State-sponsored Chinese threat actor observed targeting government and military networks in Australia and abroad.
The Australian Signals Directorate’s Australian Cyber Security Centre has joined a raft of international cyber agencies to warn of state-sponsored Chinese hackers targeting telecommunications, government, military and logistics networks worldwide.
The PRC-sponsored group is tracked under a range of names depending on the security vendor, including Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor.
The advisory – jointly released by agencies in the Five Eyes intelligence alliance in addition to agencies from the Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland, and Spain – says that the advanced persistent threat, or APT, has targeted entities in “the United States, Australia, Canada, New Zealand, the United Kingdom, and other areas globally”.
The hackers are known to target vulnerabilities in Ivanti, Palo Alto Networks, and Cisco platforms, taking advantage of edge devices before pivoting into other networks, while also modifying routers to maintain persistent access to victim networks.
“Following initial access, the APT actors target protocols and infrastructure involved in authentication – such as Terminal Access Controller Access Control System Plus (TACACS+) – to facilitate lateral movement across network devices, often through SNMP enumeration and SSH. From these devices, the APT actors passively collect packet capture (PCAP) from specific ISP customer networks.”
The authoring agencies believe the hacker could be using multiple command and control channels to exfiltrate data from target networks to hide their activity “within the noise of high-traffic nodes, such as proxies and Network Address Translation (NAT) pools”.
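The lateral-movement sequence quoted above (SNMP enumeration of network devices, then SSH into them, with the authentication infrastructure such as TACACS+ in scope) lends itself to a simple correlation check on flow telemetry. The following is an added example written for this article; it is not code from the advisory, the authoring agencies, or any vendor named here. The flow records are constructed, the field layout (`time src dst proto dport`) is an assumption about what an exported flow log looks like, and the thresholds are illustrative starting points rather than tuned values.

```python
"""
Added detection example: flag a source that polls many distinct hosts on
UDP/161 (SNMP) and then opens SSH (TCP/22) to one of those hosts within a
short window, noting whether it also contacted a TACACS+ port (TCP/49).
All records below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (not real telemetry): "time src dst proto dport".
SAMPLE_FLOWS = """\
2025-08-27T10:00:01 10.9.8.7 192.0.2.11 udp 161
2025-08-27T10:00:02 10.9.8.7 192.0.2.12 udp 161
2025-08-27T10:00:02 10.9.8.7 192.0.2.13 udp 161
2025-08-27T10:00:03 10.9.8.7 192.0.2.14 udp 161
2025-08-27T10:00:03 10.9.8.7 192.0.2.15 udp 161
2025-08-27T10:00:04 10.9.8.7 192.0.2.16 udp 161
2025-08-27T10:02:10 10.9.8.7 198.51.100.5 tcp 49
2025-08-27T10:04:30 10.9.8.7 192.0.2.13 tcp 22
2025-08-27T10:05:00 10.1.1.20 192.0.2.11 udp 161
2025-08-27T10:05:05 10.1.1.20 192.0.2.12 udp 161
2025-08-27T10:05:09 10.1.1.20 192.0.2.11 tcp 22
2025-08-27T11:30:00 10.9.8.7 192.0.2.20 tcp 443
"""

SNMP_PORT, SSH_PORT, TACACS_PORT = 161, 22, 49


def parse_flows(text):
    """Parse the assumed 5-field flow format into sorted tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst,
                        proto.lower(), int(dport)))
    records.sort(key=lambda r: r[0])
    return records


def detect_snmp_then_ssh(records, min_devices=5, window=timedelta(minutes=15)):
    """Return one alert per source that polled >= min_devices distinct hosts
    over SNMP and then opened SSH to one of those hosts inside `window`.
    Only the first matching SSH connection per source is reported."""
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec[1]].append(rec)

    alerts = []
    for src, rows in by_src.items():
        snmp_seen = {}        # dst -> time of first SNMP poll still in window
        tacacs_contact = False
        for ts, _, dst, proto, dport in rows:
            # Expire SNMP observations older than the correlation window.
            snmp_seen = {d: t for d, t in snmp_seen.items() if ts - t <= window}
            if proto == "udp" and dport == SNMP_PORT:
                snmp_seen.setdefault(dst, ts)
            elif proto == "tcp" and dport == TACACS_PORT:
                tacacs_contact = True
            elif (proto == "tcp" and dport == SSH_PORT
                  and dst in snmp_seen and len(snmp_seen) >= min_devices):
                alerts.append({
                    "src": src,
                    "ssh_target": dst,
                    "snmp_devices": sorted(snmp_seen),
                    "first_snmp": min(snmp_seen.values()).isoformat(),
                    "ssh_at": ts.isoformat(),
                    "tacacs_contact": tacacs_contact,
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_snmp_then_ssh(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

In the constructed data, `10.9.8.7` polls six devices, touches a TACACS+ port, and then SSHes to one of the polled devices, so it is reported; `10.1.1.20` polls only two devices and stays under the threshold. On real telemetry the device-count threshold and window need tuning against legitimate monitoring hosts, which are the obvious source of false positives for this pattern and are best handled with an allow-list of known pollers.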
John Hultquist, Chief Analyst at the Google Threat Intelligence Group, said that the company’s subsidiary, Mandiant, has been involved in the investigation into the APT’s activity.
“Though there are many Chinese cyber espionage actors regularly targeting the sector, this actor’s familiarity with telecommunications systems gives them a unique advantage, especially when it comes to evading detection. Many of the highly successful Chinese cyber espionage actors we encounter have deep expertise in the technologies used by their targets, giving them an upper hand,” Hultquist told Cyber Daily.
Hultquist said that Chinese cyber espionage is driven by an “ecosystem of contractors, academics, and other facilitators” capable of both building tools and carrying out the actual intrusions.
“In addition to targeting telecommunications, reported targeting of hospitality and transportation by this actor could be used to closely surveil individuals,” Hultquist said.
“Information from these sectors can be used to develop a full picture of who someone is talking to, where they are, and where they are going.”
David Shields, Head of ANZ Consulting at Mandiant, added that Salt Typhoon is just the tip of the iceberg of Chinese actors targeting Australia.
“Unfortunately, this is just one of many Chinese cyber espionage actors targeting telecommunications in Australia and the region,” Shields said.
“The sector is besieged by several actors who are incredibly persistent and constantly improving.”
You can read the full advisory, released by the US Cybersecurity & Infrastructure Security Agency, here.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.