Ymir Vigfusson
April 29, 2025
Salt Typhoon—also tracked as Earth Estries and UNC2286—isn't your everyday cybercriminal. They're an Advanced Persistent Threat (APT) group specializing in targeted espionage against telecoms, critical infrastructure, and government networks. Unlike financially motivated threat actors, Salt Typhoon’s main goal is persistent data exfiltration and intelligence gathering.
They deploy custom malware such as SparrowDoor and Demodex, and aggressively exploit known vulnerabilities for initial access (for instance CVE-2023-23397, the NTLM credential-leak flaw in Microsoft Outlook). Once inside, they are masters at quietly expanding their access and control through lateral movement.
In this session, we step through exactly how Salt Typhoon achieves lateral movement, the technical shortcomings of existing defenses, and how Keystrike stops these attacks.
Salt Typhoon primarily gains entry using three main tactics:
Regardless of method, the goal is always persistence and stealth.
Here’s where things get interesting. After gaining initial footholds, Salt Typhoon immediately begins lateral movement—using compromised credentials and legitimate Windows tools to avoid detection.
Common techniques include:
1. Pass-the-Hash (PtH) and NTLM Relay
Example command. In a real intrusion it would look like routine PowerShell activity by an admin user; attackers do not name their scripts after the technique:
2. PowerShell Remoting & WMI
Typical attacker script:
Again, these methods mimic normal administrative behavior, so traditional endpoint detection struggles to tell them apart from legitimate administration.
3. Hijacking RDP Sessions
Salt Typhoon expertly uses legitimate Windows tools—'living off the land'—to mask malicious actions behind authentic-looking admin activity.
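Even when the tooling is disguised as admin activity, each of the three techniques above leaves a characteristic trace in the Windows Security log. What follows is an added example, not code from the original post or from Keystrike: a small Python detector run over constructed 4624 (logon) and 4688 (process creation) event records. The hostnames, account names, process paths and the fan-out threshold are invented for illustration. It flags the type-9 "seclogo" logon that pass-the-hash tooling and runas /netonly create, one account fanning out NTLM network logons across many hosts, child processes of the WinRM and WMI host processes, and tscon.exe run as SYSTEM.

```python
"""Detections for the lateral-movement techniques described above, run over
constructed Windows Security events. Added example; not the post's own code."""
from collections import defaultdict

# Constructed sample events in the shape of Windows Security log fields
# (4624 = logon, 4688 = process creation). Hosts, accounts and paths are invented.
SAMPLE_EVENTS = [
    # 1a. Pass-the-hash tooling (like runas /netonly) starts a NewCredentials
    #     logon: LogonType 9 through the "seclogo" logon process.
    {"EventID": 4624, "Computer": "WS-NY07", "LogonType": 9,
     "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate",
     "TargetUserName": "svc_backup", "IpAddress": "::1"},
    # 1b. The stolen hash is then replayed as NTLM network logons (type 3)
    #     to several servers from the same workstation.
    {"EventID": 4624, "Computer": "DC-NY01", "LogonType": 3,
     "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "TargetUserName": "svc_backup", "IpAddress": "10.20.4.17"},
    {"EventID": 4624, "Computer": "FS-NY02", "LogonType": 3,
     "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "TargetUserName": "svc_backup", "IpAddress": "10.20.4.17"},
    {"EventID": 4624, "Computer": "SQL-NY03", "LogonType": 3,
     "LogonProcessName": "NtLmSsp", "AuthenticationPackageName": "NTLM",
     "TargetUserName": "svc_backup", "IpAddress": "10.20.4.17"},
    # 2a. PowerShell Remoting: the WinRM host process spawns the payload.
    {"EventID": 4688, "Computer": "FS-NY02", "SubjectUserName": "svc_backup",
     "ParentProcessName": r"C:\Windows\System32\wsmprovhost.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command whoami /all"},
    # 2b. WMI (Win32_Process.Create): the WMI provider host spawns the payload.
    {"EventID": 4688, "Computer": "SQL-NY03", "SubjectUserName": "svc_backup",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c net group "Domain Admins" /domain'},
    # 3. RDP hijack: tscon.exe run as SYSTEM (machine account, name ends in $)
    #    attaches a disconnected session without the owner's password.
    {"EventID": 4688, "Computer": "FS-NY02", "SubjectUserName": "FS-NY02$",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "NewProcessName": r"C:\Windows\System32\tscon.exe",
     "CommandLine": "tscon 2 /dest:console"},
    # Benign control: an interactive Kerberos console logon, must not fire.
    {"EventID": 4624, "Computer": "WS-NY07", "LogonType": 2,
     "LogonProcessName": "User32", "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "alice", "IpAddress": "127.0.0.1"},
]

# Parent processes that only spawn children when code is executed remotely.
REMOTE_EXEC_PARENTS = {
    "wsmprovhost.exe": "remote_exec_winrm",   # PowerShell Remoting / WinRM
    "wmiprvse.exe": "remote_exec_wmi",        # WMI Win32_Process.Create
}


def _basename(path):
    """Case-folded file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events, fanout_threshold=3):
    """Return findings as (rule, computer, account, detail) tuples."""
    findings = []
    ntlm_hosts = defaultdict(set)  # account -> servers reached with NTLM network logons

    for ev in events:
        eid = ev.get("EventID")
        if eid == 4624:
            if (ev.get("LogonType") == 9
                    and ev.get("LogonProcessName", "").lower() == "seclogo"):
                findings.append(("pth_newcredentials_logon", ev["Computer"],
                                 ev["TargetUserName"],
                                 "type 9 logon via seclogo (runas /netonly or PtH tooling)"))
            elif (ev.get("LogonType") == 3
                    and ev.get("AuthenticationPackageName") == "NTLM"):
                ntlm_hosts[ev["TargetUserName"]].add(ev["Computer"])
        elif eid == 4688:
            parent = _basename(ev.get("ParentProcessName", ""))
            child = _basename(ev.get("NewProcessName", ""))
            if parent in REMOTE_EXEC_PARENTS:
                findings.append((REMOTE_EXEC_PARENTS[parent], ev["Computer"],
                                 ev["SubjectUserName"],
                                 f"{parent} spawned {child}: {ev.get('CommandLine', '')}"))
            if child == "tscon.exe" and (ev.get("SubjectUserName", "").endswith("$")
                                         or "/dest:" in ev.get("CommandLine", "").lower()):
                findings.append(("rdp_session_hijack", ev["Computer"],
                                 ev["SubjectUserName"], ev.get("CommandLine", "")))

    # Fan-out: one account using NTLM to reach many hosts is the PtH/relay signature;
    # the threshold is an assumption to tune against your own baseline.
    for account, hosts in ntlm_hosts.items():
        if len(hosts) >= fanout_threshold:
            findings.append(("ntlm_lateral_fanout", ",".join(sorted(hosts)), account,
                             f"NTLM network logons to {len(hosts)} distinct hosts"))
    return findings


if __name__ == "__main__":
    for rule, computer, account, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {computer} {account}: {detail}")
```

Run against the sample set, all five rules fire once and the benign Kerberos logon stays silent. The caveat is the point of this post: every one of these findings is raised after the session has already been granted. An operator who requests a Kerberos ticket with the stolen hash (overpass-the-hash) instead of NTLM, or who keeps the fan-out below the threshold, evades the first two rules entirely, because from the log's point of view the logon is a valid user with valid credentials.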
Here’s the critical blind spot:
Identity-based security tools (MFA, Privileged Access Management and Zero Trust policies) assume that all traffic on a properly authenticated and authorized session remains legitimate after the initial verification. Once credentials are compromised, the attacker passes those checks as the legitimate user, and the controls no longer distinguish the two.
In other words, traditional defenses fail in these (and many other) scenarios because they trust authenticated sessions implicitly. Salt Typhoon exploits this implicit trust to methodically escalate privileges and exfiltrate data undetected.
Stopping lateral movement isn't about stacking more identity checks. It’s about proving—continuously—that commands are being physically initiated by the right person, at the right machine. That’s exactly what Keystrike does.
How Keystrike Technically Works:
Here’s a real-world scenario of Keystrike in action:
An attacker with stolen credentials attempts to establish a Remote Desktop session to a domain controller:
mstsc.exe /v:DC-NY01
In a typical environment, this command would launch a full interactive session—giving the attacker keyboard-level access to the target system.
But in a Keystrike-protected environment, something critical happens:
No physical input from a trusted workstation = RDP session denied.
As security engineers, your job isn’t just understanding attacks—it's proactively closing gaps. Here’s your actionable checklist:
These steps are critical not just for detection, but for permanently disabling Salt Typhoon’s lateral movement ability.
Salt Typhoon’s persistent threat teaches us an uncomfortable truth: implicit trust is dangerous. Attackers know exactly how to leverage your trust models against you. True cybersecurity requires continuous, immutable verification of physical user actions.
Keystrike fundamentally changes the rules of the game, not by layering another authentication check but by authenticating the physical origin of commands in the session. We always assume the session is compromised, and attest presence and intent accordingly. This is the only definitive way to render lateral movement attacks by Salt Typhoon—or any advanced attacker—impossible.
Your next action: Immediately implement continuous physical verification. Salt Typhoon’s stealth is only effective when your security relies solely on implicit trust.
Try Keystrike in Your Environment for 30 Days