Malware linked to Salt Typhoon used to hack telcos around the world | CyberScoop<\/title> <meta name=\"description\" content=\"A report from Trend Micro details the sophisticated ways Salt Typhoon carries out its operations on telecom companies around the world.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/salt-typhoon-us-telecom-hack-earth-estries-trend-micro-report\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Malware linked to Salt Typhoon used to hack telcos around the world\"> <meta property=\"og:description\" content=\"A report from Trend Micro details the sophisticated ways Salt Typhoon carries out its operations on telecom companies around the world.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/salt-typhoon-us-telecom-hack-earth-estries-trend-micro-report\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-11-26T02:05:51+00:00\"> <meta property=\"article:modified_time\" content=\"2024-11-26T02:05:53+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/malware-linked-to-salt-typhoon-used-to-hack-telcos-around-the-world-2.jpg\"> <meta property=\"og:image:width\" content=\"2121\"> <meta property=\"og:image:height\" content=\"1414\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Greg Otto\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@gregotto\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1732206022g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1730999764g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1732010462g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=ddc036fa194c40cf406f\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/82736\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.7.1\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=82736\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fsalt-typhoon-us-telecom-hack-earth-estries-trend-micro-report%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fsalt-typhoon-us-telecom-hack-earth-estries-trend-micro-report%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-82736 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/salt-typhoon-us-telecom-hack-earth-estries-trend-micro-report\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.384210526316\">\n<div class=\"single-article__header-content\" readability=\"34.421917808219\">\n<p> A report from Trend Micro details the highly sophisticated ways Salt Typhoon carries out its operations. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/82736\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/malware-linked-to-salt-typhoon-used-to-hack-telcos-around-the-world.jpg?resize=640%2C426&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/malware-linked-to-salt-typhoon-used-to-hack-telcos-around-the-world-2.jpg 2121w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/malware-linked-to-salt-typhoon-used-to-hack-telcos-around-the-world-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/malware-linked-to-salt-typhoon-used-to-hack-telcos-around-the-world-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/malware-linked-to-salt-typhoon-used-to-hack-telcos-around-the-world-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/malware-linked-to-salt-typhoon-used-to-hack-telcos-around-the-world-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/malware-linked-to-salt-typhoon-used-to-hack-telcos-around-the-world-2.jpg?resize=2048,1365 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/malware-linked-to-salt-typhoon-used-to-hack-telcos-around-the-world-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/malware-linked-to-salt-typhoon-used-to-hack-telcos-around-the-world-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/malware-linked-to-salt-typhoon-used-to-hack-telcos-around-the-world-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/malware-linked-to-salt-typhoon-used-to-hack-telcos-around-the-world-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/malware-linked-to-salt-typhoon-used-to-hack-telcos-around-the-world-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"34.471724787936\"><body readability=\"69.572131147541\"><\/p>\n<p>Those with firsthand knowledge of Salt Typhoon\u2019s hack of several U.S. telecommunications companies have called the group\u2019s actions some of the most sophisticated cyber-espionage efforts they have ever seen. A prominent security vendor may have unearthed some malware that shows why. <\/p>\n<p>Trend Micro <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/k\/earth-estries.html\">released a report Monday<\/a> that gives details on the tactics, techniques and procedures used by Salt Typhoon, which the company referred to as one of \u201cthe most aggressive Chinese advanced persistent threat (APT) groups\u201d currently in operation. <\/p>\n<p>While the company explicitly states that it does not have any evidence the malware detailed in the report was used in the telecom hacks, Trend Micro researchers write that several pieces of malware used by the group have been used to infiltrate other telecommunications companies and government entities around the world. Tracked as \u201cEarth Estries,\u201d Trend Micro says this group, which is also known as FamousSparrow, GhostEmperor, and UNC2286, has used the malware in the U.S., Asia-Pacific, Middle East, and South Africa.