The Evolution of Ghost Emperor, aka Salt Typhoon: It's Time for a New Strategy
No more red lines.
If you follow cybersecurity closely, you’ve probably heard of Ghost Emperor. Also known as Salt Typhoon, FamousSparrow, or UNC2286, this Chinese state-sponsored threat group has quietly become one of the most sophisticated players in the cyber landscape. Over the years, they have evolved from targeting Southeast Asian governments to compromising major U.S. telecommunications companies. With tools like the Demodex rootkit and advanced endpoint detection and response (EDR) evasion techniques, they’ve shown a remarkable ability to persist undetected in critical systems for extended periods.
Major Operations: The Anatomy of a Ghost
Ghost Emperor is not just another Advanced Persistent Threat (APT). Their operations have been both strategic and bold, especially their attacks on U.S. telecom giants such as AT&T, Verizon, and Lumen Technologies. These breaches, discovered in late 2024, allowed them access to sensitive customer data, including call records, and possibly even compromised wiretap systems—a serious threat to U.S. national security.
In September 2024, the Wall Street Journal reported on Salt Typhoon's infiltration of U.S. internet service providers, putting the security of numerous officials at risk. This wasn’t just a wake-up call—it was an alarm bell for the entire industry. Beyond telecommunications, Ghost Emperor has carried out attacks across Southeast Asia, targeting government networks in countries like Malaysia, Thailand, Vietnam, and Indonesia between 2020 and 2021.
Their attacks haven’t been limited to telecoms. Ghost Emperor has also targeted law enforcement communication systems, which could compromise sensitive police operations and investigations. In August 2024, they reappeared with an updated version of their Demodex rootkit, highlighting their commitment to continuously improving their tools and techniques.
State-Sponsored and Here to Stay
There is little doubt that Ghost Emperor is backed by the Chinese government. Evidence shows clear links to China’s Ministry of State Security and collaboration with other Chinese threat groups, like Volt Typhoon and Flax Typhoon. Their operations align perfectly with Chinese strategic interests, making it evident that Salt Typhoon is part of a broader, coordinated effort to expand China’s influence through cyber means.
The Arsenal: Ghost in the Machine
Ghost Emperor’s toolkit is impressively advanced. The Demodex rootkit is one of their key assets—a multi-stage implant that embeds itself deep in the Windows kernel and evades defenses such as Driver Signature Enforcement. Their tooling makes use of legitimate Microsoft utilities, loads functions dynamically at run time, and keeps its configuration encrypted, while disguising its network traffic as multimedia traffic.
To make detection even harder, Ghost Emperor hosts its command-and-control (C2) traffic on Amazon Web Services (AWS) servers. This tactic makes their traffic blend in with legitimate cloud activity, complicating the work of security analysts trying to identify malicious behavior.
Countermeasures: Building Stronger Walls
How do we defend against groups like Ghost Emperor? We need to go beyond basic cybersecurity protections. Advanced endpoint detection and response (EDR) systems are crucial, along with implementing the principle of least privilege to minimize potential damage. Regular penetration tests, better segmentation of network traffic, and consistent employee training to recognize sophisticated phishing tactics are also key defenses.
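The rootkit described above has to get a kernel driver loaded past Driver Signature Enforcement, so one concrete check a defender can add to the measures listed here is an audit of that trust boundary. The following PowerShell script is an added example written for this article, not code from the original post or from any vendor; it assumes an elevated session on Windows 10/11 or Server 2016 and later, and it reports the boot-time signing settings, Secure Boot and HVCI state, and every running kernel driver whose signature does not verify.

```powershell
#Requires -RunAsAdministrator
# Added defender-side check (not code from the article or from any vendor):
# audits the kernel-driver trust controls a Demodex-style rootkit must defeat
# and lists running drivers whose Authenticode/catalog signature does not verify.
# Assumptions: Windows 10/11 or Server 2016+, elevated PowerShell 5.1 or 7.

function Get-DriverSigningPosture {
    [CmdletBinding()]
    param()

    # 1. Boot configuration: "testsigning" or "nointegritychecks" set to Yes
    #    weakens Driver Signature Enforcement and is a strong review signal.
    $bcd = & bcdedit.exe /enum '{current}' 2>$null
    $testSigning       = @($bcd -match '^\s*testsigning\s+Yes').Count -gt 0
    $noIntegrityChecks = @($bcd -match '^\s*nointegritychecks\s+Yes').Count -gt 0

    # 2. Secure Boot. Confirm-SecureBootUEFI throws on legacy BIOS firmware,
    #    which we record as "not available" rather than as a failure.
    try   { $secureBoot = Confirm-SecureBootUEFI }
    catch { $secureBoot = $null }

    # 3. HVCI (memory integrity): SecurityServicesRunning contains 2 when active.
    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                              -ClassName Win32_DeviceGuard -ErrorAction Stop
        $hvci = [bool]($dg.SecurityServicesRunning -contains 2)
    } catch { $hvci = $null }

    # 4. Every running kernel driver: verify its signature. Catalog-signed
    #    inbox drivers still report Status = Valid; anything else is flagged.
    $running = Get-CimInstance Win32_SystemDriver |
               Where-Object { $_.State -eq 'Running' -and $_.PathName }
    $flagged = foreach ($drv in $running) {
        # PathName may carry the NT "\??\" prefix; strip it so Test-Path resolves it.
        $path = $drv.PathName -replace '^\\\?\?\\', ''
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Name = $drv.Name; Path = $path; Status = 'FileMissing'; Signer = $null }
            continue
        }
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Name   = $drv.Name
                Path   = $path
                Status = $sig.Status                  # NotSigned, HashMismatch, UnknownError, ...
                Signer = $sig.SignerCertificate.Subject
            }
        }
    }

    [pscustomobject]@{
        TestSigningEnabled = $testSigning
        NoIntegrityChecks  = $noIntegrityChecks
        SecureBootEnabled  = $secureBoot
        HvciRunning        = $hvci
        FlaggedDrivers     = @($flagged)
    }
}

# Usage: print the posture summary, then any drivers that need analyst follow-up.
$posture = Get-DriverSigningPosture
$posture | Select-Object TestSigningEnabled, NoIntegrityChecks, SecureBootEnabled, HvciRunning | Format-List
$posture.FlaggedDrivers | Format-Table -AutoSize
```

The script deliberately produces a report rather than a verdict: a driver with a non-valid signature, or a host booted with test signing enabled, is a lead for the incident response team to confirm against the organisation's approved-driver inventory, and running it on a schedule across the fleet turns the least-privilege and EDR guidance above into a measurable control.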
However, playing defense is not enough. Organizations must take a proactive stance. Leveraging threat intelligence feeds to stay ahead of emerging threats and having a well-prepared incident response plan are essential. Reaction time makes all the difference when combating a group this advanced.
We also need to better identify our most vulnerable critical infrastructure companies and ensure they receive the resources necessary to defend against advanced threats. By levying fines on multi-billion-dollar corporations that fail to meet cybersecurity standards, we can use those funds to strengthen the defenses of our critical infrastructure across the board.
Ghost Emperor and the Bigger Picture: Critical Infrastructure
Salt Typhoon is part of a growing wave of APTs targeting critical infrastructure. They aren’t the only ones; groups like Volt Typhoon have targeted the U.S. energy and transportation sectors, while Russia’s ELECTRUM has aimed at Ukraine’s energy grid. These groups are not interested in quick financial gains; they are embedding themselves in systems that could be pivotal during future conflicts.
The impact of these groups extends beyond a single incident. Every compromised telecom network or power grid leaves vulnerabilities that others can exploit. The risks are very real and immediate, with serious implications for national security and economic stability.
The Policy Failure: Why Red Lines Don’t Work in Cyber
For years, policymakers have relied on the idea of "red lines" in cyberspace, assuming that adversaries would avoid crossing certain thresholds. Ghost Emperor’s operations show that these red lines are largely meaningless in the context of today’s cyber warfare. APT groups thrive on the ambiguity of international norms, pushing the boundaries without triggering direct retaliation.
The difficulty of attribution adds to the problem. Gray zone tactics are slow, incremental, and often below the threshold of traditional conflict, making it hard for defenders to justify a decisive response. We need adaptive deterrents—graduated responses that align with the scale and type of threat we’re facing.
We need better attribution technology, stronger international cooperation, and a focus on resilience. Relying on outdated reactive strategies will only encourage further attacks. Instead, we need to build systems that can withstand long-term attacks and aren’t afraid to impose meaningful costs on the attackers.
No More Ghost Stories
We need to stop acting like our old methods of deterrence are effective. Ghost Emperor has demonstrated that their patience, adaptability, and technical skills can outmaneuver outdated cybersecurity policies. A comprehensive, resilience-oriented strategy that includes proactive engagement is our best bet for keeping them at bay. Otherwise, we’re just telling ghost stories—warning each other of dangers without ever taking real action to confront them.