MOXFIVE Threat Actor Spotlight - Salt Typhoon

Every month, we take a look at a current ransomware threat actor.

February 4, 2025

Salt Typhoon

Salt Typhoon is an advanced persistent threat (APT) group associated with China's Ministry of State Security (MSS). Active since at least 2020, Salt Typhoon has conducted sophisticated cyber espionage campaigns targeting telecommunications, government agencies, and technology firms.

In 2024, Salt Typhoon intensified its focus on U.S. critical infrastructure, particularly telecommunications providers. MOXFIVE has observed the group exploiting misconfigurations in cloud environments, abusing identity and access management (IAM) weaknesses, and leveraging compromised third-party credentials for initial access. Their tactics include “living off the land” techniques, stealthy lateral movement, and embedding into supply chain dependencies to evade detection and maintain persistence.

This Threat Actor Spotlight analyzes Salt Typhoon’s methodologies and the risks they pose, emphasizing the need for strong IAM controls, proactive detection, and continuous monitoring.
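The two defensive themes above, detecting abuse of third-party credentials and putting controls around IAM, can be illustrated with a small sign-in baseline detector. The following is an added example written for this spotlight, not MOXFIVE tooling and not anything attributed to Salt Typhoon. It learns which source IPs each principal used during a baseline window, then flags any vendor account signing in from an IP outside that baseline and any assumption of a privileged role without MFA. The log lines, the field names (`principal`, `src_ip`, `action`, `role`, `mfa`), the vendor domain `partner.example` and the role name `OrgAdmin` are all constructed assumptions, not a real product's schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample sign-in events (JSON lines). Field names and values are
# illustrative assumptions, not a specific identity provider's log schema.
SAMPLE_LOG = """\
{"ts": "2025-01-10T09:02:11Z", "principal": "vendor-netops@partner.example", "src_ip": "198.51.100.20", "action": "ConsoleLogin", "mfa": true}
{"ts": "2025-01-11T10:15:42Z", "principal": "vendor-netops@partner.example", "src_ip": "198.51.100.20", "action": "ConsoleLogin", "mfa": true}
{"ts": "2025-01-12T08:44:03Z", "principal": "alice@corp.example", "src_ip": "203.0.113.7", "action": "ConsoleLogin", "mfa": true}
{"ts": "2025-01-12T08:50:19Z", "principal": "alice@corp.example", "src_ip": "203.0.113.7", "action": "AssumeRole", "role": "ReadOnly", "mfa": true}
{"ts": "2025-02-01T03:17:55Z", "principal": "vendor-netops@partner.example", "src_ip": "192.0.2.99", "action": "ConsoleLogin", "mfa": false}
{"ts": "2025-02-01T03:19:02Z", "principal": "vendor-netops@partner.example", "src_ip": "192.0.2.99", "action": "AssumeRole", "role": "OrgAdmin", "mfa": false}
{"ts": "2025-02-01T09:00:00Z", "principal": "alice@corp.example", "src_ip": "203.0.113.7", "action": "AssumeRole", "role": "ReadOnly", "mfa": true}
"""

# Events before this timestamp form the baseline; later events are evaluated.
BASELINE_END = datetime(2025, 1, 31, tzinfo=timezone.utc)
# Assumption: third-party (vendor) accounts live in these identity domains.
THIRD_PARTY_DOMAINS = {"partner.example"}
# Assumption: roles considered privileged enough to require MFA on every use.
PRIVILEGED_ROLES = {"OrgAdmin"}


def parse_events(text):
    """Parse JSON-lines sign-in records into dicts with a timezone-aware ts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def build_baseline(events, until=BASELINE_END):
    """Map each principal to the set of source IPs it used before `until`."""
    seen = defaultdict(set)
    for event in events:
        if event["ts"] < until:
            seen[event["principal"]].add(event["src_ip"])
    return seen


def is_third_party(principal):
    return principal.rsplit("@", 1)[-1] in THIRD_PARTY_DOMAINS


def detect(events, baseline, since=BASELINE_END):
    """Return (timestamp, principal, reason) tuples for events after `since`."""
    alerts = []
    for event in events:
        if event["ts"] < since:
            continue
        principal = event["principal"]
        # Vendor credentials used from a source never seen in the baseline:
        # the signal to review when third-party accounts may be compromised.
        if is_third_party(principal) and event["src_ip"] not in baseline.get(principal, set()):
            alerts.append((event["ts"].isoformat(), principal,
                           "third-party sign-in from IP outside baseline"))
        # Privileged role use without MFA is an IAM weakness regardless of source.
        if (event.get("action") == "AssumeRole"
                and event.get("role") in PRIVILEGED_ROLES
                and not event.get("mfa")):
            alerts.append((event["ts"].isoformat(), principal,
                           f"privileged role {event['role']} assumed without MFA"))
    return alerts


def run(text=SAMPLE_LOG):
    events = parse_events(text)
    return detect(events, build_baseline(events))


if __name__ == "__main__":
    for alert in run():
        print(*alert)
```

On the constructed data the detector raises three alerts, all against the vendor account on February 1: two for sign-in and role assumption from an IP outside its baseline, and one for assuming the privileged role without MFA. In production the baseline would be maintained continuously rather than computed from a fixed window, and the vendor-domain and privileged-role sets would come from the organization's own IAM inventory.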

Key Highlights

Attribution:
Salt Typhoon is attributed to the Chinese government, operating under the Ministry of State Security (MSS). The group’s campaigns align with China’s strategic objectives, such as acquiring military intelligence, intellectual property, and monitoring critical infrastructure. This attribution is supported by forensic analysis, shared tactics with other Chinese APTs, and its use of sophisticated tools and techniques characteristic of state-sponsored actors.

Targeted Industries:
Salt Typhoon has focused its cyber espionage activities on industries critical to national security and economic stability. Key targets include telecommunications providers, government agencies, technology firms, and cybersecurity organizations. These industries have been targeted for their valuable data, operational significance, and potential to facilitate broader campaigns.

Tactics, Techniques, and Procedures (TTPs):

Notable Leveraged Exploits:
Salt Typhoon is known to exploit critical vulnerabilities in widely deployed systems to gain unauthorized access and escalate attacks. Below are some of the most impactful vulnerabilities attributed to the group:

If you would like to know more or need assistance with incident response efforts, please contact us at 833-568-6695 or email our team at incident@moxfive.com.