The Australian Signals Directorate and the Australian Cyber Security Centre have joined cybersecurity institutions from the U.S., Canada, and New Zealand in warning local technology professionals to beware of threat actors affiliated with China, including Salt Typhoon, infiltrating their critical communications infrastructure.

The news comes weeks after the release of the Australian Signals Directorate’s Annual Cyber Threat Report 2023-2024, in which the agency warned that state-sponsored cyber actors had been persistently targeting Australian governments, critical infrastructure, and businesses using evolving tradecraft over the most recent reporting period.

What is Salt Typhoon?

Recently, the U.S. revealed that a China-connected threat actor, Salt Typhoon, compromised the networks of at least eight U.S.-based telecommunications providers as part of “a broad and significant cyber espionage campaign.” But the campaign is not limited to U.S. shores.

Australian agencies did not confirm whether Salt Typhoon has reached Australian telco companies. However, Grant Walsh, telco industry lead at local cyber security firm CyberCX, wrote that it was “unlikely the ACSC – and partner agencies – would issue such detailed guidance if the threat was not real.”

“Telco networks have invested in some of the most mature cyber defences in Australia. But the global threat landscape is deteriorating,” he wrote. “Telecommunications networks are a key target for persistent and highly-capable state-based cyber espionage groups, particularly those associated with China.”

Salt Typhoon: Part of a wider state-sponsored threat problem

Over the past year, the ASD has issued several joint advisories with international partners to highlight the evolving operations of state-sponsored cyber actors, particularly those sponsored by China.

In February 2024, the ASD joined the U.S. and other international partners in releasing an advisory. It assessed that China-sponsored cyber actors were seeking to position themselves on information and communications technology networks for disruptive cyberattacks against U.S. critical infrastructure in the event of a major crisis.

The ASD noted that Australian critical infrastructure networks could be vulnerable to similar state-sponsored malicious cyber activity as seen in the U.S.

“These actors conduct cyber operations in pursuit of state goals, including for espionage, in exerting malign influence, interference and coercion, and in seeking to pre-position on networks for disruptive cyber attacks,” the ASD wrote in the report.

In the ASD’s annual cyber report, the agency said China’s choice of targets and pattern of behaviour are consistent with pre-positioning for disruptive effects rather than traditional cyber espionage operations. However, it said that state-sponsored cyber actors also have information-gathering and espionage objectives in Australia.

“State actors have an enduring interest in obtaining sensitive information, intellectual property, and personally identifiable information to gain strategic and tactical advantage,” the report said. “Australian organisations often hold large quantities of data, so are likely a target for this type of activity.”

Common techniques used by state-sponsored attackers

According to Walsh, China-sponsored actors like Salt Typhoon are “advanced persistent threat actors.” Unlike ransomware groups, they are not seeking immediate financial gain but “want access to the sensitive core components of critical infrastructure, like telecommunications, for espionage or even destructive purposes.”

“Their attacks are not about locking up systems and extracting fast profits,” according to Walsh. “Instead, these are covert, state-sponsored cyber espionage campaigns that use hard-to-detect techniques to get inside critical infrastructure and stay there, potentially for years. They are waiting to steal sensitive data or even disrupt or destroy assets in the event of future conflict with Australia.”

The ASD has warned defenders about the common techniques these state-sponsored threat actors leverage.

Supply chain compromises

The compromise of supply chains can act as a gateway to target networks, according to the ASD. The agency noted, “Cyber supply chain risk management should form a significant component of an organisation’s overall cyber security strategy.”

Living off the land techniques

One of the reasons state-sponsored actors are so difficult to detect, according to the ASD, is that they use “built-in network administration tools to carry out their objectives and evade detection by blending in with normal system and network activities.” These so-called “living off the land” techniques involve waiting to steal information from an organisation’s network.

Cloud techniques

State-sponsored threat actors adapt their techniques to exploit cloud systems for espionage as organisations move to cloud-based infrastructure. The ASD said techniques for accessing an organisation’s cloud services include “brute-force attacks and password spraying to access highly privileged service accounts.”

How to defend against cyber threats

There are some similarities in threat actors’ techniques and the weaknesses in the systems they exploit. The ASD said state-sponsored cyber actors often use previously stolen data, such as network information and credentials from previous cyber security incidents, to further their operations and re-exploit network devices.

Luckily, companies can protect themselves from cyber-attacks. Earlier this year, TechRepublic consolidated expert advice on how businesses can defend themselves against the most common cyber threats, including zero-days, ransomware, and deepfakes. These suggestions included keeping software up-to-date, implementing endpoint security solutions, and developing an incident response plan.
