NuHarbor Security Blog
September 4, 2025

Salt Typhoon: What Every Public Sector Leader and Security Team Needs to Know

Justin Fimlaid

Last Updated: September 4, 2025

For the CISO:

Salt Typhoon is not another headline-grabbing ransomware crew. It is a Chinese espionage group with one clear goal: infiltrate, persist, and quietly extract data of strategic value. The group has been active since 2020 and is known to be operated by China’s Ministry of State Security with a high level of sophistication. Its behavior directly follows the behaviors outlined in the “5 Year Plan” research provided last week.

In February 2025, the Five Eyes nations (US, UK, Canada, Australia, New Zealand) — joined by Japan — issued a rare joint cybersecurity advisory warning of Salt Typhoon’s campaigns. That advisory elevated this group from an “industry problem” to a national security concern, underscoring that governments must take immediate action. 

Why This Matters for Government Leaders:

  • Escalating activity: In 2025, multiple sources, including CyberScoop and GovTech, reported Salt Typhoon campaigns against government, higher education, and IT service providers.
  • Vendor exploitation: They breach SaaS, MSP, and CSP providers, then pivot downstream into government tenants. 
  • Diplomatic targeting: Captive portal hijacks at airports/hotels delivered PlugX malware to officials.
  • Cloud abuse: They weaponize cloud identities, adding their own secrets to OAuth apps and silently pulling data through the Microsoft Graph API.

Our Security Operations Center and MDR teams continue to escalate activity linked to Salt Typhoon tactics and tradecraft. This is a real, active intrusion set, not theoretical intelligence. 

How to Identify If You’re Being Attacked or Compromised: 

Salt Typhoon is stealthy, but not invisible. SOC teams should monitor for these technical indicators: 

  • Identity Abuse
    • Password spray attacks against Office 365/Azure AD.
    • New service principals or OAuth app secrets added without change requests. 
    • Abnormal Graph API access: apps or service principals suddenly downloading large volumes of mail or SharePoint/OneDrive data.
  • Endpoint & Network
    • IIS worker processes (w3wp.exe) spawning shells or LOLBINs like cmd.exe or powershell.exe. 
    • Deployment of web shells (Neo-reGeorg) in web directories. 
    • Signs of LSASS memory access or NTDS.dit extraction attempts. 
  • Defense Evasion
    • Event log clearing (EventID 1102) or timestamp manipulation. 
    • Use of compromised home-office routers as C2 proxies to blend attacker traffic into “local” IP ranges. 
  • Malware & Tradecraft
    • Discovery of CloudedHope (Go-based Linux RAT) or PlugX variants delivered via DLL side-loading. 
    • Executables masquerading as AdobePlugins.exe tied to captive portal hijack campaigns. 

If any of these patterns surface in your logs, treat them as high-priority escalations. 

Recommendations for Governments: 

  1. Act on the Five Eyes advisory: Treat Salt Typhoon as a priority adversary. Ensure your teams have reviewed and implemented the mitigations in the joint alert.
  2. Patch aggressively: Citrix, Commvault, Ivanti, Palo Alto devices. 
  3. Strengthen identity: Enforce MFA, audit service principals, remove dormant accounts. 
  4. Audit vendor access: Minimize CSP delegated admin rights; apply conditional access policies. 
  5. Centralize logging: Protect logs from tampering, ship them off-host. 
  6. Proactive threat hunting: Use the detection opportunities listed in the technical deep dive below; baseline OAuth/Graph API use and investigate deviations.

Technical Deep Dive on Salt Typhoon Tradecraft:

Initial Access

  • Exploitation of edge devices
    • Citrix NetScaler ADC/Gateway (CVE-2023-3519).
    • Commvault CommServe backup software (CVE-2025-3928).
    • Ivanti Connect Secure VPN (CVE-2025-0282).
    • Palo Alto GlobalProtect VPN (CVE-2024-3400).
  • Credential abuse
    • Password spray attacks against Azure AD.
    • Leaked credentials from public repos (GitHub). 
  • Adversary-in-the-Middle (diplomatic ops)*
    • Captive portal hijacks → AdobePlugins.exe → DLL sideload → CANONSTAGER loader → PlugX (SOGU.SEC). [*Note: this technique is also seen with Silk Typhoon]

Persistence 

  • Web shells
    • Neo-reGeorg dropped in IIS webroots.
  • Custom malware
    • CloudedHope (Go-based Linux RAT, anti-analysis, Graph API exfil).
  • Cloud abuse
    • Service principals & OAuth apps with attacker-added secrets. 

Defense Evasion 

  • Event log clearing (EventID 1102) and timestamp manipulation.
  • Tampering/deletion of IIS logs.
  • C2 routed through compromised SOHO routers inside victim geographies. 

Credential Access

  • LSASS memory access (via procdump, comsvcs.dll).
  • NTDS.dit dumping (EventIDs 4656/4663).
  • Azure AD Connect sync server compromise. 

Detection Opportunities 

  • Windows/Sysmon 
    • w3wp.exe spawning cmd.exe/powershell.exe.
    • Sysmon EventID 10 (ProcessAccess): suspicious LSASS access.
    • EventID 1102: log clearing. 
  • Cloud/Entra ID 
    • AuditLogs: “Add service principal credentials.” 
    • OAuth apps with unusual SharePoint/OneDrive download spikes. 
    • Global Admin sign-ins from consumer ISPs. 
  • Network 
    • Outbound HTTPS to anomalous domains. 
    • Payload names: AdobePlugins.exe, CANONSTAGER.dll. 
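The host and cloud indicators in the "How to Identify" section and the Detection Opportunities list above translate directly into hunting rules. The script below is an added example (not code from the original post or from NuHarbor): it encodes four of those rules, tags each hit with the ATT&CK technique the post cites, and runs them over a handful of constructed, pre-normalized events. The flattened event shape, the example.gov tenant, the `ExampleEDR` sensor path in the LSASS allow-list and the change-request field are all assumptions; adapt them to how your SIEM models Sysmon, Security and Entra ID AuditLogs records.

```python
"""Hunting rules for the Salt Typhoon indicators above, run over constructed
sample events. Example code, not part of the original post."""

# Constructed sample events. Assumption: your pipeline flattens Sysmon,
# Security and Entra ID AuditLogs records into dicts of this shape.
SAMPLE_EVENTS = [
    # Sysmon EventID 1 (process creation): IIS worker spawning a shell
    {"source": "sysmon", "event_id": 1, "host": "web01",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c whoami"},
    # Sysmon EventID 1: benign IIS child process, should not fire
    {"source": "sysmon", "event_id": 1, "host": "web01",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\conhost.exe",
     "command_line": "conhost.exe 0x4"},
    # Sysmon EventID 10 (ProcessAccess): unexpected process opening lsass
    {"source": "sysmon", "event_id": 10, "host": "dc01",
     "source_image": r"C:\Users\Public\procdump64.exe",
     "target_image": r"C:\Windows\System32\lsass.exe",
     "granted_access": "0x1FFFFF"},
    # Sysmon EventID 10: allow-listed EDR sensor touching lsass, should not fire
    {"source": "sysmon", "event_id": 10, "host": "dc01",
     "source_image": r"C:\Program Files\ExampleEDR\sensor.exe",
     "target_image": r"C:\Windows\System32\lsass.exe",
     "granted_access": "0x1010"},
    # Security EventID 1102: the audit log was cleared
    {"source": "security", "event_id": 1102, "host": "web01",
     "subject_user": "CORP\\svc-web"},
    # Entra ID AuditLogs: credential added to a service principal, no ticket
    {"source": "entra_audit", "activity": "Add service principal credentials",
     "initiated_by": "admin@example.gov", "target": "sp-backup-connector",
     "change_request": None},
    # Entra ID AuditLogs: same activity backed by an approved change request
    {"source": "entra_audit", "activity": "Add service principal credentials",
     "initiated_by": "admin@example.gov", "target": "sp-hr-sync",
     "change_request": "CHG-0042"},
]

SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumption: processes expected to open lsass.exe in your estate (EDR, AV).
LSASS_ALLOWED = {r"c:\program files\exampleedr\sensor.exe"}


def basename(path):
    """Last path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_iis_spawns_shell(ev):
    """T1505.003: w3wp.exe launching cmd.exe / powershell.exe."""
    return (ev.get("source") == "sysmon" and ev.get("event_id") == 1
            and basename(ev.get("parent_image", "")) == "w3wp.exe"
            and basename(ev.get("image", "")) in SHELL_IMAGES)


def rule_lsass_access(ev):
    """T1003.001: a non-allow-listed process opening lsass.exe."""
    return (ev.get("source") == "sysmon" and ev.get("event_id") == 10
            and basename(ev.get("target_image", "")) == "lsass.exe"
            and ev.get("source_image", "").lower() not in LSASS_ALLOWED)


def rule_log_cleared(ev):
    """T1070: Security EventID 1102, audit log cleared."""
    return ev.get("source") == "security" and ev.get("event_id") == 1102


def rule_sp_credential_added(ev):
    """T1078: service principal credential added with no change request."""
    return (ev.get("source") == "entra_audit"
            and ev.get("activity") == "Add service principal credentials"
            and not ev.get("change_request"))


RULES = [
    ("iis_spawns_shell", "T1505.003", rule_iis_spawns_shell),
    ("lsass_access", "T1003.001", rule_lsass_access),
    ("audit_log_cleared", "T1070", rule_log_cleared),
    ("sp_credential_added", "T1078", rule_sp_credential_added),
]


def hunt(events):
    """Return (rule_name, technique, event) for every event matching a rule."""
    hits = []
    for ev in events:
        for name, technique, rule in RULES:
            if rule(ev):
                hits.append((name, technique, ev))
    return hits


if __name__ == "__main__":
    for name, technique, ev in hunt(SAMPLE_EVENTS):
        where = ev.get("host") or ev.get("target")
        print(f"[{technique}] {name} on {where}")
```

Each rule is deliberately narrow and carries an explicit exception (the conhost child, the EDR sensor, the ticketed credential change) so that the same logic can be ported to a SIEM query without drowning the SOC in benign hits; the hunt over the seven constructed events yields exactly four escalations.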

Recommendations: 

  1. Patch edge devices immediately (Citrix, Commvault, Ivanti, Palo Alto). 
  2. Harden identity: MFA, audit service principals, remove dormant accounts. 
  3. Apply zero trust to vendors: review delegated CSP rights, enforce conditional access. 
  4. Centralize and protect logs: ship off-host, monitor for tampering. 
  5. Hunt regularly: baseline OAuth/Graph API activity and investigate deviations. 
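Recommendation 5 here (and item 6 in the first recommendation list) asks teams to baseline OAuth/Graph API activity and investigate deviations, which is how the "apps suddenly downloading large volumes of mail or SharePoint/OneDrive data" indicator becomes actionable. The following is an added example, not code from the original post or from NuHarbor: it builds a per-application baseline from a constructed 14-day history of download-type Graph calls, then flags any app whose count today exceeds the baseline by more than three standard deviations, as well as any app with meaningful volume that never appeared in the baseline window. The application names, the day counts, the 14-day window and the thresholds are all constructed assumptions.

```python
"""Baseline per-app Graph API download volume and flag deviations.
Example code, not part of the original post."""
from statistics import mean, pstdev

# Constructed daily counts of mail/SharePoint/OneDrive download calls per
# app, as you would aggregate from Graph activity or cloud app telemetry.
# Assumption: 14-day baseline, one integer per day, oldest first.
BASELINE_DAYS = {
    "HR Sync Connector": [120, 115, 130, 118, 122, 125, 119,
                          121, 117, 128, 123, 120, 116, 124],
    "Backup Connector": [40, 42, 38, 41, 39, 43, 40,
                         42, 41, 39, 40, 44, 38, 41],
    "Ticketing Integration": [5, 6, 5, 4, 6, 5, 5,
                              7, 5, 4, 6, 5, 5, 6],
}

# Today's counts (constructed): "Backup Connector" spikes, and
# "Mailbox Reporter" was never seen during the baseline window.
TODAY = {
    "HR Sync Connector": 126,
    "Backup Connector": 900,
    "Ticketing Integration": 6,
    "Mailbox Reporter": 350,
}

SIGMA = 3.0        # flag when today > mean + SIGMA * population stdev
MIN_ABSOLUTE = 50  # ignore small fluctuations on low-volume apps


def baseline_stats(history):
    """Mean and population standard deviation of a baseline series."""
    return mean(history), pstdev(history)


def find_deviations(baseline, today, sigma=SIGMA, min_abs=MIN_ABSOLUTE):
    """Return {app: reason} for every app whose volume today deviates.

    Two cases are reported: a known app exceeding mean + sigma * stdev,
    and an app with no baseline at all that is already pulling data.
    """
    findings = {}
    for app, count in today.items():
        history = baseline.get(app)
        if history is None:
            if count >= min_abs:
                findings[app] = (f"new app with no baseline, "
                                 f"{count} download calls today")
            continue
        mu, sd = baseline_stats(history)
        threshold = mu + sigma * sd
        if count >= min_abs and count > threshold:
            findings[app] = (f"{count} calls vs baseline mean {mu:.1f} "
                             f"(threshold {threshold:.1f})")
    return findings


if __name__ == "__main__":
    for app, reason in find_deviations(BASELINE_DAYS, TODAY).items():
        print(f"INVESTIGATE {app}: {reason}")
```

The absolute floor matters as much as the sigma test: a low-volume integration doubling from 5 to 10 calls is statistically loud but operationally meaningless, while a never-before-seen app pulling hundreds of mailboxes on day one has no baseline to compare against and must be surfaced on volume alone.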

MITRE ATT&CK References: 

  • T1190 – Exploit Public-Facing Application 
  • T1078 – Valid Accounts
  • T1505.003 – Web Shell
  • T1556 – Modify Authentication Process
  • T1003.001 – LSASS Memory Dump
  • T1070 – Indicator Removal on Host
  • T1557 – Adversary-in-the-Middle (Captive Portal Hijack) 

Here to Help

Salt Typhoon is a persistent and well-resourced adversary. If you want to understand your exposure and strengthen your defenses, our experts at NuHarbor can help you assess, monitor, and respond before attackers gain ground. Consult with our experts. 

Justin Fimlaid

Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.
