The Australian Signals Directorate and the Australian Cyber Security Centre have joined cybersecurity institutions in the US, Canada and New Zealand to warn local technology professionals to be wary of China-affiliated threat actors, including Salt Typhoon, infiltrating their critical communications infrastructure.
The news comes weeks after the Australian Signals Directorate's 2023-2024 Annual Cyber Threat Report, in which the agency warned that state-sponsored cyber actors had been persistently attacking Australian governments, critical infrastructure and businesses using techniques that evolved during the most recent reporting period.
What is Salt Typhoon?
Recently, the United States revealed that a China-connected threat actor, Salt Typhoon, compromised the networks of at least eight US-based telecommunications providers as part of “a broad and significant cyber espionage campaign.” But the campaign is not limited to American shores.
Australian agencies did not confirm whether Salt Typhoon has reached Australian telecommunications companies. However, Grant Walsh, telecommunications industry leader at local cybersecurity firm CyberCX, wrote that it was “unlikely the ACSC – and partner agencies – would issue such detailed guidance if the threat were not real.”
“Telecommunications networks have invested in some of Australia's most mature cyber defences. But the global threat landscape is deteriorating,” he wrote. “Telecommunications networks are a key target for persistent and highly capable state cyber espionage groups, particularly those associated with China.”
Salt Typhoon: Part of a broader state-sponsored threat problem
Over the past year, ASD issued several joint advisories with international partners to highlight evolving operations of state-sponsored cyber actors, particularly Chinese-sponsored actors.
In February 2024, ASD joined the United States and other international partners in publishing an advisory. It assessed that Chinese-sponsored cyber actors were seeking to position themselves in information and communications technology networks to conduct disruptive cyberattacks against critical US infrastructure in the event of a major crisis.
The ASD noted that Australian critical infrastructure networks could be vulnerable to state-sponsored malicious cyber activity similar to that seen in the US.
“These actors conduct cyber operations in pursuit of state objectives, including espionage, exercising malign influence, interference and coercion, and seeking to preposition networks for disruptive cyber attacks,” the ASD wrote in the report.
In the ASD's annual cyber report, the agency said China's targeting and pattern of behavior are consistent with pre-positioning for disruptive effects rather than traditional cyber espionage operations. However, it said state-sponsored cyber actors also have intelligence gathering and espionage objectives in Australia.
“State actors have a long-standing interest in obtaining sensitive information, intellectual property, and personally identifiable information for strategic and tactical advantage,” the report says. “Australian organizations typically have large amounts of data, so they are likely to be a target for this type of activity.”
Common techniques used by state-sponsored attackers
According to Walsh, Chinese-sponsored actors like Salt Typhoon are “advanced persistent threat actors.” Unlike ransomware groups, they do not seek immediate financial gain but rather “want access to sensitive core components of critical infrastructure, such as telecommunications, for espionage or even destructive purposes.”
“Their attacks are not intended to crash systems and extract profits quickly,” according to Walsh. “Instead, these are covert, state-sponsored cyberespionage campaigns that use hard-to-detect techniques to break into critical infrastructure and remain there, potentially for years. They are hoping to steal sensitive data or even alter or destroy assets in the event of a future conflict with Australia.”
ASD has warned defenders about common techniques leveraged by these state-sponsored threat actors.
Supply chain compromises
According to the ASD, supply chain compromise can act as a gateway to target networks. The agency noted: “Cyber supply chain risk management should form an important component of an organization's overall cybersecurity strategy.”
Living off the land techniques
One of the reasons state-sponsored actors are so difficult to detect, according to the ASD, is that they use “built-in network management tools to carry out their objectives and evade detection by blending in with the normal activities of the system and network.” These so-called “living off the land” techniques involve waiting to steal information from an organization's network.
Cloud techniques
State-sponsored threat actors adapt their techniques to exploit cloud systems for espionage purposes as organizations migrate to cloud-based infrastructure. The ASD said techniques to access an organization's cloud services include “brute force attacks and password spraying to access highly privileged service accounts.”
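For defenders, the two techniques the ASD names leave different traces in sign-in logs: brute force is many failures against one account, while password spraying is a few failures spread across many accounts from one source. The sketch below is an added example, not taken from the ASD report; the event format, account names, thresholds and documentation-range IP addresses are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED = {"svc-backup", "svc-deploy"}  # assumed privileged service accounts
WINDOW = timedelta(minutes=30)             # assumed observation window
SPRAY_ACCOUNTS = 4   # distinct accounts failed from one source => spray
BRUTE_ATTEMPTS = 5   # failures on one account from one source => brute force

def _ev(ts, src, acct, ok):
    return {"ts": datetime.fromisoformat(ts), "src": src, "acct": acct, "ok": ok}

# Constructed sample sign-in events, not real telemetry.
SAMPLE_EVENTS = (
    [_ev(f"2024-12-01T02:{m:02d}:00", "203.0.113.7", a, False)
     for m, a in enumerate(["alice", "bob", "carol", "svc-backup", "svc-deploy"])]
    + [_ev("2024-12-01T02:09:00", "203.0.113.7", "svc-deploy", True)]
    + [_ev(f"2024-12-01T03:{m:02d}:00", "198.51.100.9", "dave", False)
       for m in range(6)]
    + [_ev("2024-12-01T04:00:00", "192.0.2.20", "erin", False),
       _ev("2024-12-01T04:01:00", "192.0.2.20", "erin", True)]
)

def detect(events):
    """Return (kind, source, accounts) findings for each source address."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        # Simplification: one window per source, anchored at its first event.
        window = [e for e in evs if e["ts"] - evs[0]["ts"] <= WINDOW]
        fails = defaultdict(int)
        for e in window:
            if not e["ok"]:
                fails[e["acct"]] += 1
        attacked = False
        if len(fails) >= SPRAY_ACCOUNTS:
            findings.append(("password_spray", src, sorted(fails)))
            attacked = True
        for acct, n in fails.items():
            if n >= BRUTE_ATTEMPTS:
                findings.append(("brute_force", src, [acct]))
                attacked = True
        # Most urgent case: a privileged account logs in from an attacking source.
        hit = sorted({e["acct"] for e in window if e["ok"] and e["acct"] in PRIVILEGED})
        if attacked and hit:
            findings.append(("privileged_login_after_attack", src, hit))
    return findings
```

A single mistyped password followed by a success, as in the third sample source, produces no finding, which keeps the rule from firing on ordinary user error.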
How to defend against cyber threats
There are some similarities in the techniques of threat actors and the weaknesses of the systems they exploit. The ASD said state-sponsored cyber actors often use previously stolen data, such as network information and credentials from previous cybersecurity incidents, to further their operations and re-exploit network devices.
Luckily, companies can protect themselves from cyberattacks. Earlier this year, TechRepublic consolidated expert advice on how businesses can defend against the most common cyber threats, including zero-days, ransomware, and deepfakes. These suggestions included keeping software up-to-date, implementing endpoint security solutions, and developing an incident response plan.