Cybersecurity researchers at Silent Push have discovered 45 domains connected to the China-linked hacking group known as Salt Typhoon, with some registrations dating back to 2020. These domains, often registered using fake U.S. identities and ProtonMail accounts, were designed to maintain long-term access to telecommunications companies (telecoms) and internet service providers (ISPs) across more than 80 countries worldwide.
The investigation also revealed overlaps with another Chinese espionage group, UNC4841, suggesting that Advanced Persistent Threat (APT) groups frequently reuse infrastructure, tools, and tactics across multiple cyber-espionage campaigns. This overlap provides valuable intelligence for cybersecurity professionals seeking to identify and counter long-term threats.
Salt Typhoon: A Persistent Espionage Threat
Salt Typhoon is known for its targeted attacks on telecom infrastructure, particularly systems that handle mobile network metadata and lawful interception. By compromising these networks, attackers can access sensitive communications, internal data, and surveillance records.
In 2023, Salt Typhoon reportedly breached nine major U.S. telecom providers, exposing records of over one million mobile users, including senior government officials and political figures. High-profile targets included Verizon, AT&T, Lumen Technologies, and Windstream, underscoring the national security risks posed by this group.
These incidents demonstrate Salt Typhoon’s ability to operate undetected for extended periods, maintaining persistence within critical systems while avoiding traditional cybersecurity defenses.
Long-Lived and Stealthy Domain Infrastructure
Silent Push’s analysis of the 45 domains revealed that Salt Typhoon depends heavily on long-term domain infrastructure to support its espionage activities. The group’s domain registrations span nearly five years, showcasing a preference for persistent, stealth-based operations instead of short, high-intensity attacks.
Key Findings:
- Use of Fake Identities and ProtonMail: Domains were registered with randomly generated ProtonMail accounts linked to fabricated U.S. identities, making attribution more difficult.
- Persistence Over Perfection: Despite occasional registration errors, Salt Typhoon’s focus remains on maintaining durable infrastructure rather than creating disposable domains.
- Blending with Legitimate Records: The group cleverly integrates malicious domains into legitimate network data, complicating detection for cybersecurity analysts.
Overlap Between Salt Typhoon and UNC4841
Further research identified notable infrastructure overlaps between Salt Typhoon and UNC4841, another China-linked threat actor infamous for exploiting the Barracuda Email Security Gateway zero-day vulnerability (CVE-2023-7102).
According to Zach Edwards, Senior Threat Researcher at Silent Push, these similarities suggest shared resources, training, and operational standards among Chinese APT groups, providing potential detection opportunities even when direct attribution is uncertain.
Shared Tactics Include:
- Domain Acquisition Strategies: Both groups register domains using anonymous ProtonMail accounts and fake credentials.
- Coordinated Operations: The similarities point to centralized infrastructure sharing and standardized methods, enabling both groups to scale global espionage operations efficiently.
Global Reach Beyond U.S. Targets
Salt Typhoon’s campaigns extend far beyond the United States. According to Recorded Future’s Insikt Group, related activities were identified in Asia-Pacific universities between 2024 and 2025, where the group exploited router infrastructure to infiltrate academic and research networks.
This demonstrates Salt Typhoon’s cross-sector and cross-border capabilities, targeting not only telecom providers but also education and research institutions, underscoring the global reach of Chinese cyber-espionage campaigns.
Why Domain Infrastructure Matters
Unlike malware—which can be quickly replaced—domain infrastructure leaves lasting digital footprints, such as DNS records and registration data. These traces are crucial for defenders because they offer Indicators of Future Attacks (IOFAs), helping predict and prevent threats before they escalate, rather than relying solely on traditional Indicators of Compromise (IOCs).
Edwards notes that organizations should analyze patterns and consistencies in domain registrations. By reviewing historical DNS logs and cross-referencing them with the 45 known Salt Typhoon domains, defenders can uncover early warning signs of infiltration.
Impact on Telecoms and ISPs
Salt Typhoon’s focus on telecom infrastructure poses a serious and ongoing threat to ISPs and mobile network operators. The group’s use of fake identities and persistent domains allows it to blend malicious traffic with legitimate operations, making detection far more difficult.
Key Risks:
- Long-Term Infiltration: Attackers can maintain covert access for years, jeopardizing both network security and user privacy.
- Global Disruption: Beyond telecoms, the same infrastructure can target universities, research labs, and public institutions, amplifying the scope of the threat.
To counter these risks, experts recommend continuous DNS monitoring, behavioral anomaly detection, and international threat intelligence sharing.
Enhancing Defensive Strategies
By studying the shared infrastructure and tactics between Salt Typhoon and UNC4841, cybersecurity teams can strengthen their threat detection and response frameworks. Identifying operational fingerprints—such as domain naming conventions, registrar patterns, and email usage—can reveal ongoing or emerging campaigns.
Recommended Actions:
- Prioritize IOFAs: Focus on detecting future attack patterns rather than only reacting to past breaches.
- Track Historical Infrastructure: Maintain databases of domain and DNS activity spanning several years.
- Encourage Cross-Sector Collaboration: Cooperation among telecoms, universities, and security firms is essential to counter large-scale APT operations.
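As an added example (not code from the Silent Push report or from this article), the following Python script implements the two defensive checks described above: sweeping historical DNS query logs for queries to known Salt Typhoon domains or their subdomains, and grouping WHOIS-style registration records by registrar and mailbox pattern to surface the registration fingerprint the article describes (random ProtonMail mailboxes paired with fabricated identities). The domains, log lines, WHOIS records and registrar names are constructed placeholders under the reserved .test TLD; the 45 real domains are listed only in the Silent Push report. The log line format and the WHOIS field names are assumptions, so the regular expression and record keys would be adapted to your resolver and WHOIS source.

```python
"""Added example: DNS-log watchlist sweep plus registration-fingerprint grouping.
Everything below (domains, log lines, WHOIS records, registrar names) is constructed."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

# Constructed stand-ins for the watchlist; the report's real domains are not on this page.
WATCHLIST = {"telco-sync-portal.test", "netstat-cloud-api.test"}

# Constructed resolver log lines in an assumed key=value layout (adapt LOG_RE to yours).
SAMPLE_LOG = """\
2024-03-12T08:15:02Z client=10.0.5.21 query=www.example.com type=A
2024-03-12T08:15:09Z client=10.0.5.21 query=update.telco-sync-portal.test type=A
2024-03-12T08:16:44Z client=10.0.7.3 query=TELCO-SYNC-PORTAL.TEST. type=AAAA
2021-06-01T12:00:00Z client=10.0.9.9 query=netstat-cloud-api.test type=A
2019-08-20T03:00:00Z client=10.0.9.9 query=netstat-cloud-api.test type=A
this line is corrupted and must be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\s+client=(?P<client>\S+)\s+"
    r"query=(?P<qname>\S+)\s+type=(?P<qtype>\S+)$"
)


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'FOO.TEST.' equals 'foo.test'."""
    return name.lower().rstrip(".")


def watched_parent(qname: str, watchlist: set[str]) -> str | None:
    """Return the watchlist entry that qname equals or is a subdomain of, else None."""
    q = normalize(qname)
    for w in watchlist:
        w = normalize(w)
        if q == w or q.endswith("." + w):
            return w
    return None


def parse_line(line: str) -> dict | None:
    """Parse one log line; return None for lines that do not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    return rec


def find_hits(lines, watchlist: set[str], since: str | None = None) -> list[dict]:
    """Return every query at or after `since` (ISO date) that touches a watched domain."""
    cutoff = datetime.fromisoformat(since) if since else None
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip it rather than abort a multi-year sweep
        if cutoff and rec["ts"] < cutoff:
            continue
        parent = watched_parent(rec["qname"], watchlist)
        if parent:
            hits.append({"ts": rec["ts"].isoformat(), "client": rec["client"],
                         "qname": normalize(rec["qname"]), "matched": parent})
    return hits


# Constructed WHOIS-style records. Field names are an assumption about the WHOIS source.
WHOIS_RECORDS = [
    {"domain": "telco-sync-portal.test", "registrar": "Registrar-A",
     "registrant_email": "qz8k2m1v@protonmail.com"},
    {"domain": "netstat-cloud-api.test", "registrar": "Registrar-A",
     "registrant_email": "r7tp0x4n@protonmail.com"},
    {"domain": "corp-benign-site.test", "registrar": "Registrar-B",
     "registrant_email": "hostmaster@corp-benign-site.test"},
]

# A mailbox name of 8+ mixed letters and digits with no words is treated as random-looking.
RANDOM_LOCAL = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{8,}$")


def looks_random(local_part: str) -> bool:
    return RANDOM_LOCAL.match(local_part.lower()) is not None


def registration_fingerprints(records, min_size: int = 2) -> dict[tuple, list[str]]:
    """Group domains by (registrar, mail provider, random-looking mailbox); keep clusters."""
    groups: dict[tuple, list[str]] = defaultdict(list)
    for r in records:
        local, _, provider = r["registrant_email"].lower().partition("@")
        groups[(r["registrar"], provider, looks_random(local))].append(r["domain"])
    return {k: v for k, v in groups.items() if len(v) >= min_size}


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG.splitlines(), WATCHLIST, since="2020-01-01"):
        print("HIT", hit)
    for key, domains in registration_fingerprints(WHOIS_RECORDS).items():
        print("FINGERPRINT", key, domains)
```

The sweep normalizes case and trailing dots and matches subdomains as well as exact names, since a query for a host under an attacker-controlled apex is still a contact with that infrastructure. The fingerprint grouping is deliberately coarse: a cluster of domains sharing one registrar, one webmail provider and random-looking mailbox names is a lead for an analyst to confirm against the published domain list, not a verdict on its own.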
Conclusion: Persistent Threats, Global Lessons
The Silent Push report on Salt Typhoon’s domain network exposes a highly organized and enduring cyber-espionage operation. The overlap with UNC4841 reinforces the idea that China-linked APT actors depend on shared tools and infrastructure to sustain their global operations.
Key Takeaways:
- APT Strategy: Advanced hackers favor long-term domain persistence over short-term attacks.
- Defense Focus: Security teams must analyze historical DNS data and registration trends to identify risks early.
- Global Collaboration: Combating these threats requires international cooperation and shared intelligence across industries.
Salt Typhoon’s global footprint is a stark reminder that cyber-espionage transcends borders—and that persistent, proactive defense is the only sustainable path forward.
FAQs
Q1: What did Silent Push discover about Salt Typhoon?
A: Researchers identified 45 previously undocumented domains, many registered using fake U.S. identities and ProtonMail accounts, linked to long-term espionage campaigns.
Q2: Why is domain infrastructure important for defense?
A: DNS records and registration logs provide long-term insight into potential attacks, helping organizations act proactively rather than reactively.
Q3: How can organizations check if they were targeted?
A: Analysts recommend reviewing DNS logs from 2019 onward and comparing them with the 45 domains identified by Silent Push to detect potential exposure.