- Silent Push uncovered 45 domains used by Chinese APT groups for prolonged cyber-espionage
- Domains were registered under false identities and linked to low-density IPs used for stealthy C2 operations
- Organizations are encouraged to review five years of DNS logs for signs of compromise
Security researchers recently found 45 domains, some of them years old, used as part of Salt Typhoon cyber-espionage campaigns.
Earlier this week, cybersecurity firm Silent Push released an in-depth report after discovering a few dozen previously unreported domains that were part of the command and control (C2) infrastructure used by Chinese APT groups to maintain long-term, stealthy access to compromised systems.
In addition to Salt Typhoon, a group tracked as UNC4841 also used the same domains, which enabled the attackers to manage malware, exfiltrate data and persist inside networks without detection.
Check DNS Log Files
By analyzing WHOIS and SOA records, Silent Push traced the domains back to May 2020; some were registered using fake personas such as Shawn Francis or Monica Burch. Others were registered using ProtonMail addresses, often with non-existent US postal addresses.
Some domains spoofed legitimate sites, such as newhkdaily[dot]com, which may have been used for psychological operations or propaganda, the researchers emphasized.
“The domains go back several years, with the oldest registration activity occurring in May 2020, which further confirms that the Salt Typhoon attack from 2024 was not the first activity performed by this group,” they said in the report.
Silent Push also said the domains shared low-density IP addresses, meaning the IPs hosted very few other domains and were probably dedicated to malicious activity.
The company is now urging all organizations to search their DNS logs and telemetry data, going back five years, for any signs of activity involving the 45 newly identified domains or their subdomains.
That includes looking for DNS requests for any of the listed domains, connections to the associated IP addresses (especially during the periods the domains were active), and patterns matching the low-density IP infrastructure described in the report.
Although the infrastructure is probably no longer active, historical DNS data may reveal past compromises or ongoing persistence, and organizations that find matches can take steps to investigate, contain and remediate any lingering threats.
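As an added example of the DNS-log review described above (not code from the report or from Silent Push), the following script refangs a watchlist of indicators, matches DNS query names against it on label boundaries so that subdomains hit but look-alike names do not, and filters hits to a five-year window. The log format and all sample lines are constructed; the watchlist holds the one domain named in this article plus a placeholder standing in for the rest of the report's list.

```python
import re
from datetime import datetime
from typing import List, Optional

# Watchlist in the defanged form reports use. Only newhkdaily[dot]com is from
# the article; the second entry is a constructed placeholder, not a real IoC.
WATCHLIST_RAW = ["newhkdaily[dot]com", "c2-placeholder-example[.]net"]

def refang(indicator: str) -> str:
    """Turn defanged notation ([dot] or [.]) back into a normal domain name."""
    return re.sub(r"\[(?:dot|\.)\]", ".", indicator.strip().lower()).rstrip(".")

WATCHLIST = {refang(d) for d in WATCHLIST_RAW}

def matches_watchlist(qname: str) -> Optional[str]:
    """Return the watchlist domain that qname equals or is a subdomain of.
    The check is on label boundaries, so 'notnewhkdaily.com' is not a hit."""
    q = qname.lower().rstrip(".")
    for d in WATCHLIST:
        if q == d or q.endswith("." + d):
            return d
    return None

def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

# Constructed sample log: "<timestamp> <client> <qname> <qtype>" per line.
SAMPLE_LOG = """\
2023-03-14T09:12:01Z 10.0.0.5 www.newhkdaily.com A
2023-03-14T09:12:05Z 10.0.0.5 notnewhkdaily.com A
2024-07-01T22:40:13Z 10.0.0.9 mail.c2-placeholder-example.net MX
2021-01-09T03:00:00Z 10.0.0.7 intranet.example.org A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def scan_dns_log(text: str, since: str) -> List[dict]:
    """Return queries at or after `since` whose name matches the watchlist."""
    cutoff, hits = parse_ts(since), []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        ts, client, qname, qtype = m.groups()
        if parse_ts(ts) < cutoff:
            continue
        ind = matches_watchlist(qname)
        if ind:
            hits.append({"time": ts, "client": client, "qname": qname, "indicator": ind})
    return hits

if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_LOG, "2020-05-01T00:00:00Z"):
        print(h)
```

In a real review, replace SAMPLE_LOG with exported resolver or EDR DNS telemetry and WATCHLIST_RAW with the full list from the report; the look-alike line shows why suffix matching must respect the dot boundary.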
Via The Hacker News