Full Report
CrowdStrike observed significant growth in China’s offensive cyber capabilities last year as more groups used sector-specific skills to target critical industries and technologies. The post It’s not just Salt Typhoon: All China-backed attack groups are showcasing specialized offensive skills appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Multiple China-Linked Groups (Operator Panda/Salt Typhoon, Liminal Panda, Locksmith Panda, Vanguard Panda)
## Attribution & Identity
This summary covers several China-linked offensive cyber groups whose specialized skills CrowdStrike observed during 2024.
* **Operator Panda:** Also known as **Salt Typhoon**.
* **Associated Groups:** Liminal Panda, Locksmith Panda, and Vanguard Panda (associated with Volt Typhoon).
## Activity Summary
China-linked intrusions jumped 150% across all sectors in 2024 compared to 2023, reflecting significant advancements in offensive cyber capabilities. These groups are shifting from "smash-and-grab" activities to seeking enduring and persistent access.
* **Operator Panda (Salt Typhoon)** was linked to a spree of attacks on U.S. and global telecom providers, discovered in Spring 2024, and remains active as of January 2025.
* **Liminal Panda, Locksmith Panda, and Operator Panda** each displayed a distinct specialization in particular tasks and tools related to telecom networks.
* **Vanguard Panda (Volt Typhoon)** is noted for targeting the critical infrastructure of logistics networks.
## Tactics, Techniques & Procedures
* Establishing **Operational Relay Box (ORB) networks** (botnets of compromised edge devices) to route traffic and obfuscate operations.
* Focusing on **enduring and persistent access** rather than immediate exfiltration.
* Demonstrating **specialized offensive skills** tailored to specific critical industries and technologies.
* *Specific MITRE ATT&CK IDs were not provided in the text.*
## Targeting
* **Sectors:** Financial services, media, manufacturing, industrials, engineering, global telecom providers, and critical infrastructure (including logistics networks).
* **Geography:** U.S. and global targets.
* **Victims:** Specific organizations are not named, but the focus falls heavily on **telecom providers** and **critical infrastructure** entities (logistics).
## Tools & Infrastructure
* **Malware families used:** None are explicitly named; the only tooling described is the activity associated with ORB networks.
* **Infrastructure (C2, domains, IPs):** Use of **Operational Relay Box (ORB) networks** consisting of compromised edge devices for traffic routing and obfuscation. One related article snippet mentions Salt Typhoon gaining initial access through **Cisco devices**.
## Implications
The surge in activity (150% jump) and the demonstrated specialization indicate that China's offensive cyber capabilities are now "on par with other world powers." This escalation poses a significant threat to global critical infrastructure due to the advanced, sector-specific targeting.
## Mitigations
* Focus defensive measures on detecting and blocking traffic that is obfuscated by being routed through compromised edge devices (ORB networks).
* Enhance defenses specifically within heavily targeted sectors such as telecommunications, financial services, and manufacturing.
* Implement security measures tailored to preventing persistent, long-term access rather than only preventing the initial intrusion.
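One concrete way to act on the first mitigation is to enumerate where each edge device is legitimately allowed to initiate connections and review every flow that falls outside that set, since a device serving as an ORB relay must contact destinations the device itself has no business reaching. The script below is an added example written for this summary; it is not code from CyberScoop, CrowdStrike, or any of the groups named above. The device names, allowlist entries, thresholds, and flow records are all constructed for illustration.

```python
"""Triage egress flows from network edge devices against a per-device allowlist.

Added example (not from the original report). All device names, networks,
ports, thresholds and flow records below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    device: str       # edge device that originated the connection
    dst: str          # destination IP address
    dport: int        # destination port
    duration_s: int   # session length in seconds
    bytes_out: int    # bytes sent by the device


# Hypothetical per-device egress allowlist: (network, port) pairs each device
# legitimately initiates on its own (syslog, NTP, a vendor update mirror).
ALLOWLIST = {
    "edge-fw-01": [("10.0.5.0/24", 514), ("10.0.5.0/24", 123), ("203.0.113.10/32", 443)],
    "edge-rtr-02": [("10.0.5.0/24", 514), ("10.0.5.0/24", 123)],
}

# Constructed threshold: a network device holding a session open for an hour
# or more is unusual and worth a look even when the destination is allowed.
LONG_SESSION_S = 3600


def is_allowed(flow: Flow) -> bool:
    """True if the flow's destination/port pair is on the device's allowlist."""
    dst = ip_address(flow.dst)
    for net, port in ALLOWLIST.get(flow.device, []):
        if flow.dport == port and dst in ip_network(net):
            return True
    return False


def triage(flows):
    """Return a list of (flow, reasons) for flows that merit analyst review."""
    findings = []
    for f in flows:
        reasons = []
        if not is_allowed(f):
            reasons.append("destination/port not in device egress allowlist")
        if f.duration_s >= LONG_SESSION_S:
            reasons.append("long-lived session originated by edge device")
        if reasons:
            findings.append((f, reasons))
    return findings


def devices_with_findings(flows):
    """Set of device names that produced at least one finding."""
    return {f.device for f, _ in triage(flows)}


# Constructed sample flows (not real telemetry).
SAMPLE_FLOWS = [
    Flow("edge-fw-01", "10.0.5.20", 514, 2, 1200),          # syslog, expected
    Flow("edge-fw-01", "203.0.113.10", 443, 30, 50000),     # update mirror, expected
    Flow("edge-fw-01", "198.51.100.77", 443, 7200, 900000), # unknown host, 2h session
    Flow("edge-rtr-02", "10.0.5.20", 123, 1, 76),           # NTP, expected
    Flow("edge-rtr-02", "192.0.2.44", 8443, 45, 3000),      # unknown host, short
    Flow("edge-rtr-02", "10.0.5.21", 514, 5000, 40000),     # allowed dst, but long
]


if __name__ == "__main__":
    for flow, reasons in triage(SAMPLE_FLOWS):
        print(f"{flow.device} -> {flow.dst}:{flow.dport} ({flow.duration_s}s): " + "; ".join(reasons))
```

The allowlist deliberately describes what the device itself initiates, not what passes through it, because the question for an ORB-style compromise is whether the appliance has started acting as a client. Pairing the allowlist check with a duration threshold catches the second pattern the report describes, long-lived access, even when the destination happens to look benign.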