Threat Hunt: Salt Typhoon

Learn about Salt Typhoon, a state-sponsored Chinese threat actor, and how to protect your organisation from its advanced cyber-espionage tactics.

Introduction – Salt Typhoon

Salt Typhoon is a state-sponsored Chinese threat actor. Emerging in 2020, Salt Typhoon is known for highly developed cyber-espionage capabilities. Consistent with its state-sponsored status, Salt Typhoon has been observed specifically targeting US-based infrastructure, including telecommunications.

Capability Breakdown: Salt Typhoon Threat Hunt

Salt Typhoon has demonstrated the following tactics across known intrusions:

  • Abuse of public-facing services for initial access (RDP, VPN, web portals)
  • Establishment of persistence via registry modifications, scheduled tasks, or service creation
  • Command execution using obfuscated scripts and other living-off-the-land methods
  • Use of valid accounts and VPNs to blend in with legitimate user behaviour

The Hypothesis

“Salt Typhoon has been expanding their operations across the globe and have begun to target the APAC region. Orro’s customers represent a wide range of industries and are likely to be (or already have been) targeted in these campaigns. As such, this Salt Typhoon Threat Hunt hypothesises that Salt Typhoon has begun to make inroads within Orro’s customer base.”

Technical Findings

Threat hunting conducted in relation to Salt Typhoon was focused on both initial access and activities conducted if a breach had occurred. This was aimed at giving the best chance to uncover evidence of a breach and/or a latent adversary dwelling within the information technology infrastructure. The findings were as follows:

Logon Activity

Logon activity to the local system from non-local sources was examined. This focused on remote systems holding rights to log on directly and access resources in the local network. Generally speaking, users go through a logon process (e.g. via Entra or a VPN) in order to gain access, as opposed to being able to log on directly from outside the network. No suspicious logon activity in this regard was found during the Salt Typhoon Threat Hunt.
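The check described above, as an added example that is not part of the Orro hunt: it walks Windows Security logon records (field names follow the 4624/4625 event conventions, the sample records are constructed) and surfaces remote-type logons whose source address lies outside an assumed internal range set.

```python
import ipaddress
from collections import defaultdict

# Ranges treated as "local" for this example; an assumption to adjust per environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]
# 4624 logon types that mean the session originated on another host.
REMOTE_LOGON_TYPES = {3: "Network (SMB/RPC)", 10: "RemoteInteractive (RDP)"}

# Constructed Security event records (4624 = success, 4625 = failure); not data from the hunt.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "svc_backup", "LogonType": 3, "IpAddress": "10.20.4.15"},
    {"EventID": 4624, "TargetUserName": "jdoe", "LogonType": 10, "IpAddress": "203.0.113.44"},
    {"EventID": 4624, "TargetUserName": "admin", "LogonType": 2, "IpAddress": "-"},
    {"EventID": 4624, "TargetUserName": "svc_sql", "LogonType": 3, "IpAddress": "198.51.100.7"},
    {"EventID": 4624, "TargetUserName": "jdoe", "LogonType": 10, "IpAddress": "192.168.1.50"},
    {"EventID": 4625, "TargetUserName": "administrator", "LogonType": 10, "IpAddress": "203.0.113.44"},
    {"EventID": 4625, "TargetUserName": "administrator", "LogonType": 10, "IpAddress": "203.0.113.44"},
]

def is_external(ip_text):
    """True when the source address parses and lies outside every internal range."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:          # "-" means Windows recorded no network source
        return False
    return not any(addr in net for net in INTERNAL_NETS)

def external_remote_logons(events):
    """Successful remote-type logons whose source is outside the local network."""
    return [
        {"user": ev["TargetUserName"], "source": ev["IpAddress"],
         "type": REMOTE_LOGON_TYPES[ev["LogonType"]]}
        for ev in events
        if ev["EventID"] == 4624 and ev["LogonType"] in REMOTE_LOGON_TYPES
        and is_external(ev["IpAddress"])
    ]

def external_sources(events):
    """Per external source IP: successes, failures and accounts touched, for triage."""
    summary = defaultdict(lambda: {"success": 0, "failed": 0, "accounts": set()})
    for ev in events:
        if ev["LogonType"] in REMOTE_LOGON_TYPES and is_external(ev["IpAddress"]):
            key = "success" if ev["EventID"] == 4624 else "failed"
            summary[ev["IpAddress"]][key] += 1
            summary[ev["IpAddress"]]["accounts"].add(ev["TargetUserName"])
    return dict(summary)
```

A source that shows failures against one account followed by a success on another is the pattern worth pulling into a case first.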

VPN Authentication

VPN authentication (where logs were available) was examined to determine whether any malicious logons had occurred. VPN logons, whether attempted or successful, are among the most common initial access methods used by threat actors, especially where the VPN lacks multi-factor authentication (MFA).

Firewall Traffic

Firewall traffic – including denied traffic – was inspected for malicious markers. As part of the threat hunt a number of externally exposed services were examined for both successful and attempted external access. No suspicious logins were found during the course of the hunt. This type of tactic, i.e. abuse of external remote access, is common to all threat actors and is not limited to Salt Typhoon.

It is highly recommended that all external remote access methods enforce mandatory MFA and geo-location restrictions. Access methods that are not in use, e.g. external RDP (port 3389), should be completely blocked so they cannot be used as attack vectors under any circumstance.

Scheduled Tasks

An examination of scheduled tasks was undertaken. Salt Typhoon uses Scheduled Tasks as a means of persistence once initial access to a system has been obtained. The Salt Typhoon Threat Hunt examined scheduled tasks created and actioned over the period. This investigation identified a number of scheduled tasks, however, no malicious markers were found.
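A way to triage the scheduled tasks such an examination turns up, as an added example that is not part of the Orro hunt: it parses the task XML carried in constructed event 4698 (task created) records and scores each task on markers the page describes (script interpreters, obfuscated arguments, tasks dropped at the root of the task library). The weights and the interpreter list are assumptions to tune locally.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespace of Task Scheduler XML; event 4698 carries the task body in its TaskContent field.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
OBFUSCATION = re.compile(r"-e(nc(odedcommand)?)?\b|frombase64string|-w(indowstyle)?\s+hidden|"
                         r"\biex\b|invoke-expression", re.I)

def task_xml(command, args):
    """Build a minimal task body; a constructed stand-in for a real TaskContent field."""
    return (f'<Task xmlns="{NS["t"]}"><Actions><Exec><Command>{escape(command)}</Command>'
            f'<Arguments>{escape(args)}</Arguments></Exec></Actions></Task>')

# Constructed 4698 records (the base64 is a placeholder); not data from the hunt.
SAMPLE_4698 = [
    {"SubjectUserName": "SYSTEM", "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": task_xml(r"%windir%\system32\defrag.exe", "-c -h -o -$")},
    {"SubjectUserName": "jdoe", "TaskName": r"\Updater",
     "TaskContent": task_xml("powershell.exe", "-w hidden -enc <base64-placeholder>")},
    {"SubjectUserName": "admin", "TaskName": r"\Maintenance\Cleanup",
     "TaskContent": task_xml("cmd.exe", r"/c del %TEMP%\*.log")},
]

def score_task(record):
    """Score one 4698 record; a higher score means more markers worth an analyst's time."""
    root = ET.fromstring(record["TaskContent"])
    cmd = (root.findtext(".//t:Exec/t:Command", default="", namespaces=NS) or "").strip()
    args = root.findtext(".//t:Exec/t:Arguments", default="", namespaces=NS) or ""
    exe = cmd.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()
    score, reasons = 0, []
    if exe in INTERPRETERS:
        score += 1; reasons.append(f"script interpreter: {exe}")
    if OBFUSCATION.search(args):
        score += 2; reasons.append("obfuscation marker in arguments")
    if record["TaskName"].count("\\") == 1:   # registered directly under the root folder
        score += 1; reasons.append("task registered at root of task library")
    return {"task": record["TaskName"], "creator": record["SubjectUserName"],
            "command": f"{cmd} {args}".strip(), "score": score, "reasons": reasons}

def hunt_scheduled_tasks(records, threshold=2):
    """Return scored records at or above the threshold, most suspicious first."""
    scored = [score_task(r) for r in records]
    return sorted((s for s in scored if s["score"] >= threshold), key=lambda s: -s["score"])
```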

SIEM Detections & Coverage

Based on the above threat hunting activities a number of detections were confirmed as active within the SIEM. These provide coverage against many of the tactics Salt Typhoon has been seen to use in the past:

  • Logon activity – reporting on unusual factors such as MFA interactions, geolocations and other outlier factors;
  • Firewall traffic – detections geared towards providing advance warning of known malicious activity;
  • Scheduled tasks and scripts – alerts designed to identify scripting activities within a given environment.

Conclusion

In conclusion, the hypothesis was not proven: no malicious markers related to Salt Typhoon were found during this Salt Typhoon Threat Hunt.

Protect your infrastructure. Contact Orro for advanced threat hunting services.
