Salt Typhoon (Deprecated)

Also known as: Salt Typhoon (Deprecated)

We are no longer maintaining this object in favor of a similar object subsequently published by MITRE: “Salt Typhoon” (Group). All relevant Tidal content extensions (e.g. additional Technique and Object relationships and metadata) have been added to the MITRE-authored object.

Salt Typhoon is likely a cyberespionage group linked to the Chinese government. September 2024 reports indicated the group is believed to have compromised U.S. internet service providers with the intent of collecting sensitive information.[WSJ Salt Typhoon September 26 2024]

Microsoft researchers indicate that “other names” for Salt Typhoon actors include FamousSparrow and GhostEmperor, a group that was previously tied to supply chain attacks on telecommunications and government entities in Southeast Asia.[Microsoft Threat Actor Naming July 2023][Sygnia July 17 2024] Mandiant researchers identified activity overlaps between GhostEmperor, FamousSparrow, and actors they track as UNC2286.[Mandiant UNC4841 August 29 2023]

🌍 Country: China

Activities and Tactics

Country of Origin: 🇨🇳 China

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • SHIPSHAPE
  • CyberGate
  • Cyber Eye RAT
  • Archelaus Beta
  • Ghost

Attribution and Evidence

Country of Origin: China

Additional attribution information pending cataloguing.

References

[1] [WSJ Salt Typhoon September 26 2024]
[2] [Microsoft Threat Actor Naming July 2023]
[3] [Sygnia July 17 2024]
[4] [Mandiant UNC4841 August 29 2023]