Silent Push researchers have discovered 45 domains linked to China-linked hacking syndicate Salt Typhoon, some dating back to 2020. The domains were registered with fake US identities and ProtonMail accounts, allegedly designed for long-term access into telecoms and internet providers across over 80 countries.
Researchers also found that Salt Typhoon's domain infrastructure overlaps with that of UNC4841, the group behind the Barracuda exploits, indicating that Chinese espionage operators recycle resources across campaigns, not just malicious domains.
Techopedia interviewed Zach Edwards, Senior Threat Researcher at Silent Push, about the infrastructure’s construction, group coordination, and its significance for defenders.
A Network of Domains Designed for China’s Long-Term Espionage
From systems that manage mobile metadata to those that are utilized for legal wiretapping, Salt Typhoon has a reputation for targeting some of the most delicate components of telecom infrastructure.
Last year, the group breached nine major US telecom providers, including Verizon, AT&T, Lumen Technologies, and Windstream, gaining access to records on over a million mobile users, among them senior government and political figures.
Newly discovered domains reveal Salt Typhoon's persistence in launching sophisticated attacks against telecoms and ISPs. Analysts traced registration trails going back nearly five years and found that, despite the sophistication of its attacks, the group has made consistent mistakes when registering its domains. This highlights the group's preference for long-lived infrastructure and its ability to stay dormant in the background.
Researchers discovered that Salt Typhoon’s registration methods align with UNC4841, possibly due to centralized training teaching similar methods.
Silent Push discovered that many domains were registered with ProtonMail accounts whose names were made of random characters and linked to fake US identities. The strategy blends malicious infrastructure into legitimate records, leaving analysts to sift through a lot of noise.
Where UNC4841 and Salt Typhoon Collide
The exploitation of a zero-day vulnerability (CVE-2023-7102) in Barracuda’s email security gateways, which started in October 2022 and peaked in May and June 2023, immediately springs to mind when UNC4841 is mentioned. Later, the campaign expanded into networks in the public and private sectors.
Silent Push discovered that UNC4841 and Salt Typhoon used comparable procedures while purchasing domains.
Edwards argues that the overlap in infrastructure indicates Chinese APT operators are sharing tools and methods, which, despite the messy attribution process, potentially improves defenders' chances of detecting exposure.
Salt Typhoon’s impact extends beyond US telecoms, as a report by Recorded Future’s Insikt Group links related activity to router exploits in Asia-Pacific universities in 2024 and 2025, indicating the same ecosystem can affect education and research networks.
Domain Trails as a Tool for Defense
One of the few enduring remnants of groups like Salt Typhoon is domain infrastructure. While malware may change overnight, name server information and registration records remain accessible long after campaigns are over.
Edwards emphasized that when APT groups expose operational details such as domain registration information, defenders should focus on the patterns and inconsistencies in those details to map indicators of future attacks (IOFAs), rather than relying solely on indicators of compromise (IOCs).
Silent Push emphasizes the importance of mapping indicators of future attacks (IOFAs) for threat hunters, stating that acquiring active fingerprints for serious threat actors is the future of defense. They urge organizations to review DNS logs from the past five years and check against the 45 domains linked to Salt Typhoon and UNC4841, believing that their fingerprints can help spot potential exposure.
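The retrospective DNS-log check recommended above, as an added example that is not code from Silent Push or Techopedia: it matches historical resolver query-log lines against a domain watchlist on label boundaries (so a lookalike such as notexample-c2-two.test is not a false hit), keeps only entries inside a configurable look-back window, and returns the matches. The watchlist entries, the BIND-style log format and the log lines are constructed placeholders; the 45 published domains are not reproduced here.

```python
import re
from datetime import datetime, timedelta

# Constructed placeholders standing in for the published watchlist (assumption:
# the real list is loaded from the Silent Push report, not typed in here).
WATCHLIST = {"example-c2-one.test", "example-c2-two.test"}

# Constructed sample lines in a BIND-style query-log format (assumed layout).
SAMPLE_LOG = """\
01-Mar-2021 10:15:02.113 client 10.0.0.5#53211: query: mail.EXAMPLE-C2-ONE.test IN A +
02-Mar-2021 11:01:44.900 client 10.0.0.7#40211: query: www.microsoft.com IN A +
15-Jul-2019 09:00:00.000 client 10.0.0.9#51000: query: example-c2-two.test IN A +
03-Sep-2024 08:22:10.500 client 10.0.0.12#60101: query: notexample-c2-two.test IN A +
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def matches_watchlist(qname, watchlist):
    """Return the watchlisted domain that qname equals or is a subdomain of, else None.
    Matching is case-insensitive and on label boundaries, so 'notexample-c2-two.test'
    does not match 'example-c2-two.test'."""
    q = qname.lower().rstrip(".")
    for domain in watchlist:
        if q == domain or q.endswith("." + domain):
            return domain
    return None


def hunt(log_text, watchlist, now, years=5):
    """Scan query-log text and return hits within the last `years` years."""
    cutoff = now - timedelta(days=365 * years)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the hunt
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        if ts < cutoff:
            continue
        matched = matches_watchlist(m["qname"], watchlist)
        if matched:
            hits.append({"time": ts, "client": m["client"],
                         "qname": m["qname"], "matched": matched})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG, WATCHLIST, datetime(2025, 9, 1)):
        print(hit)
```

Widening the window (for example `years=7`) also surfaces the 2019 entry, which is the kind of dormant, long-lived contact the researchers describe.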
The Bottom Line
Salt Typhoon’s long-lived domains demonstrate a durable operation, while its overlap with UNC4841 suggests Chinese espionage groups utilize the same infrastructure pool across campaigns.
The researchers emphasize the importance of continuity in espionage, as long-term traces can indicate future activity. Tracking infrastructure construction and reuse provides a clearer threat landscape view, enabling security teams to prepare for future threats.
FAQs
Silent Push found 45 domains with recurring patterns, the majority of which had never been documented before.
Long-lasting DNS and registration traces left by domains aid security teams in identifying potential vulnerabilities.
Analysts advise comparing DNS logs from 2019 to the present with the 45 domains that Silent Push made public.