Hackers Target Internet Providers in Major Cyber Espionage Effort

Chinese-backed cyber attackers have infiltrated several U.S. internet service providers (ISPs) as part of a broader espionage campaign aimed at collecting sensitive information.

According to a recent report, these hackers, tracked by a leading tech firm under the name Salt Typhoon—also known as FamousSparrow and GhostEmperor—are believed to be state-sponsored and linked to Beijing.

Investigators are currently looking into whether the attackers breached key infrastructure, such as routers from a major U.S. tech company, which manage much of the internet’s traffic. The cybercriminals’ ultimate goal appears to be gaining a long-term presence in these networks to access confidential data or launch potential future attacks.

GhostEmperor, initially identified in 2021, was known for its stealthy operations targeting Southeast Asia, deploying advanced tools like a rootkit named Demodex. The group has previously struck high-profile targets across Malaysia, Thailand, Vietnam, and Indonesia, with additional attacks in Egypt, Ethiopia, and Afghanistan.

Most recently, in July 2024, an unnamed business was compromised by Salt Typhoon, who exploited one of its partner networks, as revealed by a security firm. The intruders used various tools to communicate with their command-and-control servers, including a variant of the Demodex malware.

This cyberattack follows closely on the heels of another significant disruption, where U.S. authorities dismantled a 260,000-device botnet known as Raptor Train, controlled by another Beijing-affiliated group, Flax Typhoon. These events highlight the continued targeting of ISPs, telecoms, and other critical infrastructure sectors by Chinese state-sponsored hacking groups.

To prevent such breaches, organizations should adopt multi-layered cybersecurity measures. Regular system updates, network segmentation, and continuous monitoring for unusual activity are critical. Strengthening authentication processes, such as multi-factor authentication (MFA), and conducting frequent security audits can help identify and mitigate vulnerabilities.