<\/p>\n<p>The report focuses on how the group gains access, what malware is deployed, and how it stays hidden on infiltrated systems. The group capitalizes on several known vulnerabilities, including:<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>From there, Trend Micro says the group likes to use legitimate tools like Windows Management Instrumentation Command (WMIC.exe) or PsExec to penetrate further into networks. <\/p>\n<p>Once inside, the group uses malware described as \u201cbackdoors,\u201d which Trend Micro refers to as GhostSpider, SnappyBee, and Masol RAT. Each of these tools exhibits a high level of sophistication, enabling the group to stay hidden within compromised networks. GhostSpider in particular is a multi-modular backdoor designed to deploy various components for specific functions, enhancing its adaptability and making it harder to detect.<\/p>\n<p>The company also details the group\u2019s intricate command and control infrastructure, which Trend Micro says is managed by different specialized teams. This setup allows the group to carry out different tasks, is crucial to allowing them to run several missions at once, and provides additional resilience. <\/p>\n<p>The ability to remain in networks has been a key point in why government officials are increasingly concerned about the intrusion on U.S. telecom networks. Sen. Mark Warner, D-Va., <a href=\"https:\/\/www.washingtonpost.com\/national-security\/2024\/11\/21\/salt-typhoon-china-hack-telecom\/\">told the Washington Post<\/a> last week that the hack is \u201cthe worst telecom hack in our nation\u2019s history \u2013 by far\u201d and the attackers are still in the systems. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>While these TTPs can be considered highly sophisticated, the threat group isn\u2019t creating all of its malware from scratch. Trend Micro says the group takes advantage of malware-as-a-service (MaaS) platforms to enhance their strategies, using these services to deploy a variety of malicious tools while saving time and resources. This approach allows them to focus on planning and executing sophisticated attacks while leveraging the latest malware technology.<\/p>\n<p>The espionage campaign reportedly targeted the phones of top members of the Donald Trump campaign \u2014 including the president-elect himself \u2014 and top U.S. officials. While few details have been made public, <a href=\"https:\/\/cyberscoop.com\/house-panels-briefing-chinese-hacker-telecom-breaches\/\">a slate of congressional panels<\/a> have been briefed on the campaign\u2019s details. <\/p>\n<p>You can read the full report on <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/k\/earth-estries.html\">Trend Micro\u2019s research blog<\/a>. <\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.9519725557461\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/11\/malware-linked-to-salt-typhoon-used-to-hack-telcos-around-the-world-1.jpg?w=640&ssl=1\" alt=\"Greg Otto\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Greg Otto<\/h4>\n<p> Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/salt-typhoon-us-telecom-hack-earth-estries-trend-micro-report\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Malware linked to Salt Typhoon used to hack telcos around<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[3171,271,78,624,302,117,1865,168,2953,288,3172],"tags":[3173,277,86,629,306,119,1867,169,2956,294,3174],"class_list":["post-6400","post","type-post","status-publish","format-standard","hentry","category-backdoor","category-china","category-cybersecurity","category-espionage","category-geopolitics","category-government","category-living-off-the-land","category-malware","category-salt-typhoon","category-threats","category-trend-micro","tag-backdoor","tag-china","tag-cybersecurity","tag-espionage","tag-geopolitics","tag-government","tag-living-off-the-land","tag-malware","tag-salt-typhoon","tag-threats","tag-trend-micro"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/backdoor\/\" rel=\"category tag\">backdoor<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/china\/\" rel=\"category tag\">China<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/espionage\/\" rel=\"category tag\">espionage<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/geopolitics\/\" rel=\"category tag\">Geopolitics<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/government\/\" rel=\"category tag\">Government<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/living-off-the-land\/\" rel=\"category tag\">living off the land<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/malware\/\" rel=\"category tag\">Malware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/salt-typhoon\/\" rel=\"category tag\">Salt Typhoon<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/trend-micro\/\" rel=\"category tag\">Trend Micro<\/a>","tag_info":"Trend Micro","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6400","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=6400"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6400\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=6400"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=6400"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=6400"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":6400,"date":"2024-11-25T20:05:51","date_gmt":"2024-11-26T02:05:51","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=82736"},"modified":"2024-11-25T20:05:51","modified_gmt":"2024-11-26T02:05:51","slug":"malware-linked-to-salt-typhoon-used-to-hack-telcos-around-the-world","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/11\/25\/malware-linked-to-salt-typhoon-used-to-hack-telcos-around-the-world\/","title":{"rendered":"Malware linked to Salt Typhoon used to hack telcos around the world"},"content":{"rendered":"