Aliases: Earth Estries, FamousSparrow, GhostEmperor, UNC2286
Salt Typhoon is an advanced persistent threat (APT) group believed to be operated by China's Ministry of State Security (MSS). Active since at least 2019, the group is also known by aliases such as Earth Estries, FamousSparrow, GhostEmperor, and UNC2286. Salt Typhoon specializes in cyber espionage, focusing on intelligence collection and data exfiltration. Their operations have targeted various sectors, including telecommunications, government agencies, and technology companies.
In 2024, Salt Typhoon orchestrated a significant breach of U.S. telecommunications networks, infiltrating at least nine major firms, including AT&T, Verizon, and T-Mobile. The group exploited vulnerabilities in network devices and systems, gaining access to sensitive data such as call logs, text messages, and, in some cases, audio recordings. Notably, they compromised systems used for lawful wiretapping, posing substantial national security concerns. The attackers employed sophisticated techniques, including "living off the land" tactics, in which legitimate administrative tools are used to evade detection and maintain persistent access.