Apparently, the infiltrations had occurred a long while back. Remember the saying, “Fool me twice, shame on me”?
On 26 September 2024, the Wall Street Journal reported that cyber espionage activities, allegedly backed by Beijing, had infiltrated several US internet service providers (ISPs).
The primary objective of these advanced persistent threat (APT) attacks is surmised to be the establishment of a persistent presence within the targeted networks, enabling the threat actors to collect sensitive data or potentially launch damaging cyberattacks.
People reportedly familiar with the incident have linked the cyber activities to a threat actor that Microsoft tracks as Salt Typhoon, also known as FamousSparrow and GhostEmperor. Investigators are currently examining whether the attackers gained access to Cisco Systems routers that may have been implicated in the incident.
This development follows the US government’s recent disruption of a 260,000-device botnet called Raptor Train, controlled by another Beijing-linked hacking group known as Flax Typhoon. This incident is purportedly part of a broader pattern of Chinese state-sponsored efforts targeting telecommunications, ISPs, and other critical infrastructure sectors of adversary nations since 2021, according to a blog post by Symantec threat hunters.
In a recent related security advisory, government agencies had accused Flax Typhoon of developing a database containing details of 1.2m records of compromised and hijacked devices that the group had used, or was currently using, for the botnet.
APT background information
GhostEmperor was first identified in October 2021 by the Russian cybersecurity firm Kaspersky. The firm has detailed a prolonged and evasive operation targeting high-profile entities in South-east Asia, including Malaysia, Thailand, Vietnam, and Indonesia, as well as other regions like Egypt, Ethiopia, and Afghanistan. This operation had involved deploying a rootkit named Demodex.
In July 2024, cybersecurity company Sygnia disclosed that a client had been compromised by this threat actor in 2023. The attackers had infiltrated the network of one of the client’s business partners. During the investigation, it was found that several servers, workstations, and user accounts were compromised, with various tools used to communicate with command-and-control servers. One of these tools had been identified as a variant of Demodex.