This report was processed and collated by the Elemendar CTI team and includes MITRE ATT&CK TTPs and IOCs collated using one of our products, READ., an AI-driven cyber security tool.
For further information or a demonstration of our products, please visit our website: elemendar.ai. If you would like a PDF version, please email us at cti@elemendar.com.
Executive Summary
Salt Typhoon’s Cyberespionage Campaign Targets U.S. Telecoms
Salt Typhoon, a Chinese state-sponsored actor, has targeted U.S. and Asian telecoms, including T-Mobile, AT&T, and Singtel, using advanced methods to access sensitive data like call logs and government communications.
The campaign aligns with China’s geopolitical objectives and establishes persistence for future operations, raising concerns about vulnerabilities in critical infrastructure.
New 'Helldown' Ransomware Variant Expands Attacks to VMware and Linux Systems
Salt Typhoon’s Cyberespionage Campaign Targets U.S. Telecoms
The China-linked threat actor Salt Typhoon (aka UNC2286 and GhostEmperor) has been conducting a widespread cyberespionage campaign targeting major telecommunications companies in the United States and Asia. Among the affected entities are T-Mobile, AT&T, Verizon, Lumen Technologies, and Singapore-based Singtel.
Elemendar CTI Analyst comment: Salt Typhoon is a Chinese state-sponsored threat actor linked to the Ministry of State Security (MSS) that has been conducting cyberespionage activity since 2020. Salt Typhoon targets critical infrastructure, especially telecommunications networks, to gather intelligence, gain persistence for future operations and map vulnerabilities. Other China-linked threat actors, such as Volt Typhoon, have previously compromised IT environments across U.S. critical infrastructure sectors, including Communications, Energy, and Transportation, with activity extending to Guam. Volt Typhoon pre-positions malware within IT networks to enable lateral movement to operational technology (OT) systems for use in future operations. Comment Ends.
This marks the ninth reported breach of T-Mobile since 2019, with earlier incidents affecting millions of customers. Other major U.S. telecom providers, including AT&T and Verizon, also reported breaches linked to Salt Typhoon, with some networks suffering data exfiltration and surveillance of private communications.
T-Mobile has confirmed it was targeted but denied that customer data was accessed or that its services were disrupted. Similarly, Singtel confirmed it was breached but stated that no customer data was exfiltrated.
Salt Typhoon exploited vulnerabilities in Cisco Systems routers and other network devices to breach telecom networks, reportedly leveraging advanced technologies like artificial intelligence (AI) and machine learning. Some networks were compromised for over eight months, allowing persistent access to sensitive data such as:
Call logs
Unencrypted text messages
Audio from targeted communications
Private communications of senior U.S. government and political officials
The campaign also involved the compromise of systems used by U.S. carriers to fulfil court-authorised wiretap (lawful intercept) requests, giving the threat actor access to information about the targets of those legal requests.
The FBI and Cybersecurity and Infrastructure Security Agency (CISA) have labelled this campaign a significant threat to U.S. critical infrastructure. The attack compromised private communications and sensitive data tied to national security, raising alarms about the vulnerabilities in global telecommunications. Investigators suggest that these breaches are part of a larger Chinese state-sponsored effort to disrupt and exploit critical systems.
Elemendar Intelligence Assessment: Salt Typhoon’s breaches appear to be part of a broader effort to collect intelligence on high-value targets, potentially aiding future operations. Their focus on sensitive systems, such as wiretap networks and government communications, aligns with China’s strategic objectives to enhance its geopolitical, military, and economic positioning globally.
Similar to Volt Typhoon, Salt Typhoon is highly likely to have gained access to these networks to establish persistence, with a view to denying communications in the future or to understanding how these communication networks function. In line with these objectives, further attacks on critical infrastructure are almost certain. Assessment Ends.
New 'Helldown' Ransomware Variant Expands Attacks to VMware and Linux Systems
Helldown, a new ransomware group, has been identified as a growing threat targeting critical infrastructure and businesses worldwide.
Elemendar CTI Analyst comment: First documented in August 2024, Helldown operates aggressively, employing double extortion tactics to exfiltrate sensitive data and threaten public leaks to pressure victims into paying ransoms. To date, the ransomware group has claimed 31 victims across sectors such as IT services, telecommunications, manufacturing, and healthcare, with most targets located in the United States and Europe. Comment Ends.
Helldown primarily exploits vulnerabilities in Zyxel firewalls to gain initial access to victims’ systems. Cybersecurity firms Truesec and Sekoia have confirmed that the group leverages both known and undocumented vulnerabilities in Zyxel devices, creating SSL VPN tunnels and stealing credentials to establish a foothold. Following this, Helldown employs typical ransomware tactics, including persistence, credential harvesting, lateral movement, and defence evasion, ultimately deploying ransomware to encrypt systems and exfiltrate data.
The Windows version of Helldown ransomware performs various pre-encryption activities, such as deleting shadow copies, terminating processes related to databases and Microsoft Office, and removing traces of its activity before shutting down infected machines. Its Linux counterpart, aimed at VMware ESXi hosts, focuses on listing and terminating running virtual machines (VMs) before encrypting their disk image files. However, the Linux variant lacks sophistication, such as obfuscation or anti-debugging mechanisms, suggesting it is still under development.
Fig.2: Helldown ransom note from xml configuration (source: Sekoia)
Elemendar CTI Analyst comment: Helldown’s behaviour shares notable similarities with Darkrace and Donex, both built from the leaked LockBit 3.0 builder. Darkrace emerged in 2023 and later rebranded as Donex, with both operations ceasing after a public decryptor was released in 2024. While Helldown appears to have inherited behavioural traits and configuration similarities from these groups, a definitive connection remains unconfirmed. Comment Ends.
Helldown has expanded its capabilities by targeting virtualised environments and VMware infrastructure, indicating an evolution in its attack strategy. Terminating VMs releases the locks on their disk image files so that they can be overwritten and encrypted; however, although the VM-termination routine is present in the Linux variant, it is not yet invoked by the ransomware code. The lack of advanced features in the Linux variant further suggests that the group’s operational maturity is still developing.
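The pre-encryption chain described above (shadow-copy deletion, killing database and Office processes, clearing traces, shutdown on Windows; VM enumeration and termination on ESXi) is more useful to defenders as a sequence than as isolated events, because any one of those commands is routine for an administrator. The following detector is an added example written for this report; it is not Helldown code and not detection content from Sekoia or Truesec. The page does not give the exact command lines Helldown runs, so the patterns below are assumptions based on the tooling typically used for each behaviour (vssadmin, wmic, taskkill, wevtutil, shutdown, esxcli, vim-cmd), and the process-creation log lines are constructed sample data. It correlates stages per host inside a time window and only alerts when two or more distinct stages appear, so a lone `taskkill` of Word does not fire.

```python
"""Stage-correlation detector for a Helldown-style pre-encryption chain.

Added example, not Helldown code or vendor detection content. The command
patterns are ASSUMED typical tooling for each behaviour the report describes;
the input records are constructed sample process-creation events.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each stage is a case-insensitive regex over the full command line.
STAGES = {
    "shadow_copy_delete": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
        r"Win32_ShadowCopy.*Delete)", re.I),
    "kill_db_office": re.compile(
        r"(taskkill|net\s+stop|sc(\.exe)?\s+stop).*(sqlservr|sqlwriter|oracle|mysqld|"
        r"winword|excel|outlook|msaccess)", re.I),
    "clear_traces": re.compile(r"wevtutil(\.exe)?\s+cl\s+|Clear-EventLog", re.I),
    "shutdown": re.compile(r"shutdown(\.exe)?\s+(/s|/r|/p)|Stop-Computer", re.I),
    # ESXi side: guests are listed, then killed, before the VMDKs are touched.
    "esxi_vm_enum": re.compile(r"esxcli\s+vm\s+process\s+list|vim-cmd\s+vmsvc/getallvms", re.I),
    "esxi_vm_kill": re.compile(r"esxcli\s+vm\s+process\s+kill|vim-cmd\s+vmsvc/power\.off", re.I),
}

WINDOW = timedelta(minutes=30)   # assumed correlation window
MIN_STAGES = 2                   # alert when >= 2 distinct stages hit on one host

# Constructed sample events (JSON lines): ts, host, user, cmdline.
SAMPLE_LOGS = """\
{"ts":"2024-11-18T02:11:04","host":"FS01","user":"CORP\\\\svc_backup","cmdline":"vssadmin.exe delete shadows /all /quiet"}
{"ts":"2024-11-18T02:11:09","host":"FS01","user":"CORP\\\\svc_backup","cmdline":"taskkill /F /IM sqlservr.exe"}
{"ts":"2024-11-18T02:12:30","host":"FS01","user":"CORP\\\\svc_backup","cmdline":"wevtutil.exe cl Security"}
{"ts":"2024-11-18T02:13:00","host":"FS01","user":"CORP\\\\svc_backup","cmdline":"shutdown.exe /s /t 0"}
{"ts":"2024-11-18T02:20:00","host":"esx01","user":"root","cmdline":"esxcli vm process list"}
{"ts":"2024-11-18T02:20:07","host":"esx01","user":"root","cmdline":"esxcli vm process kill --type=force --world-id=2103781"}
{"ts":"2024-11-18T09:00:00","host":"WS22","user":"CORP\\\\jsmith","cmdline":"taskkill /F /IM winword.exe"}
"""


def classify(cmdline):
    """Return the list of stage names whose pattern matches this command line."""
    return [name for name, rx in STAGES.items() if rx.search(cmdline)]


def load_records(text):
    """Parse JSON-lines process-creation events into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(records, window=WINDOW, min_stages=MIN_STAGES):
    """Correlate stage hits per host; one alert per host whose events span
    >= min_stages distinct stages inside the window starting at any hit."""
    per_host = defaultdict(list)
    for r in records:
        for stage in classify(r["cmdline"]):
            per_host[r["host"]].append(
                (datetime.fromisoformat(r["ts"]), stage, r["user"], r["cmdline"]))
    alerts = []
    for host, events in per_host.items():
        events.sort()
        for i, (t0, _, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - t0 <= window]
            stages = sorted({e[1] for e in in_window})
            if len(stages) >= min_stages:
                alerts.append({"host": host, "first_seen": t0.isoformat(),
                               "stages": stages,
                               "users": sorted({e[2] for e in in_window}),
                               "commands": [e[3] for e in in_window]})
                break  # one alert per host per chain is enough for triage
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(load_records(SAMPLE_LOGS))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert, indent=2))
```

On the sample data the detector raises two alerts: FS01 (all four Windows stages within two minutes under a single service account) and esx01 (VM enumeration followed by a forced kill), while WS22, where a user merely killed Word, stays silent. In production the same logic would sit over Sysmon event ID 1 or Windows 4688 with command-line auditing enabled, and over ESXi shell logs (/var/log/shell.log); the window and stage threshold are tuning knobs, not fixed values.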
Helldown’s targets include both small and medium-sized enterprises and larger organisations, such as Zyxel Europe, a subsidiary providing network and cybersecurity solutions. The group exfiltrates significant volumes of data, averaging 70GB per victim, often focusing on administrative files like PDFs and scanned documents. Its indiscriminate data collection contrasts with the more selective approach of other ransomware groups, possibly reflecting a strategy to maximise pressure on victims.
Elemendar Intelligence Assessment: Helldown represents an active and evolving intrusion set whose success relies on exploiting unpatched vulnerabilities and on established ransomware techniques. While Helldown’s ransomware lacks sophistication, its ability to compromise targets is proven.
By primarily targeting small and medium-sized businesses, the Helldown group is highly likely to be operationally testing its malware against targets that are likely to have less robust security controls in place. From this operational testing, the group is almost certain to modify and improve the malware before moving on to larger, more profitable targets. Therefore, in time, as the group continues to develop and refine its toolset, Helldown is likely to become a critical threat within the ransomware landscape, representing a threat to all verticals. Assessment Ends.
Annex A: References
Salt Typhoon’s Cyberespionage Campaign Targets U.S. Telecoms
https://informationsecuritybuzz.com/ransomware-attacks-on-healthcare-secto/
https://www.pymnts.com/cybersecurity/2024/t-mobile-network-reportedly-breached-in-chinese-hacking-campaign/
https://securitybrief.co.nz/story/cyber-espionage-group-volt-typhoon-resurfaces-globally
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
New 'Helldown' Ransomware Variant Expands Attacks to VMware and Linux Systems
https://thehackernews.com/2024/11/new-helldown-ransomware-expands-attacks.html
Annex B: STIX Entities
Salt Typhoon’s Cyberespionage Campaign Targets U.S. Telecoms
Mitre ATT&CK TTPs / Attack Procedures
ID | Name | Tactic | Procedure | Description | Logs |
T1190 | Exploit Public-Facing Application | Initial Access | Exploitation of Vulnerable Web Applications | Adversaries exploit vulnerabilities in public-facing applications to gain initial access to a network. | Web server logs: Look for exploit attempts or unexpected parameter injection in HTTP requests. |
T1562.011 | Spoof Security Alerting | Defence Evasion | Manipulation of Security Alerts | Adversaries spoof or disable security alerts to avoid detection and mislead defenders. | Security tool logs: Unusual changes to alerting configurations or suppression of alerts. |
T1584.008 | Network Devices | Resource Development | Targeting Network Devices for Attack Infrastructure | Adversaries leverage compromised network devices as infrastructure for further attacks. | Network device logs: Look for unauthorised changes, new configurations, or unusual traffic patterns. |
New 'Helldown' Ransomware Variant Expands Attacks to VMware and Linux Systems
Mitre ATT&CK TTPs / Attack Procedures
ID | Name | Tactic | Procedure | Description | Logs |
T1203 | Exploitation for Client Execution | Execution | Client-Side Exploitation | Exploiting vulnerabilities in client applications to execute arbitrary code. | Application logs: Unexpected crashes or exploit attempts. |
T1584.008 | Network Devices | Resource Development | Compromising Network Devices | Leveraging network devices for attack infrastructure. | Network device logs: Unauthorised changes or unusual traffic. |
T1211 | Exploitation for Defence Evasion | Defence Evasion | Bypassing Defences via Exploits | Exploiting vulnerabilities to evade detection mechanisms. | Security logs: Detection of exploit activity targeting defensive software. |
T1588.006 | Vulnerabilities | Resource Development | Acquiring Exploits | Obtaining vulnerabilities or exploits for use in operations. | Threat intel logs: Indicators of exploit acquisition on dark web or other platforms. |
T1132 | Data Encoding | Command and Control | Encoding Data for Transmission | Encoding command-and-control communications to avoid detection. | Network logs: Base64-encoded traffic or other encoding patterns. |
T1556.001 | Domain Controller Authentication | Credential Access | Patching Domain Controller Authentication | Modifying the authentication process on a domain controller (e.g., a Skeleton Key-style patch to LSASS) so that a chosen password is accepted for any account. | Authentication logs and EDR telemetry: Successful logons with unexpected credentials, LSASS memory modification or unsigned code loaded on domain controllers. |
T1562.007 | Disable or Modify Cloud Firewall | Defence Evasion | Cloud Firewall Modification | Disabling or changing cloud firewall settings to allow malicious traffic. | Cloud provider logs: Changes to firewall rules or access configurations. |
T1135 | Network Share Discovery | Discovery | Identifying Network Shares | Scanning and listing shared directories on a network. | File access logs: Access to network shares by unauthorised users. |
T1037 | Boot or Logon Initialization Scripts | Persistence | Modification of Startup Scripts | Altering scripts executed during boot or logon to maintain persistence. | File change logs: Modifications to startup scripts such as logon.bat. |
T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration | Encrypted Data Exfiltration | Exfiltrating data over symmetric encrypted protocols. | Network traffic logs: Suspicious encrypted outbound connections. |
T1600 | Weaken Encryption | Defence Evasion | Use of Weak Encryption Algorithms | Reducing or disabling the encryption capability of a network device so that traffic can be read or manipulated. | Network device configuration and audit logs: Changes to crypto settings or the use of outdated or insecure algorithms. |
T1059.003 | Windows Command Shell | Execution | Command Execution via Shell | Executing commands using the Windows Command Shell. | Command-line logs: Commands executed via cmd.exe. |
T1055.012 | Process Hollowing | Defence Evasion | Injecting Code into Processes | Hiding malicious code within legitimate processes via hollowing. | Process injection logs: Anomalous memory allocations or threads. |
T1529 | System Shutdown/Reboot | Impact | Forcing System Reboots | Rebooting or shutting down systems to disrupt operations or remove forensic evidence. | Event logs: System shutdown or restart events triggered by unauthorised users. |
T1036.006 | Space after Filename | Defence Evasion | Filename Obfuscation | Appending a space to a filename so the operating system ignores the apparent extension and executes the file by its true type, evading extension-based checks. | File access logs: Files with unexpected trailing spaces in their names. |
T1548.006 | TCC Manipulation | Privilege Escalation | Abuse of Transparency, Consent, and Control | Exploiting macOS TCC to bypass security controls. | macOS logs: Unexpected access to protected resources. |
T1573.002 | Asymmetric Cryptography | Command and Control | Encrypted C2 with Public Key Encryption | Using asymmetric cryptography to encrypt command-and-control communications. | Network logs: Encrypted traffic using asymmetric algorithms. |
T1573 | Encrypted Channel | Command and Control | Secure C2 Communications | Encrypting command-and-control channels to evade detection. | Network logs: Detection of encrypted traffic from unexpected sources. |
IOCs
Type | Value |
sha256 | 0bfe25de8c46834e9a7c216f99057d855e272eafafdfef98a6012cecbbdcfab |
sha256 | 7cd7c04c62d2a8b4697ceebbe7dd95c910d687e4a6989c1d839117e55c1cafd7 |
sha256 | 7731d73e048a351205615821b90ed4f2507abc65acf4d6fe30ecdb211f0b0872 |
sha256 | 3e3fad9888856ce195c9c239ad014074f687ba288c78ef26660be93ddd97289e |
sha256 | 2621c5c7e1c12560c6062fdf2eeeb815de4ce3856376022a1a9f8421b4bae8e1 |
sha256 | 47635e2cf9d41cab4b73f2a37e6a59a7de29428b75a7b4481205aee4330d4d19 |
sha256 | cb48e4298b216ae532cfd3c89c8f2cbd1e32bb402866d2c81682c6671aa4f8ea |
sha256 | 67aea3de7ab23b72e02347cbf6514f28fb726d313e62934b5de6d154215ee733 |
sha256 | 2b15e09b98bc2835a4430c4560d3f5b25011141c9efa4331f66e9a707e2a23c0 |
sha256 | 6ef9a0b6301d737763f6c59ae6d5b3be4cf38941a69517be0f069d0a35f394dd |
sha256 | 9ab19741ac36e198fb2fd912620bf320aa7fdeeeb8d4a9e956f3eb3d2092c92c |
sha256 | ccd78d3eba6c53959835c6407d81262d3094e8d06bf2712fefa4b04baadd4bfe |
Probability Language
This document uses probability language (for example "highly likely" and "almost certain") based on analyst assessment. The probability scale is provided as an image in the original report.
Feedback
We welcome your feedback, this ensures we meet your needs.
Please contact our CTI Director at : CTI@elemendar.ai
Acknowledgements
Authored by Paul Montgomery, CTI Director Elemendar