  • [Registrant Personas] Fake U.S. identities used for Whois registration – “Shawn Francis”, “Monica Burch”, “Tommie Arnold” (each reused across multiple domains).
  • [Email Providers] Registration/OPSEC tooling – protonmail.com used in ~47% of domain registrations; ProtonMail addresses tied to Whois records.
  • [Name Servers / Hosts] Shared NS and VPS clustering – irdns.mars.orderbox-dns.com, ns4.1domainregistry.com, earth.monovm.com (common authoritative NS/hosts supporting multiple Salt Typhoon domains).
  • [IPs] Infrastructure IP clusters linked to registrar/VPS providers – 162.251.82.125, 162.251.82.252 (OrderBox/PDR infrastructure), and 172.64.53.3.
  • [SSL Certificates] Commercial DV cert patterns – GoDaddy Secure Certificate Authority – G2 and Sectigo RSA DV Secure Server CA observed across actor domains (e.g., CN *.myorderbox.com, www.solveblemten.com).
  • [Malware/Hashes] Router/rootkit and web shell examples (partial/public sample placeholders) – Demodex (SHA256 sample: 6a2f9a…e3b1b7a), SigRouter (SHA256 sample: d23cb5…af3f8b2), China Chopper web shell (MD5: e99a18c428cb38d5f260853678922e03); note: full classified hashes have not been publicly released.
  • [Exploited CVEs] Known vulnerable products exploited – CVE-2023-20198 (Cisco IOS XE Web UI), CVE-2023-35082 (Ivanti Connect Secure), and Palo Alto PAN-OS GlobalProtect series (CVE-2024-3400 series).

Read more: https://dti.domaintools.com/inside-salt-typhoon-chinas-state-corporate-advanced-persistent-threat/