[ACCESS GRANTED] /// TATT-DB: ACTOR PROFILE LOADED ///

> Salt Typhoon

[pwnbase.io V.2.1.0_FUI]

/// CORE METADATA
PRIMARY ROLE: Nation-State Actor (China) / Espionage
STATUS: ACTIVE / HIGH THREAT
MOTIVATION: Espionage
TARGETS: Telecommunications, Government (Treasury), Critical Infrastructure
USERNAMES: None Publicly Listed
/// DATASET: MOST POPULAR BREACHES & SALES LOG (2 records)
[US Treasury Department] Dec 2024 | Data: Access to workstations and unclassified documents. | Context: Exploited vulnerabilities in third-party remote support software (BeyondTrust).
[Nine US Telecoms (AT&T, Verizon, etc.)] 2024 | Data: Call metadata, geolocation, and access to US law enforcement wiretapping systems (CALEA). | Context: Access persisted for over a year; used vulnerabilities in Versa, Fortinet, and Cisco devices.
/// TTP MAPPING: MITRE ATT&CK FRAMEWORK
Tactic | MITRE ID | Technique / Description | Defense Focus
[Defense Evasion] | T1036.005 | Masquerading: uses legitimate user accounts and "Living off the Land" (LotL) tools to blend in with network admin activity. | UEBA, Continuous Authentication, Baseline Activity Monitoring
[Initial Access] | T1190 | Exploit Public-Facing Application: exploited a zero-day in Versa Director and vulnerabilities in unpatched Fortinet/Cisco network devices. | Proactive Patch Management (KEVs), Network Device Hardening
[Impact] | T1537 | Access to CALEA Wiretapping Systems: goal was obtaining a complete list of phone numbers under US surveillance. | Strict Access Control, Network Segmentation for Sensitive Systems
/// WEAPONIZATION: KEY TOOLS & ARTIFACTS
BeyondTrust Vulns [Initial Access Exploits]
LotL Tools [Living off the Land (Native OS Tools)]
Versa/Fortinet Exploits [Zero-Day/Exploit Kits]

[END OF FILE]