Salt Typhoon (also known as Earth Estries, GhostEmperor, FamousSparrow and UNC2286) is a state-sponsored advanced persistent threat group attributed to the People's Republic of China (MSS) and active since 2019. The group primarily targets the telecommunications, government, technology and critical infrastructure sectors. It is tracked by MITRE ATT&CK as G1045.
Overview & Attribution
Salt Typhoon represents one of the most significant PRC cyber espionage operations ever publicly disclosed. The group's systematic targeting of US telecommunications infrastructure -- including lawful intercept (CALEA) systems at AT&T, Verizon, and T-Mobile -- has provided Chinese intelligence services with unprecedented access to communications metadata and content of high-value surveillance targets, including US government officials and political campaigns.
Salt Typhoon has been active since 2019 and is attributed to the People's Republic of China (MSS). The group is known for targeting telecommunications, government, technology, and critical infrastructure using a combination of custom malware, rootkits, and exploitation of edge network devices.
- Attribution: People's Republic of China (MSS)
- Active since: 2019
- Primary targets: Telecommunications, government, technology, critical infrastructure
- Also known as: Earth Estries, GhostEmperor, FamousSparrow, UNC2286
Arsenal & Tools
Salt Typhoon employs a diverse arsenal of custom and shared tooling:
- GhostSpider: Custom modular backdoor used for persistent access in telecom networks
- Demodex: Rootkit deployed for kernel-level persistence and stealth
- SparrowDoor: Multi-platform backdoor supporting Windows and Linux targets
- SnappyBee (Deed RAT): Shared Chinese APT backdoor for command and control
- HemiGate: Custom backdoor with multi-instance command execution capabilities
- Cobalt Strike: Commercial adversary simulation framework repurposed for C2 operations
Targeting & Operations
The group focuses on the telecommunications, government, technology, and critical infrastructure sectors, with operations spanning multiple geographic regions. Its campaigns typically involve carefully crafted intrusion operations, leveraging both zero-day exploits and commodity tooling to achieve persistent access to lawful intercept infrastructure and call detail record databases.
Salt Typhoon is characterized by persistent, long-term access operations within telecom provider networks. Once inside, the group targets lawful intercept (CALEA) systems, call detail record databases, and network management infrastructure to conduct surveillance of specific high-value targets without deploying broadly destructive capabilities.
MITRE ATT&CK Mapping
| Tactic | Technique | Usage |
|---|---|---|
| Initial Access | T1190 Exploit Public-Facing Application | Exploitation of vulnerabilities in VPN appliances, email gateways, and telecom infrastructure |
| Execution | T1059 Command and Scripting Interpreter | PowerShell and cmd.exe for post-exploitation command execution |
| Command and Control | T1071 Application Layer Protocol | HTTPS-based C2 communications blended with legitimate traffic |
| Exfiltration | T1048 Exfiltration Over Alternative Protocol | Data exfiltration through encrypted channels to avoid network monitoring |
| Persistence | T1547 Boot or Logon Autostart Execution | Registry modifications and scheduled tasks for long-term persistence |
| Defense Evasion | T1014 Rootkit | Demodex rootkit for kernel-level stealth and detection evasion |
Notable Campaigns
Salt Typhoon has been linked to multiple significant campaigns. The group continuously evolves its tooling and infrastructure to evade detection while maintaining persistent access to compromised networks.
- US Telecom Intrusions (2023-2024): Compromised AT&T, Verizon, T-Mobile, and at least six other US telecom providers. Accessed lawful intercept systems (CALEA infrastructure) to surveil targets including US government officials and political campaigns.
- Barracuda ESG Campaign (2023): Exploited CVE-2023-2868 in Barracuda Email Security Gateway appliances to compromise government and critical infrastructure targets across multiple countries.
- Southeast Asian Telecom Operations (2021-2023): Long-running espionage campaigns against telecommunications providers across Southeast Asia, establishing persistent access for intelligence collection.
- Government Espionage Operations (2020-2024): Targeted government agencies across the US, Asia-Pacific, Middle East, and South Africa for strategic intelligence gathering.
Indicators of Compromise
- ghfrankenstein[.]com (C2 domain)
- ffraborede[.]com (C2 domain)
- zfrankenstein[.]com (C2 domain)
- 185.216.32[.]186 (C2 IP)
- 103.159.132[.]80 (C2 IP)
Detection & Defense
- Network segmentation: Isolate lawful intercept and call detail record systems from general corporate networks
- Telecom-specific monitoring: Deploy detection for anomalous access to CALEA infrastructure and CDR databases
- Patch management: Prioritize patching of edge devices including VPN appliances, email gateways, and firewalls
- Endpoint detection: Deploy behavioral detection for GhostSpider, Demodex rootkit, and SparrowDoor indicators
- Encrypted DNS monitoring: Monitor for DNS-over-HTTPS and other encrypted DNS channels used for C2
- Threat intelligence integration: Subscribe to telecom-specific threat feeds for Salt Typhoon IOC updates
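The IOC matching and encrypted DNS monitoring described above, as an added example that is not Mjolnir Security's tooling: a small Python scanner that refangs the C2 domains and IPs listed on this page, runs them over constructed resolver and web-proxy log lines (key=value format assumed), and separately flags requests shaped like DNS-over-HTTPS (RFC 8484) so an analyst can confirm the resolver is sanctioned.

```python
import re
from collections import namedtuple

# Indicators as listed on the page, defanged with "[.]"; refanged here for matching.
DEFANGED_C2 = {
    "ghfrankenstein[.]com": "C2 domain", "ffraborede[.]com": "C2 domain",
    "zfrankenstein[.]com": "C2 domain",
    "185.216.32[.]186": "C2 IP", "103.159.132[.]80": "C2 IP",
}
C2_INDICATORS = {k.replace("[.]", "."): v for k, v in DEFANGED_C2.items()}

# Constructed sample log lines (not from the page): resolver query records
# and web-proxy records in an assumed key=value format, one event per line.
SAMPLE_LOGS = """\
dns 2024-10-01T10:00:01Z client=10.1.5.22 query=www.example.org type=A
dns 2024-10-01T10:00:07Z client=10.1.5.22 query=mail.ghfrankenstein.com type=A
proxy 2024-10-01T10:00:09Z src=10.1.5.22 dst=185.216.32.186:443 method=CONNECT path=-
proxy 2024-10-01T10:01:15Z src=10.1.7.40 dst=203.0.113.9:443 method=POST path=/dns-query ctype=application/dns-message
proxy 2024-10-01T10:02:00Z src=10.1.7.41 dst=198.51.100.3:443 method=GET path=/index.html ctype=text/html
"""

Hit = namedtuple("Hit", "line_no reason client")
KV = re.compile(r"(\w+)=(\S+)")

def match_domain(name, indicator):
    """True when name equals the indicator or is one of its subdomains."""
    return name == indicator or name.endswith("." + indicator)

def scan(log_text):
    """Return Hits for C2 domain lookups, C2 IP connections and DoH-shaped requests."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = dict(KV.findall(line))
        client = fields.get("client") or fields.get("src", "?")
        # 1. Resolver queries for the page's C2 domains (subdomains included).
        q = fields.get("query", "").rstrip(".").lower()
        for ind, kind in C2_INDICATORS.items():
            if kind == "C2 domain" and q and match_domain(q, ind):
                hits.append(Hit(n, f"DNS query for C2 domain {ind}", client))
        # 2. Connections to the page's C2 IPs; dst may carry a :port suffix.
        dst_ip = fields.get("dst", "").split(":")[0]
        if C2_INDICATORS.get(dst_ip) == "C2 IP":
            hits.append(Hit(n, f"connection to C2 IP {dst_ip}", client))
        # 3. DNS-over-HTTPS shape per RFC 8484: /dns-query path or dns-message body.
        if fields.get("path") == "/dns-query" or fields.get("ctype") == "application/dns-message":
            hits.append(Hit(n, "DNS-over-HTTPS request; confirm the resolver is sanctioned", client))
    return hits
```

Calling `scan(SAMPLE_LOGS)` flags lines 2, 3 and 4; a lookup of an unrelated name such as frankenstein.com does not match because subdomain matching requires a dot boundary.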
Defend Against Salt Typhoon
Mjolnir Security provides specialized capabilities to detect and respond to Salt Typhoon operations.
- APT Threat Hunting: Proactive hunting for Salt Typhoon TTPs, tooling artifacts, and infrastructure indicators within your environment.
- Threat Intelligence: Continuous monitoring of Salt Typhoon campaigns and infrastructure changes with actionable intelligence for your defense team.
- 24/7 Incident Response: Rapid containment and forensic investigation. Call +1 833 403 5875.