Game of Emperor: Revealing Long-Term Cyberattacks on Earth
Summary

  • Earth Estries, a Chinese APT group, has been targeting critical sectors such as telecommunications and government agencies in the US, the Asia-Pacific region, the Middle East and South Africa since 2023.
  • The group uses advanced attack techniques and multiple backdoors, including GHOSTSPIDER, SNAPPYBEE and MASOL RAT, and has affected several Southeast Asian telecommunications companies and government entities.
  • Earth Estries exploits vulnerabilities in public-facing servers to gain initial access and uses living-off-the-land binaries (LOLBins) for lateral movement within networks, deploying malware and conducting long-term espionage.
  • The group has compromised over 20 organizations across sectors including the telecommunications, technology, consulting, chemical and transportation industries, as well as government agencies and NGOs, in numerous countries.
  • Earth Estries uses a complex C&C infrastructure managed by different teams, and its operations often overlap with the TTPs of other well-known Chinese APT groups, suggesting the possible use of shared tools from malware-as-a-service providers.

Since 2023, Earth Estries (also known as Salt Typhoon, FamousSparrow, GhostEmperor and UNC2286) has become one of the most aggressive Chinese APT (Advanced Persistent Threat) groups, primarily targeting critical industries such as telecommunications and government agencies in the US, the Asia-Pacific region, the Middle East and South Africa. In this blog post, we highlight their evolving attack techniques, analyze the motivation behind their operations, and provide insights into their long-term targeted attacks.

A key finding of our recent investigation is the discovery of a new backdoor, GHOSTSPIDER, identified in attacks on Southeast Asian telecommunications companies. We examine the technical details of GHOSTSPIDER, its impact across multiple countries, and notable findings from tracking its command-and-control (C&C) infrastructure. We also uncovered the group’s use of the SNAPPYBEE modular backdoor (also known as Deed RAT), another tool shared among Chinese APT groups.

Additionally, we discovered that Earth Estries is using another cross-platform backdoor that we first identified during our 2020 investigation into incidents affecting Southeast Asian governments. We named it MASOL RAT after its PDB string. Because of limited information, we were unable to attribute MASOL RAT to any known threat group at the time. This year, however, we observed Earth Estries deploying MASOL RAT on Linux devices in Southeast Asian government networks. Further details about MASOL RAT can be found in this blog entry.

We also recently became aware that Microsoft tracks the APT groups FamousSparrow and GhostEmperor under the name Salt Typhoon. However, we do not have sufficient evidence linking Earth Estries to the recently reported Salt Typhoon attacks, as we have not seen a detailed report on Salt Typhoon. At this time, we can only confirm that some of Earth Estries’ Tactics, Techniques and Procedures (TTPs) overlap with those of FamousSparrow and GhostEmperor.

Motivation

We have observed Earth Estries conducting sustained attacks on governments and internet service providers since 2020. In mid-2022, we found that the attackers had also begun targeting government service providers and telecommunications companies. In 2023, for example, we found that they also targeted consulting firms and NGOs that work with the US federal government and military. The attackers use this approach to gather information more efficiently and to reach their primary targets more quickly.

In particular, we observed that the attackers targeted not only a telecommunications company’s critical services (such as database servers and cloud servers), but also the network of one of its vendors. We discovered that they had installed the DEMODEX rootkit on that vendor’s machines. The vendor is a prime contractor for the region’s largest telecommunications provider, and we believe the attackers are using this approach to facilitate access to more targets.

Victimology

We discovered that Earth Estries successfully compromised more than 20 organizations in sectors including the telecommunications, technology, consulting, chemical and transportation industries, as well as government agencies and non-governmental organizations (NGOs). The victims were located in numerous countries, including:

  • Afghanistan
  • Brazil
  • Eswatini
  • India
  • Indonesia
  • Malaysia
  • Pakistan
  • The Philippines
  • South Africa
  • Taiwan
  • Thailand
  • US
  • Vietnam