Salt Typhoon Hackers Use Fake Domains to Target Organizations Worldwide

Researchers trace fake domains and long-running tactics behind China-backed Salt Typhoon cyber campaign.


Key Takeaways:

  • FBI warns of a large-scale Chinese-backed hacking campaign spanning 80+ countries.
  • Researchers link dozens of fake domains to Salt Typhoon and UNC4841.
  • Attackers used long-running tactics to infiltrate networks and spread influence.

The FBI has issued a warning about a Chinese-backed hacking campaign that has breached at least 60 organizations across more than 80 countries. Cybersecurity researchers have uncovered 45 malicious domains linked to Salt Typhoon and other China-sponsored threat groups.

Earlier this week, researchers from cybersecurity firm Silent Push published an in-depth report with details about dozens of previously unknown domains linked to Salt Typhoon and UNC4841. These domains were registered using fake identities and addresses, often with ProtonMail accounts, and date back as far as 2020.

Fake identities and ProtonMail used in registrations

Salt Typhoon (also known as GhostEmperor and UNC2286) is connected to China’s Ministry of State Security (MSS) and became notorious for targeting global telecom providers. UNC4841, for its part, exploited a Barracuda email appliance vulnerability in 2023 to infiltrate networks. These China-backed advanced persistent threat (APT) groups used the same domains to remotely manage malware, exfiltrate data, and persist in enterprise networks.

Silent Push analyzed WHOIS and SOA records and identified several domains registered with fake identities such as ‘Shawn Francis’ and ‘Monica Burch.’ Many of these domains were tied to ProtonMail accounts and fake U.S.-based postal addresses.

“The domains date back several years, with the oldest registration activity occurring in May 2020, further confirming that the 2024 Salt Typhoon attacks were not the first activity carried out by this group,” Silent Push researchers explained.

Some of the domains identified by researchers were designed to mimic real organizations or media outlets (like newhkdaily[.]com), which suggests they may have been used to influence public opinion or spread misleading information. Silent Push also noted that these domains were hosted on servers shared with very few other websites (known as low-density IP addresses).
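The registration pattern described above (recurring fake registrant aliases, ProtonMail contact mailboxes, and low-density hosting) is the kind of metadata a defender can pivot on to expand a blocklist. The script below is an added example, not Silent Push's tooling or data: the WHOIS, SOA and passive-DNS records are constructed, the field names (`registrant_name`, `registrant_email`, `soa_rname`, `ip`) are this script's own rather than any vendor's API, and the only values taken from the article are the two aliases, the ProtonMail provider and the defanged `[.]` notation. An identity hit on a known alias flags a domain directly; any other domain that shares a contact mailbox (registrant email or the SOA responsible-person mailbox) with a flagged domain inherits the flag, and the weaker signals are recorded as corroboration.

```python
"""Pivot on registrant identity and DNS metadata to expand a watchlist.

Added example, not Silent Push's tooling. All records below are constructed;
field names are this script's own and do not mirror any WHOIS provider's API.
"""
import re
from collections import defaultdict

# Registrant aliases and mail provider named in the article.
KNOWN_FAKE_REGISTRANTS = {"shawn francis", "monica burch"}
WATCHED_MAIL_DOMAINS = {"protonmail.com", "proton.me"}
# An IP that has served this many hostnames or fewer is treated as low-density hosting.
LOW_DENSITY_THRESHOLD = 3

# Constructed sample WHOIS/SOA records (domains defanged, as in the article).
SAMPLE_RECORDS = [
    {"domain": "hk-news-today[.]example", "registrant_name": "Shawn Francis",
     "registrant_email": "sfrancis22@protonmail.com",
     "soa_rname": "sfrancis22.protonmail.com", "ip": "198.51.100.7"},
    {"domain": "acme-portal-login[.]example", "registrant_name": "Peter Lee",
     "registrant_email": "sfrancis22@protonmail.com",          # same mailbox as above
     "soa_rname": "hostmaster.acme-portal-login.example", "ip": "198.51.100.7"},
    {"domain": "city-daily-press[.]example", "registrant_name": "Monica Burch",
     "registrant_email": "mburch@proton.me",
     "soa_rname": "mburch.proton.me", "ip": "198.51.100.9"},
    {"domain": "bigretailer[.]example", "registrant_name": "Jane Roe",
     "registrant_email": "dns-admin@bigretailer.example",
     "soa_rname": "hostmaster.bigretailer.example", "ip": "203.0.113.5"},
    {"domain": "smallbiz-shop[.]example", "registrant_name": "Sam Park",
     "registrant_email": "ops@smallbiz-shop.example",
     "soa_rname": "hostmaster.smallbiz-shop.example", "ip": "198.51.100.9"},
]
# Constructed passive-DNS view: hostnames each IP has served.
SAMPLE_PASSIVE_DNS = {
    "198.51.100.7": ["hk-news-today.example", "acme-portal-login.example"],
    "198.51.100.9": ["city-daily-press.example", "smallbiz-shop.example"],
    "203.0.113.5": ["bigretailer.example"] + [f"tenant{i}.example" for i in range(40)],
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as newhkdaily[.]com back into a hostname."""
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", indicator.strip().lower())


def soa_rname_to_mailbox(rname: str) -> str:
    """RFC 1035 stores the SOA responsible mailbox with its '@' replaced by '.'."""
    return rname.strip().lower().replace(".", "@", 1)


def mail_domain(mailbox: str) -> str:
    return mailbox.rsplit("@", 1)[-1].lower() if "@" in mailbox else ""


def contact_mailboxes(rec: dict) -> set:
    return {rec["registrant_email"].lower(), soa_rname_to_mailbox(rec["soa_rname"])}


def alias_hit(rec: dict) -> bool:
    return rec["registrant_name"].strip().lower() in KNOWN_FAKE_REGISTRANTS


def corroboration(rec: dict, density: dict) -> list:
    """Weaker signals: privacy mail provider on either contact, low-density hosting."""
    notes = []
    for label, mailbox in (("registrant email", rec["registrant_email"]),
                           ("SOA contact", soa_rname_to_mailbox(rec["soa_rname"]))):
        if mail_domain(mailbox) in WATCHED_MAIL_DOMAINS:
            notes.append(f"{label} uses {mail_domain(mailbox)}")
    hosts = density.get(rec["ip"], 0)
    if hosts <= LOW_DENSITY_THRESHOLD:
        notes.append(f"low-density hosting ({hosts} hostnames on {rec['ip']})")
    return notes


def hunt(records: list, passive_dns: dict) -> dict:
    """Return {domain: reasons} for every domain flagged directly or by pivot."""
    density = {ip: len(hosts) for ip, hosts in passive_dns.items()}
    reasons, by_mailbox, flagged = {}, defaultdict(set), set()
    for rec in records:
        dom = refang(rec["domain"])
        reasons[dom] = corroboration(rec, density)
        if alias_hit(rec):
            reasons[dom].insert(0, f"registrant alias {rec['registrant_name']!r} named in report")
            flagged.add(dom)
        for mb in contact_mailboxes(rec):
            by_mailbox[mb].add(dom)
    # Pivot transitively: sharing a contact mailbox with a flagged domain inherits the flag.
    changed = True
    while changed:
        changed = False
        for mb, doms in by_mailbox.items():
            seeds = doms & flagged
            for dom in doms - flagged if seeds else set():
                reasons[dom].insert(0, f"shares contact mailbox {mb} with {sorted(seeds)[0]}")
                flagged.add(dom)
                changed = True
    return {dom: reasons[dom] for dom in sorted(flagged)}


if __name__ == "__main__":
    for dom, why in hunt(SAMPLE_RECORDS, SAMPLE_PASSIVE_DNS).items():
        print(dom, "->", "; ".join(why))
```

Two of the five constructed domains are flagged on the alias alone and a third only through the shared ProtonMail mailbox; the legitimate high-density retailer and the small shop that merely sits on a quiet IP stay off the list, which is the point of treating low-density hosting as corroboration rather than as a trigger.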

How organizations can defend against Salt Typhoon attacks

To protect against these tactics, organizations should regularly update and patch all network devices and software. Administrators must pay special attention to equipment exposed to the internet, like VPNs and email servers.

Additionally, it’s highly recommended to review and tighten access control settings, remove unused or overly permissive rules, and monitor for the creation of new user accounts with elevated privileges. Organizations should also use strong authentication methods like multi-factor authentication (MFA) for any remote access.

Lastly, enterprise admins must use tools that monitor for unusual activity within the network. They should also use network segmentation to limit how far attackers can move if they gain access.
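One of the recommendations above, monitoring for new user accounts that receive elevated privileges, is easy to express as a detection over account-management events. The script below is an added example, not part of the article or any product rule: the log lines are constructed and use a simplified `key=value` rendering of Windows Security events 4720 (user account created) and 4728/4732 (member added to a security-enabled global or local group); real events carry these values under different field names, and the privileged-group list and 24-hour window are this example's assumptions. An account that is created and then added to a privileged group within the window raises a high-severity alert; an existing account added to a privileged group raises a medium one; membership in ordinary groups raises nothing.

```python
"""Detect newly created accounts that are promptly given privileged group membership.

Added example, not a vendor rule. Log lines are constructed; the key=value
format is a simplified rendering of Windows events 4720/4728/4732, not the
real event schema.
"""
import shlex
from datetime import datetime, timedelta, timezone

PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins"}  # assumption
ELEVATION_WINDOW = timedelta(hours=24)                                         # assumption
ACCOUNT_CREATED = "4720"
GROUP_MEMBER_ADDED = {"4728", "4732"}

# Constructed sample events, deliberately not in chronological order.
SAMPLE_LOG = """\
2025-09-04T10:02:10Z EventID=4728 Actor=jdoe Group="Domain Admins" Member=svc-backup
2025-09-04T10:01:02Z EventID=4720 Actor=jdoe Target=svc-backup
2025-09-04T11:15:00Z EventID=4720 Actor=hr-automation Target=alice.new
2025-09-04T11:15:05Z EventID=4728 Actor=hr-automation Group=Staff Member=alice.new
2025-09-05T09:00:00Z EventID=4732 Actor=mallory Group=Administrators Member=old-contractor
2025-09-06T12:00:00Z EventID=4732 Actor=ops Group=Administrators Member=alice.new
"""


def parse_line(line: str) -> dict:
    """Split '<iso-ts> k=v k="v with spaces" ...' into a dict with a UTC 'ts'."""
    ts_str, _, rest = line.strip().partition(" ")
    fields = dict(tok.split("=", 1) for tok in shlex.split(rest))
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def detect(lines) -> list:
    """Return alerts for privileged-group additions, highest severity for brand-new accounts."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    created = {}   # account -> creation timestamp seen in this log
    alerts = []
    for ev in events:
        if ev["EventID"] == ACCOUNT_CREATED:
            created[ev["Target"].lower()] = ev["ts"]
            continue
        if ev["EventID"] not in GROUP_MEMBER_ADDED or ev["Group"].lower() not in PRIVILEGED_GROUPS:
            continue
        member = ev["Member"].lower()
        born = created.get(member)
        if born is not None and ev["ts"] - born <= ELEVATION_WINDOW:
            severity, reason = "high", f"account created {ev['ts'] - born} before elevation"
        else:
            severity, reason = "medium", "existing account added to privileged group"
        alerts.append({"severity": severity, "account": member, "group": ev["Group"],
                       "actor": ev["Actor"], "at": ev["ts"].isoformat(), "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"[{a['severity']}] {a['account']} -> {a['group']} by {a['actor']}: {a['reason']}")
```

Events are sorted by timestamp before evaluation so that a creation event arriving after the group change (common with multi-source collection) still links to it; `alice.new` illustrates the window boundary, since her later Administrators membership two days after creation is reported as an existing-account change rather than a fresh elevated account.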