Threat hunters recently identified 45 previously unreported domains linked to Salt Typhoon, a China-backed hacking group. Some of these domains were created as early as May 2020, which indicates that the group's espionage infrastructure predates the 2024 telecom attacks by years. The oldest, onlineeylity[.]com, was registered on May 19, 2020, under a fake registrant name, Monica Burch, with a false Los Angeles address.
Salt Typhoon’s Sneaky Tactics
Since 2019, Salt Typhoon, also tracked as UNC4841, has targeted sensitive systems. The group exploited CVE-2023-2868, a critical flaw (severity score 9.8) in Barracuda Email Security Gateway appliances, to gain access to email. Silent Push, the cybersecurity firm behind the research, also noted that these domains resolve to high-density IP addresses, meaning IPs that host many websites, while some of the lower-density IP usage dates back to October 2021.
Links to Other Hacking Groups
Salt Typhoon overlaps in methods with activity clusters tracked as Earth Estries, FamousSparrow, GhostEmperor, and UNC5807. In 2024, for instance, the group targeted U.S. telecom companies, focusing on critical systems. Moreover, 16 of the domains were registered with Proton Mail addresses tied to fake registrant details, a deliberate effort to obscure who was behind the infrastructure.
Implications for Global Cybersecurity
This exposure of 45 previously unreported Salt Typhoon domains serves as a wake-up call for organizations worldwide, especially those in high-risk sectors such as telecommunications and government. The longevity of the campaign, spanning from 2019 to the present, highlights the persistent nature of state-sponsored cyber threats from actors like Salt Typhoon.
Experts at Silent Push urge immediate action: “As such, we strongly urge any organization that believes itself to be at risk of Chinese espionage to search its DNS logs for the past five years for requests to any of the domains in our archive feed, or their subdomains. It would also be prudent to check for requests to any of the listed IP addresses, particularly during the time periods in which this actor operated them.”
Protecting Against These Threats
This discovery highlights the danger of China-linked cyber threats. Silent Push advises searching DNS logs from the past five years for requests to these domains, their subdomains, or the listed IP addresses, with the IP checks being most meaningful during the periods the actor operated them. Organizations should also:
- Update systems to fix vulnerabilities like CVE-2023-2868.
- Monitor for requests to subdomains of the listed domains or to the listed IPs.
- Share threat information to stay ahead of hackers.
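The retrospective DNS-log search described above is straightforward to automate. The following is an added example, not Silent Push tooling or part of the original report: it matches log entries against a domain list on label boundaries (so that subdomains of a listed domain hit but look-alike names such as notonlineeylity.com do not) and against an IP list only inside each IP's operating window. The log line format, the feed structure, every IP address and every timestamp are constructed for the example; onlineeylity[.]com is the one domain the article names, and the other indicator is a placeholder.

```python
"""Scan DNS query logs for requests to listed domains (or their subdomains)
and for answers pointing at listed IPs during the windows an actor used them.

Illustrative example only. Log format, feed layout, IPs and timestamps are
constructed; onlineeylity[.]com is taken from the article, the rest are
placeholders (RFC 5737 test ranges).
"""
from datetime import datetime, timezone
from ipaddress import ip_address
from typing import Iterable, List, Tuple

# Constructed indicator feed. Domains are "defanged" ([.]) as threat reports
# usually print them; they are refanged before matching.
DOMAIN_INDICATORS = [
    "onlineeylity[.]com",         # named in the article (registered 2020-05-19)
    "example-placeholder[.]net",  # placeholder, not a real indicator
]

# Constructed IP windows: (ip, first_seen, last_seen), dates in UTC.
# Hits on an IP outside its window are ignored, since shared hosting IPs
# serve unrelated sites before and after an actor uses them.
IP_INDICATORS = [
    ("203.0.113.10", "2021-10-01", "2022-03-31"),   # TEST-NET-3 placeholder
    ("198.51.100.25", "2023-05-01", "2023-08-31"),  # TEST-NET-2 placeholder
]

# Constructed sample log: "<ISO-8601 UTC> <client> <qname> <answer>".
SAMPLE_LOG = """\
# constructed sample, not real traffic
2021-11-03T09:15:22Z 10.0.0.5 mail.onlineeylity.com 203.0.113.10
2021-11-03T09:16:02Z 10.0.0.7 notonlineeylity.com 192.0.2.1
2022-06-14T12:00:00Z 10.0.0.9 cdn.example.org 203.0.113.10
2023-06-01T08:30:00Z 10.0.0.5 updates.example.org 198.51.100.25
2023-06-01T08:31:00Z 10.0.0.5 www.example.org NXDOMAIN
"""


def refang(domain: str) -> str:
    """Turn 'foo[.]com' back into 'foo.com', normalised for comparison."""
    return domain.replace("[.]", ".").lower().rstrip(".")


def matches_domain(query: str, indicator: str) -> bool:
    """True if query equals the indicator or is a subdomain of it.
    Compared on label boundaries, so 'notonlineeylity.com' is not a hit."""
    q = query.lower().rstrip(".")
    return q == indicator or q.endswith("." + indicator)


def parse_log_line(line: str) -> Tuple[datetime, str, str, str]:
    """Parse one constructed-format line into (timestamp, client, qname, answer)."""
    ts, client, qname, answer = line.split()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, client, qname, answer


def scan(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return hits as (kind, client, qname, matched_indicator) tuples."""
    domains = [refang(d) for d in DOMAIN_INDICATORS]
    windows = []
    for ip, start, end in IP_INDICATORS:
        first = datetime.fromisoformat(start).replace(tzinfo=timezone.utc)
        last = datetime.fromisoformat(end + "T23:59:59").replace(tzinfo=timezone.utc)
        windows.append((ip_address(ip), first, last))

    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        when, client, qname, answer = parse_log_line(line)
        for d in domains:
            if matches_domain(qname, d):
                hits.append(("domain", client, qname, d))
        try:
            answer_ip = ip_address(answer)
        except ValueError:
            continue  # NXDOMAIN, CNAME targets etc. carry no IP to check
        for ip, first, last in windows:
            if answer_ip == ip and first <= when <= last:
                hits.append(("ip", client, qname, str(ip)))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)
```

On the constructed sample this yields three hits: a domain hit and an in-window IP hit for the mail.onlineeylity.com query, and an IP hit for the June 2023 answer; the look-alike name, the out-of-window IP and the NXDOMAIN line produce nothing. For real logs, replace the feed lists with the published archive feed and adapt parse_log_line to the resolver's format; the label-boundary and time-window logic is what keeps the search from drowning in false positives on shared hosting IPs.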
In conclusion, these 45 domains reveal Salt Typhoon’s long-running espionage. Therefore, telecoms and governments must act fast to strengthen cybersecurity defenses against such advanced threats.