Threat hunters have discovered a set of previously unreported domains, some going back to May 2020, that are associated with China-linked threat actors Salt Typhoon and UNC4841.
“The domains date back several years, with the oldest registration activity occurring in May 2020, further confirming that the 2024 Salt Typhoon attacks were not the first activity carried out by this group,” Silent Push said in a new analysis shared with The Hacker News.
The identified infrastructure, totaling 45 domains, has also been identified as sharing some level of overlap with another China-associated hacking group tracked as UNC4841, which is best known for its zero-day exploitation of a security flaw in Barracuda Email Security Gateway (ESG) appliances (CVE-2023-2868, CVSS score: 9.8).
Salt Typhoon, active since 2019, drew widespread attention last year for its targeting of telecommunications services providers in the U.S. Believed to be operated by China’s Ministry of State Security (MSS), the threat cluster shares similarities with activities tracked as Earth Estries, FamousSparrow, GhostEmperor, and UNC5807.
Silent Push said it identified three Proton Mail email addresses that were used to register as many as 16 domains with non-existent addresses.
Further examination of the IP addresses related to the 45 domains has revealed that many of these domains pointed to high-density IP addresses. These refer to IP addresses to which a high number of hostnames currently point, or have pointed in the past. Of those that pointed to low-density IP addresses, the earliest activity goes back to October 2021.
The oldest domain identified as being part of China-backed cyber espionage campaigns is onlineeylity[.]com, registered on May 19, 2020, by a fake persona named Monica Burch, who claims to reside at 1294 Koontz Lane in Los Angeles, California.
“As such, we strongly urge any organization that believes itself to be at risk of Chinese espionage to search its DNS logs for the past five years for requests to any of the domains in our archive feed, or their subdomains,” Silent Push said.
“It would also be prudent to check for requests to any of the listed IP addresses, particularly during the time periods in which this actor operated them.”
