
New Research Reveals Chinese APT Group Domain Connections

New research from Silent Push has uncovered previously undisclosed domains used by the Chinese APT group Salt Typhoon and other state-backed actors from the People’s Republic of China. These domains were used to maintain covert access to targeted organizations over an extended period. A parallel threat actor known as UNC4841, recognized for exploiting a Barracuda vulnerability to infiltrate networks, shares technical infrastructure similarities with Salt Typhoon. The discovery of these intertwined operations raises questions about potential links between the two Chinese APT groups.


Analysts at Silent Push identified distinctive domain registration patterns within the reported command and control (C2) infrastructure, leading to the discovery of 45 domain names associated with Salt Typhoon or closely affiliated threat actors. These domains, dating back several years, underscore the sustained activity of these groups, dispelling the notion that the 2024 attacks were their initial forays.


Initial observations indicated a convergence of infrastructure between Salt Typhoon and UNC4841, prompting Silent Push to incorporate findings on UNC4841 in their investigation. While additional related infrastructure has been identified, operational security constraints prevent its immediate disclosure.


The targeted nature of these campaigns, often exploiting vulnerabilities in public-facing servers, poses challenges in identifying actionable indicators. Despite the absence of known phishing pages or malicious emails linked to Salt Typhoon, actors typically deploy malware to establish persistence, necessitating connections to controlled servers for ongoing operations.


Analysis of domain registration details using WHOIS data unveiled consistent patterns, with multiple domains registered under fictitious personas associated with ProtonMail addresses. Notably, domains like newhkdaily[dot]com, designed to mimic a Hong Kong news outlet, suggest potential subterfuge or propaganda dissemination.


Further investigation into Start of Authority (SOA) records revealed additional insights, enabling threat hunters to track related infrastructure based on shared registration patterns. These records, often overlooked, provide valuable leads into the management practices of threat actors.


Following up on additional ProtonMail addresses found in domain registrations led to the discovery of further domains, all using the same name servers as those linked to Salt Typhoon. While some of these domains are now inactive or have been repurposed, the overall risk posed by the full set of domains attributed to Salt Typhoon and UNC4841 cannot be overstated, and proactive defensive measures are warranted.

Silent Push emphasizes the importance of their Indicators Of Future Attack (IOFA) Feeds in preemptively detecting criminal and APT infrastructure, enhancing defenders’ readiness beyond traditional IoCs. The ongoing monitoring of Salt Typhoon’s activities underscores the evolving nature of cyber threats and the imperative for continuous vigilance.

As organizations potentially at risk of Chinese espionage are urged to scrutinize their DNS logs for domain requests associated with the identified threat actors, the Silent Push team remains committed to tracking and sharing technical insights with clients. The collaborative effort to combat advanced cyber threats underscores the critical role of proactive defense strategies in safeguarding against persistent threats.
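The hunt the article describes, as an added example that is not Silent Push's tooling: pivot from a seed domain across shared SOA RNAME mailboxes and name servers to expand a watchlist, then match that list against DNS query logs. All zone data and log lines are constructed; only newhkdaily[dot]com comes from the article, every other domain, mailbox and name server is a placeholder.

```python
import re
from collections import defaultdict  # noqa: F401 (handy when extending the pivot to per-key clusters)

# Constructed sample data (not from the report): per-domain SOA RNAME (the zone's
# responsible mailbox) and authoritative name-server set. ".invalid" marks placeholders.
ZONE_DATA = {
    "newhkdaily.com": {"rname": "persona-a.protonmail.invalid", "ns": {"ns1.dns-a.invalid", "ns2.dns-a.invalid"}},
    "example-b.com":  {"rname": "persona-a.protonmail.invalid", "ns": {"ns1.dns-c.invalid"}},
    "example-c.net":  {"rname": "persona-b.protonmail.invalid", "ns": {"ns1.dns-a.invalid", "ns2.dns-a.invalid"}},
    "example-d.com":  {"rname": "persona-b.protonmail.invalid", "ns": {"ns1.dns-d.invalid"}},
    "unrelated.org":  {"rname": "hostmaster.registrar.invalid", "ns": {"ns1.registrar.invalid"}},
}

# Constructed BIND-style query-log lines; the third one must NOT match (different domain).
SAMPLE_LOG = [
    "12-Feb-2025 09:14:02.118 client @0x7f1c 10.0.0.5#51234 (www.newhkdaily.com): query: www.newhkdaily.com IN A +E(0) (10.0.0.1)",
    "12-Feb-2025 09:14:05.001 client @0x7f1c 10.0.0.9#40021 (example-d.com): query: example-d.com IN A + (10.0.0.1)",
    "12-Feb-2025 09:14:07.300 client @0x7f1c 10.0.0.5#51240 (notnewhkdaily.com): query: notnewhkdaily.com IN A + (10.0.0.1)",
]
LOG_RE = re.compile(r"client (?:@\S+ )?(?P<src>[^\s#]+)#\d+(?: \([^)]*\))?: query: (?P<qname>\S+) IN")

def refang(indicator):
    """Turn a defanged indicator such as newhkdaily[dot]com back into a usable hostname."""
    return re.sub(r"\[(?:dot|\.)\]", ".", indicator, flags=re.I).lower().strip(".")

def pivot(seeds, zones):
    """Expand the seed set with every domain sharing an SOA RNAME or a name server with a
    seed, repeating until nothing new appears. Only pivot on keys that are actor-specific:
    a big registrar's default NS or RNAME would pull in thousands of unrelated zones."""
    found = set(seeds)
    while True:
        rnames = {zones[d]["rname"] for d in found if d in zones}
        servers = set().union(*(zones[d]["ns"] for d in found if d in zones))
        new = {d for d, z in zones.items() if z["rname"] in rnames or z["ns"] & servers}
        if new <= found:
            return found
        found |= new

def hunt(log_lines, watchlist):
    """Return (source, qname) for each query naming a watched domain or a subdomain of one."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        qname = m["qname"].lower().rstrip(".")
        if any(qname == w or qname.endswith("." + w) for w in watchlist):
            hits.append((m["src"], qname))
    return hits

if __name__ == "__main__":
    watch = pivot({refang("newhkdaily[dot]com")}, ZONE_DATA)
    print(sorted(watch), hunt(SAMPLE_LOG, watch))
```

The second pivot iteration is what reaches example-d.com: it shares no key with the seed, only with example-c.net, which itself shares name servers with the seed.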
