As China presses its global digital strategy, security researchers warn that the activity of its long-established hacking groups is changing. The tactics of these groups are converging into a denser, more sophisticated web of threats, and better operational cover makes it increasingly hard to tell cybercriminals from state-sponsored operators.
Recent events have painted a troubling picture for U.S. federal agencies: the Chinese hacking group known as “Salt Typhoon” was found to have compromised at least nine major telecommunications companies in the United States, and its intrusions not only continued into the current year but spread to other countries. Separately, the Beijing-linked group “Volt Typhoon” has been detected inside critical infrastructure and utility networks in the U.S. and beyond. A third long-running actor, Brass Typhoon (also tracked as APT41), has kept a lower profile while steadily extending its reach since it first appeared around 2012.
Brass Typhoon has kept a broad scope of operations over the past year. John Hultquist, Mandiant’s threat intelligence lead, describes the group as a coalition whose targets have ranged from U.S. livestock applications to source code and chip designs in Taiwan’s semiconductor industry, as well as power grids. This year’s campaigns have reportedly hit the technology, automotive, logistics and media sectors in several countries, using newly developed malware in sustained offensive operations.
Brass Typhoon’s history includes high-profile software supply chain attacks in the late 2010s and brazen intrusions into telecoms, where it focused on call record data. The group is known for its dual nature: it conducts espionage aligned with Chinese state interests while also running cybercriminal ventures, notably against the lucrative video game industry and its in-game currency economy.
Current research indicates that Brass Typhoon remains active, recently exploiting online gambling platforms while continuing its espionage against manufacturing and energy targets. Its persistent activity runs in parallel with the more publicized operations of Salt Typhoon and Volt Typhoon and points to a broader pattern in China’s state-backed hacking. Taken together, these operations are better understood as one systemic threat than as a series of isolated incidents.
Jen Easterly, former director of the U.S. Cybersecurity and Infrastructure Security Agency, has noted that drawing fine distinctions between the various China-linked hacking groups can cause confusion. What matters, she argued, is China’s overall significance as a formidable and persistent cyber threat, a view shared by security experts who call for a holistic understanding of nation-state hacking activity.
Hultquist underscored the evolving tactics of these groups, noting that while tracking individual actors remains essential, defenders must also account for the collaborative advantages these groups derive from state-sponsored espionage and offensive operations. As the groups adapt and refine their methods, recognizing the full breadth of their activity becomes vital for effective mitigation.
Ultimately, Brass Typhoon’s ongoing operations show why heightened vigilance is needed among businesses and organizations exposed to intrusion. Tradecraft publicly attributed to the group maps to MITRE ATT&CK techniques such as initial access through spear phishing, persistence via web shells, and privilege escalation that opens the way to critical systems. The growing sophistication of these threats makes robust security measures across industries urgent.
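The web shell persistence mentioned above (ATT&CK T1505.003) is one of the few tactics in this article that a defender can hunt for directly in data they already have. The following is an added example, not code from the article or from any of the vendors it cites: a small hunt over web server access logs that flags script files executed from directories that should only serve static content, and repeated POSTs to scripts missing from the deployment baseline. The log lines, the baseline route list and the static-only directories are all constructed for the example and would be replaced by the real application’s inventory.

```python
"""Web-shell hunt over access-log lines (ATT&CK T1505.003).

Added example. The sample log, the baseline script list and the
static-only directories are constructed for illustration, not taken
from any real incident or deployment.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Combined log format: ip - - [ts] "METHOD PATH PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Hypothetical baseline: script paths the deployed application legitimately serves.
BASELINE_SCRIPTS = {"/index.php", "/login.php", "/api/orders.php"}
# Hypothetical directories that must only serve static content (never execute code).
NO_EXEC_DIRS = ("/uploads/", "/images/", "/backup/")
SCRIPT_EXT = (".php", ".jsp", ".jspx", ".asp", ".aspx", ".ashx")

# Constructed sample log: one benign user and one client hammering a script
# that was dropped into the uploads directory.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Mar/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2025:10:01:05 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Mar/2025:10:07:41 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.23 - - [03/Mar/2025:10:07:43 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 140 "-" "python-requests/2.31"
198.51.100.23 - - [03/Mar/2025:10:07:49 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 2201 "-" "python-requests/2.31"
203.0.113.7 - - [03/Mar/2025:10:09:00 +0000] "GET /images/logo.png HTTP/1.1" 200 3311 "-" "Mozilla/5.0"
"""


@dataclass
class Finding:
    ip: str
    path: str
    reason: str
    technique: str = "T1505.003"  # Server Software Component: Web Shell


def parse(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def hunt(lines, min_posts=3):
    """Scan access-log lines and return Finding objects for web-shell indicators."""
    posts = Counter()            # (ip, path) -> number of POSTs
    user_agents = defaultdict(set)
    findings = []
    flagged_static = set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if not path.lower().endswith(SCRIPT_EXT):
            continue                     # only server-side script files matter here
        key = (rec["ip"], path)
        # Rule 1: a script being executed from a directory that should be static-only.
        if path.startswith(NO_EXEC_DIRS) and key not in flagged_static:
            findings.append(Finding(rec["ip"], path, "script under static-only directory"))
            flagged_static.add(key)
        # Rule 2: repeated POSTs to a script that is not part of the known deployment.
        if rec["method"] == "POST" and path not in BASELINE_SCRIPTS:
            posts[key] += 1
            user_agents[key].add(rec["ua"])
            if posts[key] == min_posts:
                findings.append(
                    Finding(rec["ip"], path, f"{min_posts}+ POSTs to non-baseline script")
                )
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f"{f.technique} {f.ip} {f.path}: {f.reason}")
```

On the constructed sample the hunt returns two findings, both for the client posting to /uploads/avatar.php; the benign GET and the POST to the baseline login page are ignored. In practice the baseline list should be generated from the deployed artifact (for example a file listing from the release package) rather than hand-maintained, and rule 2 is most useful when joined with file creation times from the web root, since a web shell is typically a script whose modification time postdates the last deployment.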