Last Updated: September 4, 2025
For the CISO:
Salt Typhoon is not another headline-grabbing ransomware crew. It is a Chinese espionage group with one clear goal: infiltrate, persist, and quietly extract data of strategic value. They’ve been around since 2020 and are known to be operated by China’s Ministry of State Security with a high level of sophistication. The behavior of this threat actor directly follows the behaviors outlined in the “5 Year Plan” research provided last week.
In February 2025, the Five Eyes nations (US, UK, Canada, Australia, New Zealand) — joined by Japan — issued a rare joint cybersecurity advisory warning of Salt Typhoon’s campaigns. That advisory elevated this group from an “industry problem” to a national security concern, underscoring that governments must take immediate action.
Why This Matters for Government Leaders:
- Escalating activity: In 2025, multiple outlets, including CyberScoop and GovTech, reported Salt Typhoon campaigns against government, higher ed, and IT service providers.
- Vendor exploitation: They breach SaaS, MSP, and CSP providers, then pivot downstream into government tenants.
- Diplomatic targeting: Captive portal hijacks at airports/hotels delivered PlugX malware to officials.
- Cloud abuse: They weaponize cloud identities, adding their own secrets to OAuth apps and silently pulling data through Graph API.
Our Security Operations Center and MDR teams continue to escalate activity linked to Salt Typhoon tactics and tradecraft. This is a real, active intrusion set, not theoretical intelligence.
How to Identify If You’re Being Attacked or Compromised:
Salt Typhoon is stealthy, but not invisible. SOC teams should monitor for these technical indicators:
- Identity Abuse
  - Password spray attacks against Office 365/Azure AD.
  - New service principals or OAuth app secrets added without change requests.
  - Abnormal Graph API access—apps or service principals suddenly downloading large volumes of mail or SharePoint/OneDrive data.
- Endpoint & Network
  - IIS worker processes (w3wp.exe) spawning shells or LOLBINs like cmd.exe or powershell.exe.
  - Deployment of web shells (Neo-reGeorg) in web directories.
  - Signs of LSASS memory access or NTDS.dit extraction attempts.
- Defense Evasion
  - Event log clearing (EventID 1102) or timestamp manipulation.
  - Use of compromised home-office routers as C2 proxies to blend attacker traffic into “local” IP ranges.
- Malware & Tradecraft
  - Discovery of CloudedHope (Go-based Linux RAT) or PlugX variants delivered via DLL side-loading.
  - Executables masquerading as AdobePlugins.exe tied to captive portal hijack campaigns.
If any of these patterns surface in your logs, treat them as high-priority escalations.
Recommendations for Governments:
- Act on the Five Eyes advisory: Treat Salt Typhoon as a priority adversary. Ensure your teams have reviewed and implemented the mitigations in the joint alert.
- Patch aggressively: Citrix, Commvault, Ivanti, Palo Alto devices.
- Strengthen identity: Enforce MFA, audit service principals, remove dormant accounts.
- Audit vendor access: Minimize CSP delegated admin rights; apply conditional access policies.
- Centralize logging: Protect logs from tampering, ship them off-host.
- Proactive threat hunting: Use the detection opportunities listed below; baseline OAuth/Graph API use.
Technical Deep Dive on Salt Typhoon Tradecraft:
Initial Access
- Exploitation of edge devices
  - Citrix NetScaler ADC/Gateway (CVE-2023-3519).
  - Commvault CommServe backup software (CVE-2025-3928).
  - Ivanti Connect Secure VPN (CVE-2025-0282).
  - Palo Alto GlobalProtect VPN (CVE-2024-3400).
- Credential abuse
  - Password spray attacks against Azure AD.
  - Leaked credentials from public repos (GitHub).
- Adversary-in-the-Middle (diplomatic ops)*
  - Captive portal hijacks → AdobePlugins.exe → DLL sideload → CANONSTAGER loader → PlugX (SOGU.SEC). [*Note: this is also seen with Silk Typhoon.]
Persistence
- Web shells
  - Neo-reGeorg dropped in IIS webroots.
- Custom malware
  - CloudedHope (Go-based Linux RAT, anti-analysis, Graph API exfil).
- Cloud abuse
  - Service principals & OAuth apps with attacker-added secrets.
Defense Evasion
- Event log clearing (EventID 1102) and timestamp manipulation.
- Tampering/deletion of IIS logs.
- C2 routed through compromised SOHO routers inside victim geographies.
Credential Access
- LSASS memory access (via procdump, comsvcs.dll).
- NTDS.dit dumping (EventIDs 4656/4663).
- Azure AD Connect sync server compromise.
Detection Opportunities
- Windows/Sysmon
  - w3wp.exe spawning cmd.exe/powershell.exe.
  - EventID 10: suspicious LSASS access.
  - EventID 1102: log clearing.
- Cloud/Entra ID
  - AuditLogs: “Add service principal credentials.”
  - OAuth apps with unusual SharePoint/OneDrive download spikes.
  - Global Admin sign-ins from consumer ISPs.
- Network
  - Outbound HTTPS to anomalous domains.
  - Payload names: AdobePlugins.exe, CANONSTAGER.dll.
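The Windows/Sysmon detection opportunities above (and the matching "Endpoint & Network" and "Defense Evasion" indicators in the "How to Identify" section) can be expressed as a handful of rules over forwarded event data. The script below is an added example, not code from NuHarbor or from the joint advisory: it runs three rules over constructed Sysmon and Security event records (w3wp.exe spawning a shell, Sysmon EventID 10 access to lsass.exe from an image outside a known-good list, and Security EventID 1102). The flat-dict event shape, the `host`/`provider`/`event_id` keys, and the contents of `LSASS_ACCESS_ALLOWLIST` are assumptions for the demo; the per-event field names mirror the Sysmon and Security event data fields they represent.

```python
"""
Added example, not code from NuHarbor or the advisory: a small rule pass
over constructed Windows Security / Sysmon events that flags three of the
host-side behaviors listed under Detection Opportunities:
  1. the IIS worker process (w3wp.exe) spawning cmd.exe / powershell.exe
  2. Sysmon EventID 10 (ProcessAccess) against lsass.exe from a source
     image not on a known-good list
  3. Security EventID 1102 (the audit log was cleared)
Field names mirror Sysmon/Security event data fields, but the flat dict
shape, the host/provider/event_id keys and the allow-list are assumptions.
"""
from dataclasses import dataclass

# Processes expected to open lsass.exe; an assumption for the demo, tune per environment.
LSASS_ACCESS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_iis_spawns_shell(ev: dict):
    """Sysmon EventID 1 (ProcessCreate) whose parent is the IIS worker process."""
    if ev.get("provider") == "Sysmon" and ev.get("event_id") == 1:
        if (_basename(ev.get("ParentImage", "")) == "w3wp.exe"
                and _basename(ev.get("Image", "")) in SHELLS):
            return Finding("iis_worker_spawned_shell", ev["host"],
                           f"{ev['ParentImage']} -> {ev['Image']} {ev.get('CommandLine', '')}")
    return None


def rule_lsass_access(ev: dict):
    """Sysmon EventID 10 (ProcessAccess) targeting lsass.exe from an unexpected image."""
    if ev.get("provider") == "Sysmon" and ev.get("event_id") == 10:
        if (_basename(ev.get("TargetImage", "")) == "lsass.exe"
                and ev.get("SourceImage", "").lower() not in LSASS_ACCESS_ALLOWLIST):
            return Finding("suspicious_lsass_access", ev["host"],
                           f"{ev['SourceImage']} GrantedAccess={ev.get('GrantedAccess')}")
    return None


def rule_audit_log_cleared(ev: dict):
    """Security EventID 1102: the Security log was cleared."""
    if ev.get("provider") == "Security" and ev.get("event_id") == 1102:
        return Finding("audit_log_cleared", ev["host"],
                       f"cleared by {ev.get('SubjectUserName', '?')}")
    return None


RULES = (rule_iis_spawns_shell, rule_lsass_access, rule_audit_log_cleared)


def scan(events):
    """Apply every rule to every event; return the list of Findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                findings.append(hit)
    return findings


# Constructed sample events (not real telemetry). Two are benign, three should fire.
SAMPLE_EVENTS = [
    {"provider": "Sysmon", "event_id": 1, "host": "web01",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig /t:library"},                 # benign: ASP.NET compile
    {"provider": "Sysmon", "event_id": 1, "host": "web01",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ipconfig /all"},                      # web-shell style child
    {"provider": "Sysmon", "event_id": 10, "host": "dc01",
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},  # benign
    {"provider": "Sysmon", "event_id": 10, "host": "dc01",
     "SourceImage": r"C:\Temp\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},  # dump attempt
    {"provider": "Security", "event_id": 1102, "host": "web01",
     "SubjectUserName": "svc_web"},                                   # log cleared
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Run against the constructed sample it prints three findings and stays silent on the two benign records. In production the allow-list for LSASS access is the piece that needs tuning: EDR agents and backup software legitimately open lsass.exe, so build it from a baseline of your own hosts rather than from this demo.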
Recommendations:
- Patch edge devices immediately (Citrix, Commvault, Ivanti, Palo Alto).
- Harden identity: MFA, audit service principals, remove dormant accounts.
- Apply zero trust to vendors: review delegated CSP rights, enforce conditional access.
- Centralize and protect logs: ship off-host, monitor for tampering.
- Hunt regularly: baseline OAuth/Graph API activity and investigate deviations.
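"Baseline OAuth/Graph API activity and investigate deviations" and "audit service principals" are the two identity-side hunts the list above asks for. The script below is an added example, not NuHarbor's or Microsoft's code, showing one way to do both: it builds a per-app baseline of daily Graph download counts, flags apps whose count today sits well above their baseline (or that have no baseline at all), and cross-checks Entra ID AuditLogs "Add service principal credentials" entries against a change-request list so that credentials added without a ticket stand out. The history, audit rows and change tickets are constructed samples, and the field names (`app_id`, `activity`, `target_app_id`, `status`, `initiated_by`) are assumptions for the demo rather than the exact Entra export schema.

```python
"""
Added example, not code from NuHarbor or the advisory: baselining per-app
Microsoft Graph download volume and flagging deviations, plus cross-checking
Entra ID AuditLogs "Add service principal credentials" entries against a
change-request list. All inputs are constructed samples; the dict field
names (app_id, activity, target_app_id, status, initiated_by) are assumptions.
"""
from statistics import mean, pstdev


def build_baseline(history):
    """history: {app_id: [daily download counts]} -> {app_id: (mean, stddev)}."""
    return {app: (mean(counts), pstdev(counts)) for app, counts in history.items()}


def download_deviations(baselines, today, z_threshold=3.0, min_count=500):
    """
    Flag apps whose download count today is more than z_threshold standard
    deviations above their baseline (and above an absolute floor so quiet
    apps with a tiny stddev don't page on noise), plus apps with no baseline.
    Returns a list of (app_id, count, reason).
    """
    flagged = []
    for app, count in today.items():
        if app not in baselines:
            flagged.append((app, count, "no baseline: app not seen before"))
            continue
        avg, sd = baselines[app]
        sd = max(sd, 1.0)  # guard against a zero stddev
        if count >= min_count and count > avg + z_threshold * sd:
            flagged.append((app, count, f"{(count - avg) / sd:.1f} sigma above baseline"))
    return flagged


def unapproved_credential_adds(audit_entries, change_requests):
    """AuditLogs rows that add a service principal credential with no approved change."""
    approved = {cr["app_id"] for cr in change_requests if cr["status"] == "approved"}
    return [e for e in audit_entries
            if e["activity"] == "Add service principal credentials"
            and e["target_app_id"] not in approved]


# Constructed 7-day history of daily SharePoint/OneDrive/mail downloads per app.
HISTORY = {
    "hr-reporting-sync": [120, 130, 110, 125, 115, 118, 122],
    "mail-archiver":     [40, 45, 42, 38, 44, 41, 43],
}
TODAY = {
    "hr-reporting-sync": 130,   # within normal range
    "mail-archiver":     2400,  # bulk pull
    "unregistered-app":  50,    # never seen before
}

# Constructed Entra ID AuditLogs entries and the change tickets that should justify them.
AUDIT = [
    {"time": "2025-09-01T02:14:00Z", "activity": "Add service principal credentials",
     "target_app_id": "hr-reporting-sync", "initiated_by": "admin@example.org"},
    {"time": "2025-09-02T23:50:00Z", "activity": "Add service principal credentials",
     "target_app_id": "mail-archiver", "initiated_by": "helpdesk@example.org"},
    {"time": "2025-09-02T23:51:00Z", "activity": "Update application",
     "target_app_id": "mail-archiver", "initiated_by": "helpdesk@example.org"},
]
CHANGE_REQUESTS = [
    {"id": "CHG-0001", "app_id": "hr-reporting-sync", "status": "approved"},
]


def triage():
    """Run both checks over the sample data; returns (spikes, unapproved credential adds)."""
    spikes = download_deviations(build_baseline(HISTORY), TODAY)
    creds = unapproved_credential_adds(AUDIT, CHANGE_REQUESTS)
    return spikes, creds


if __name__ == "__main__":
    spikes, creds = triage()
    for app, count, why in spikes:
        print(f"download deviation: {app} count={count} ({why})")
    for e in creds:
        print(f"unapproved credential add: {e['target_app_id']} by {e['initiated_by']} at {e['time']}")
```

On the sample data the mail-archiver app is flagged twice: its download volume jumps far above a stable baseline, and the credential added to it the night before has no approved change ticket. That pairing (new secret on a service principal, then bulk Graph reads) is the cloud-abuse pattern the post describes, and correlating the two signals is what turns a noisy volume alert into a confident escalation.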
MITRE ATT&CK References:
- T1190 – Exploit Public-Facing Application
- T1078 – Valid Accounts
- T1505.003 – Web Shell
- T1556 – Modify Authentication Process
- T1003.001 – LSASS Memory Dump
- T1070 – Indicator Removal on Host
- T1557 – Adversary-in-the-Middle (Captive Portal Hijack)
Here to Help
Salt Typhoon is a persistent and well-resourced adversary. If you want to understand your exposure and strengthen your defenses, our experts at NuHarbor can help you assess, monitor, and respond before attackers gain ground. Consult with our experts.