Allied spy agencies blame 3 Chinese tech companies for Salt Typhoon attacks

Intelligence and cybersecurity agencies from more than a dozen allied countries published an advisory on Wednesday blaming three Chinese technology companies for cyber-espionage campaigns targeting global critical infrastructure.

The activity identified by the intelligence services partially overlaps with campaigns reported by the cybersecurity industry and tracked as Salt Typhoon, RedMike, OPERATOR PANDA, UNC5807 and Ghost Emperor among others, stated the document.

The campaign first came to light last year after threat actors intercepted the correspondence of senior officials within both presidential campaigns, including from President-elect Donald Trump and his running mate JD Vance. In December, U.S. officials said dozens of other countries had been impacted.

The group more recently breached devices linked to seven telecommunications companies — including Comcast and MTN Group — since February, according to research from Recorded Future. The Record is an editorially independent unit of the company.

Thirteen countries co-sealed the announcement on Wednesday, including agencies from the United States, Australia, Canada, New Zealand, United Kingdom, Czech Republic, Finland, Germany, Italy, Japan, Netherlands, Poland and Spain.

The three Chinese companies — Huanyu Tianqiong Information Technology Co., Ltd, Sichuan Zhixin Ruijie Network Technology Co., Ltd and Sichuan Juxinhe Network Technology Co. Ltd, which was sanctioned by the United States back in January — were accused of providing “cyber-related products and services to China’s intelligence services, including multiple units in the People’s Liberation Army and Ministry of State Security” since at least 2021, according to the advisory.

Data obtained through these companies’ intrusions against the telecommunications, lodging and transportation sectors has provided “Chinese intelligence services with the capability to identify and track their targets’ communications and movements around the world,” it warned.

The vulnerabilities listed in the advisory include CVE-2024-21887, which in January the U.S. Cybersecurity and Infrastructure Security Agency warned was being exploited in attacks targeting federal agencies, and CVE-2024-3400, a zero-day discovered in Palo Alto Networks’ VPN product in April last year.

The advisory comes as Brett Leatherman, the top cyber official at the FBI, told the Wall Street Journal that more than 80 countries had been impacted by a China-sponsored espionage campaign known as Salt Typhoon targeting telecommunications providers.

Richard Horne, the chief executive of Britain’s National Cyber Security Centre, said: “We are deeply concerned by the irresponsible behaviour of the named commercial entities based in China that has enabled an unrestrained campaign of malicious cyber activities on a global scale.

“It is crucial organisations in targeted critical sectors heed this international warning about the threat posed by cyber actors, who have been exploiting publicly known — and so therefore fixable — vulnerabilities.”

The advisory stresses that these bugs have all been patched and provides remediation advice for companies still running the exploitable software, as well as ways for companies in the co-authors’ countries to contact their respective cybersecurity authorities.

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.