Concise Cyber


Salt Typhoon Targets Global Governments via Microsoft SharePoint Vulnerabilities

The China-linked threat actor known as Salt Typhoon executed a widespread cyber-espionage campaign targeting governmental organizations across North America, Europe, and Asia. The group gained initial access to networks by exploiting a known remote code execution vulnerability in Microsoft SharePoint Server.

According to reports from cybersecurity agencies, Salt Typhoon’s operations are characterized by their focus on intelligence gathering from government entities. The attacks were identified and detailed in advisories issued by organizations including the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Microsoft.

Exploitation and Attack Infrastructure

The primary entry vector for the attacks was the exploitation of CVE-2019-0604, a critical vulnerability in Microsoft SharePoint. Upon successful exploitation, Salt Typhoon deployed web shells onto the compromised servers. These web shells provided the attackers with persistent access and the ability to execute commands on the target systems.
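Web shells dropped on a SharePoint server after exploitation of this kind tend to stand out in IIS logs as .aspx pages the install never shipped, driven by repeated referer-less POSTs from a handful of client IPs. The following is an added detection example (not code from the article or from any of the agencies cited) that parses IIS W3C log lines and flags such pages; the log lines and the allowlist of known SharePoint pages are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample IIS W3C log lines (not from the incident). The "#Fields:"
# header defines the column order, as IIS itself writes it.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status
2024-05-01 10:00:01 GET /_layouts/15/start.aspx - 10.1.1.20 https://intranet/ 200
2024-05-01 10:00:05 POST /_layouts/15/upload.aspx - 10.1.1.20 https://intranet/_layouts/15/start.aspx 200
2024-05-01 10:01:10 POST /_layouts/15/error1.aspx cmd=whoami 203.0.113.7 - 200
2024-05-01 10:01:12 POST /_layouts/15/error1.aspx cmd=hostname 203.0.113.7 - 200
2024-05-01 10:01:15 POST /_layouts/15/error1.aspx cmd=ipconfig 203.0.113.7 - 200
"""

# Hypothetical allowlist of .aspx pages that ship with the SharePoint install.
# In practice, build it from a file listing of a clean server of the same build.
KNOWN_PAGES = {"/_layouts/15/start.aspx", "/_layouts/15/upload.aspx"}


def parse_w3c(text):
    """Turn an IIS W3C log into a list of dicts keyed by the #Fields names."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines carry no request data
        elif fields:
            records.append(dict(zip(fields, line.split())))
    return records


def suspicious_aspx(records, known_pages, min_posts=2):
    """Return unknown .aspx pages receiving repeated referer-less POSTs.

    A web shell is usually an .aspx file the install never shipped, driven by
    POSTs with no Referer (no page navigation led there) from few client IPs.
    """
    stats = defaultdict(lambda: {"posts_no_referer": 0, "client_ips": set()})
    for r in records:
        stem = r["cs-uri-stem"].lower()
        if not stem.endswith(".aspx") or stem in known_pages:
            continue
        if r["cs-method"] == "POST" and r["cs(Referer)"] == "-":
            stats[stem]["posts_no_referer"] += 1
            stats[stem]["client_ips"].add(r["c-ip"])
    return {p: s for p, s in stats.items() if s["posts_no_referer"] >= min_posts}


if __name__ == "__main__":
    for page, s in suspicious_aspx(parse_w3c(SAMPLE_LOG), KNOWN_PAGES).items():
        print(f"{page}: {s['posts_no_referer']} referer-less POSTs from {sorted(s['client_ips'])}")
```

Any page the script flags should be checked against the server's file system and its creation time compared with the patch date for the vulnerability.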

To maintain control and exfiltrate data, the group used a custom backdoor referred to as “Mangled Sieve.” The command-and-control (C2) infrastructure for this campaign was built on a network of compromised Ubiquiti EdgeRouters. Routing malicious traffic through legitimate small office/home office (SOHO) devices in this way made the activity harder to detect and trace back to its source.

Global Scope and Espionage Focus

The campaign’s targets were not limited to a single region; governmental bodies on at least three continents were compromised. This global reach highlights the scale and resources of the Salt Typhoon operation. The group, which is also tracked under the alias Volt Typhoon, has been observed primarily targeting U.S. government agencies as part of its intelligence-gathering objectives.

The actions of Salt Typhoon are consistent with a state-sponsored espionage mission, focused on accessing and stealing sensitive information from government networks rather than on direct financial gain. The use of living-off-the-land techniques and compromised network hardware demonstrates a sophisticated approach to maintaining long-term, stealthy access.

Source: https://biztoc.com/x/2ff08925c69ac4c4