Suspected Salt Typhoon Spies Lurking in European Telco
upstart writes:
It's Typhoon season... year round:
China's Salt Typhoon gang appears to have successfully attacked a European telecommunications firm, according to security researchers at Darktrace.
Salt Typhoon is an espionage gang linked to the People's Republic of China that hacked America's major telecommunications firms and stole metadata and other information belonging to "nearly every American," according to a top FBI cyber official who spoke with The Register about the intrusions.
The crew's actions against US telcos came to light last year; however, it has been active since at least 2019 using tactics including exploiting edge devices, planting backdoors for stealthy, long-term network access, and stealing sensitive data across more than 80 countries.
Today's Darktrace report is the latest indication that Salt Typhoon is still actively targeting high-value networks and using stealthy techniques to avoid being caught.
In the European telco intrusion described by Darktrace, the suspected spies exploited a buggy Citrix NetScaler Gateway appliance in the first week of July 2025 to gain access to the telecom's network, according to the AI-powered security shop's research team.
While Darktrace doesn't say which flaw(s) the suspected Chinese snoops abused to break in, Citrix had a busy summer patching security holes in its NetScaler Gateway products that had already been found and exploited by attackers.
"We didn't confirm which one," Nathaniel Jones, field CISO and VP of security and AI strategy at Darktrace, told The Register. "Given the timing, defenders were concurrently patching recent NetScaler flaws (e.g., CVE-2025-5349, CVE-2025-5777 in June)."
[...] After compromising the Citrix NetScaler appliance, the Salt Typhoon miscreants pivoted to Citrix Virtual Delivery Agent (VDA) hosts in the client's Machine Creation Services (MCS) subnet component. "Initial access activities in the intrusion originated from an endpoint potentially associated with the SoftEther VPN service, suggesting infrastructure obfuscation from the outset," Darktrace's threat hunters wrote in a Monday blog.