State-sponsored hackers backed by Beijing have breached multiple U.S. internet service providers (ISPs) in a cyber espionage campaign aimed at extracting sensitive information, according to a report by The Wall Street Journal.
The cyberattacks have been linked to a threat group Microsoft identifies as Salt Typhoon, also known as FamousSparrow and GhostEmperor.
“Investigators are looking into whether the attackers compromised Cisco Systems routers, critical components that direct much of internet traffic,” the report stated, citing sources familiar with the investigation.
The primary objective of the campaign is to establish a lasting presence within the networks of targeted organizations, allowing the attackers to gather sensitive data or potentially launch destructive cyberattacks.
GhostEmperor was first exposed in October 2021 by Russian cybersecurity firm Kaspersky, which uncovered its stealthy campaign in Southeast Asia using a rootkit called Demodex.
The group’s targets have included major organizations in Malaysia, Thailand, Vietnam, and Indonesia, as well as entities in Egypt, Ethiopia, and Afghanistan.
In July 2024, cybersecurity firm Sygnia disclosed that an unnamed client had been compromised by the group in 2023, enabling it to infiltrate a business partner’s network. “During the investigation, several compromised systems were found communicating with command-and-control servers using a variant of the Demodex tool,” Sygnia noted.
This report comes shortly after the U.S. government dismantled a botnet of 260,000 devices, known as Raptor Train, controlled by another Chinese state-sponsored group called Flax Typhoon.
These incidents highlight a continued pattern of Chinese-backed cyberattacks targeting telecommunications, ISPs, and critical infrastructure sectors.