Chinese Hackers Salt Typhoon and UNC4841 Team Up to Breach Critical Infrastructure

Cybersecurity researchers at Silent Push have uncovered a sophisticated Chinese espionage operation linking two prominent threat actors, Salt Typhoon and UNC4841, revealing previously unreported infrastructure used to target government and corporate networks across more than 80 countries.

The discovery of 45 malicious domains dating back to 2020 demonstrates the extensive reach and long-term persistence of these state-sponsored Chinese Advanced Persistent Threat (APT) groups.

Silent Push threat analysts identified a comprehensive network of command and control infrastructure through detailed analysis of domain registration patterns and WHOIS data.

Interesting patterns emerged from a Silent Push Web Scanner WHOIS scanner search.

Cybersecurity researchers at Silent Push have also uncovered Salt Typhoon’s malware tools, including the Demodex rootkit and the Snappybee and Ghostspider backdoors.

The research team discovered that multiple domains shared common registration characteristics, particularly the use of ProtonMail email addresses.

These email addresses were used to register domains under fake personas with nonexistent U.S. addresses, including fictitious identities like “Tommie Arnold” in Miami, Florida, and “Monica Burch” in Los Angeles, California.

Through Start of Authority (SOA) record analysis and cross-referencing WHOIS databases, researchers expanded their findings to include domains registered as early as May 2020, indicating that the 2024 telecommunications breaches represented just one phase of a multi-year campaign.

We can attempt to see if any other domains have been registered with these unique email addresses using our WHOIS dataset in the Silent Push Web Scanner.

WHOIS email search results.

The oldest identified domain, onlineeylity.com, was registered by the “Monica Burch” persona over five years ago, demonstrating the threat actors’ commitment to long-term operational security.

Global Telecommunications Infiltration

Salt Typhoon, also known by aliases including “GhostEmperor,” “FamousSparrow,” and “Earth Estries,” operates under the direction of China’s Ministry of State Security (MSS).

The group gained international attention following its successful infiltration of at least nine major U.S. telecommunications companies during 2024, along with similar operations targeting telecom infrastructure in over 80 countries worldwide.

The group avoids traditional social engineering tactics, instead focusing on technical exploitation of software vulnerabilities to gain initial network access.

The scope of Salt Typhoon’s telecommunications breach was unprecedented, providing the threat actors with access to metadata affecting nearly every American mobile phone user.

More concerning, the group successfully compromised systems used for court-authorized wiretapping, potentially exposing sensitive law enforcement surveillance operations.

The breach included access to communications metadata for over one million U.S. mobile users, representing one of the most significant foreign intelligence penetrations of American telecommunications infrastructure.

Salt Typhoon employs sophisticated attack methodologies, primarily exploiting zero-day vulnerabilities and previously unknown security flaws in public-facing servers.

Historical analysis reveals that Salt Typhoon previously exploited remote code execution vulnerabilities in business software to compromise hotels, government agencies, and private companies globally.

Chinese APT Coordination

The investigation revealed significant infrastructure overlap between Salt Typhoon and UNC4841, another Chinese state-sponsored threat actor best known for exploiting a zero-day vulnerability in Barracuda Email Security Gateway Appliances during 2023.

UNC4841’s tactics, techniques, and procedures (TTPs) closely mirror those employed by Salt Typhoon, suggesting either operational coordination or shared resources between the groups.

Analysis of registration data showed that UNC4841 utilized similar fake personas and ProtonMail addresses, including a fictitious “Geralyn Pickens” identity.

The infrastructure analysis revealed nine domains associated with UNC4841, several of which had not been previously reported in cybersecurity research.

These domains shared common characteristics with Salt Typhoon infrastructure, including the use of identical name servers and similar registration timing patterns.

The connection between these groups raises significant questions about the organizational structure of Chinese state-sponsored cyber operations.

The shared infrastructure suggests either direct coordination between separate units or the possibility that both designations refer to different operational phases of the same overarching Chinese intelligence program.

| Threat Actor | Primary Target | Known Malware | Infrastructure Overlap |
|---|---|---|---|
| Salt Typhoon | Telecommunications, Government | Demodex, Snappybee, Ghostspider | 45+ domains, shared name servers |
| UNC4841 | Email Security, Corporate Networks | Barracuda exploit tools | 9+ domains, common registration patterns |

The comprehensive analysis identified 45 previously unreported domains spanning multiple years of operations, with many utilizing high-density IP addresses and domain parking services to maintain operational security.

By examining domain registration patterns, SOA records, and WHOIS data correlation, researchers can identify previously unknown threat actor infrastructure and better understand the scope and timeline of sophisticated cyber espionage campaigns.
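The pivoting described above (registrant email, SOA responsible-party mailbox, name servers, registration dates, and the IP-density check mentioned later) can be reproduced on a small scale. The following is an added example written for this article, not Silent Push tooling; every domain, email address, name server and IP in it is constructed placeholder data, and the pivot attributes are assumptions about what a WHOIS/DNS export would contain. It clusters records that share a pivot value, reports the earliest registration date per cluster, and flags domains whose IPs host few other domains.

```python
"""Cluster constructed WHOIS/DNS records by shared infrastructure pivots.

Added example, not Silent Push's tooling. All records in SAMPLE are
constructed placeholders (reserved .test domains, RFC 5737 IPs).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Record:
    domain: str
    registrant_email: str      # WHOIS registrant email (often privacy-friendly mailers)
    registrant_name: str       # WHOIS registrant persona
    name_servers: tuple        # NS records for the zone
    soa_rname: str             # responsible-party mailbox from the SOA record
    created: date              # WHOIS creation date
    a_records: tuple = ()      # resolved IPv4 addresses, if any


# Constructed sample data: two fake personas, one shared hoster, one shared IP.
SAMPLE = [
    Record("alpha-parked.test", "persona-a@mail.example", "Persona A",
           ("ns1.park.example", "ns2.park.example"), "hostmaster.park.example",
           date(2020, 5, 12), ("203.0.113.10",)),
    Record("beta-relay.test", "persona-a@mail.example", "Persona A",
           ("ns1.hoster.example",), "hostmaster.hoster.example",
           date(2021, 3, 2), ("203.0.113.10",)),
    Record("gamma-update.test", "persona-b@mail.example", "Persona B",
           ("ns1.hoster.example",), "hostmaster.hoster.example",
           date(2023, 8, 19), ("198.51.100.7",)),
    Record("delta-cdn.test", "persona-c@mail.example", "Persona C",
           ("ns1.other.example",), "admin.other.example",
           date(2022, 1, 15), ("203.0.113.10",)),
    Record("epsilon-sync.test", "persona-c@mail.example", "Persona C",
           ("ns1.other.example",), "admin.other.example",
           date(2024, 6, 30), ("192.0.2.44",)),
]

DEFAULT_PIVOTS = ("registrant_email", "soa_rname", "name_servers")


def _pivot_values(rec, attr):
    value = getattr(rec, attr)
    return value if isinstance(value, tuple) else (value,)


def build_clusters(records, pivots=DEFAULT_PIVOTS):
    """Union-find over domains: any shared pivot value joins two domains.

    Name servers and SOA mailboxes are weaker pivots than a registrant email
    (a large hoster's NS is shared by unrelated customers), so callers can
    narrow `pivots` to tighten the clustering.
    """
    parent = {r.domain: r.domain for r in records}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]   # path halving
            d = parent[d]
        return d

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    for attr in pivots:
        first_seen = {}
        for rec in records:
            for value in _pivot_values(rec, attr):
                key = value.lower()
                if key in first_seen:
                    union(first_seen[key], rec.domain)
                else:
                    first_seen[key] = rec.domain

    clusters = defaultdict(list)
    for rec in records:
        clusters[find(rec.domain)].append(rec)
    return [sorted(c, key=lambda r: r.created) for c in clusters.values()]


def summarize(records, pivots=DEFAULT_PIVOTS):
    """One dict per cluster, ordered by the cluster's earliest registration."""
    out = []
    for cluster in build_clusters(records, pivots):
        out.append({
            "domains": sorted(r.domain for r in cluster),
            "first_registered": cluster[0].created.isoformat(),
            "registrant_emails": sorted({r.registrant_email for r in cluster}),
            "name_servers": sorted({ns for r in cluster for ns in r.name_servers}),
        })
    return sorted(out, key=lambda c: c["first_registered"])


def ip_density(records):
    """Number of distinct domains in the dataset resolving to each IP."""
    hosted = defaultdict(set)
    for r in records:
        for ip in r.a_records:
            hosted[ip].add(r.domain)
    return {ip: len(domains) for ip, domains in hosted.items()}


def low_density_domains(records, max_shared=1):
    """Domains whose every IP hosts at most `max_shared` domains here.

    Low-density addresses deserve a closer look (dedicated hosts, or a
    sinkhole); high-density ones usually indicate parking or shared hosting.
    """
    density = ip_density(records)
    return sorted(r.domain for r in records
                  if r.a_records and all(density[ip] <= max_shared for ip in r.a_records))


if __name__ == "__main__":
    for cluster in summarize(SAMPLE):
        print(cluster)
    print("low-density:", low_density_domains(SAMPLE))
```

Running with the default pivots joins gamma-update.test to the Persona A cluster only through the shared hoster name server and SOA mailbox; re-running with `pivots=("registrant_email",)` separates it again, which is the kind of contrast an analyst would check before treating a name-server overlap as attribution evidence.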

Results from the initial SOA record search.

Low-density IP addresses were identified as being of particular concern, with several domains showing evidence of being redirected to security sinkholes by researchers or law enforcement agencies.

Silent Push’s investigation methodology demonstrates the value of systematic infrastructure analysis in tracking advanced persistent threat groups.

The discovery underscores the persistent and evolving nature of Chinese state-sponsored cyber operations, with implications extending far beyond individual security incidents to encompass broader concerns about foreign intelligence penetration of critical infrastructure and telecommunications networks.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.