Salt Typhoon APT (Earth Estries/UNC2286): A Deep Technical Dive into Lateral Movement and How to Stop It

Ymir Vigfusson

April 29, 2025

Who Exactly is Salt Typhoon?

Salt Typhoon—also tracked as Earth Estries and UNC2286—isn't your everyday cybercriminal. They're an Advanced Persistent Threat (APT) group specializing in targeted espionage against telecoms, critical infrastructure, and government networks. Unlike financially motivated threat actors, Salt Typhoon’s main goal is persistent data exfiltration and intelligence gathering.

They deploy custom malware such as SparrowDoor and Demodex, and they aggressively exploit known vulnerabilities in exposed software to get initial access; one example is CVE-2023-23397, the Microsoft Outlook flaw that leaks a victim's NTLM credentials to an attacker-controlled host. Once inside, they quietly expand their access and control through lateral movement.

In this post, we step through how Salt Typhoon achieves lateral movement, where existing defenses fall short technically, and how Keystrike stops these attacks.

Technical Breakdown: How Salt Typhoon Gets Initial Access

Salt Typhoon gains entry through three main tactics:

| Initial Access Technique | Description | Example / Tool |
|---|---|---|
| Spear-phishing campaigns | Targeted emails crafted for key individuals, carrying malicious attachments or links | Malware payloads such as SparrowDoor |
| Exploiting external vulnerabilities | Rapid compromise of externally facing systems through known software vulnerabilities | CVEs like CVE-2023-23397; web shells and loaders dropped after exploitation |
| Supply chain attacks | Compromise of third-party software updates or vendors, bypassing the victim network's own perimeter controls | Infected vendor software updates |

Regardless of method, the goal is always persistence and stealth.

How Salt Typhoon Lives off the Land

Here’s where things get interesting. After gaining initial footholds, Salt Typhoon immediately begins lateral movement—using compromised credentials and legitimate Windows tools to avoid detection.

Common techniques include:

1. Pass-the-Hash (PtH) and NTLM Relay

  • Capturing NTLM hashes stored in memory using tools like Mimikatz.
  • Authenticating to neighboring machines without ever needing plaintext passwords.

An example command follows. In a real intrusion it looks like routine PowerShell activity by an administrator; attackers do not name their tooling after the technique:

2. PowerShell Remoting & WMI

  • Executing remote PowerShell commands or leveraging WMI scripts to silently spread across systems.

Typical attacker script:

Again, these methods mimic normal administrative behavior, so traditional endpoint detection struggles to separate them from legitimate administration.

3. Hijacking RDP Sessions

  • Using compromised credentials to open Remote Desktop Protocol sessions directly, and sidestepping MFA by hijacking existing sessions or reusing their tokens.

Salt Typhoon expertly uses legitimate Windows tools—'living off the land'—to mask malicious actions behind authentic-looking admin activity.

Technical Gaps: Why Identity Security Doesn’t Stop Lateral Movement

Here’s the critical blind spot:

Identity-based security tools (MFA, Privileged Access Management, Zero Trust policies) assume that everything done within a properly authenticated and authorized session remains legitimate after the initial verification. Once the credentials or the session itself are compromised, that assumption fails and the controls have nothing left to check.

| Security Layer | What It Covers | Why It Fails Against Salt Typhoon |
|---|---|---|
| MFA | Verifies the user at initial login | A hijacked session token was already verified, so it passes MFA and looks legitimate |
| PAM | Brokers and records privileged access | Commands issued through a compromised session look like legitimate admin activity, so privilege is granted without any alert |
| Zero Trust | Continuously re-evaluates identity and device conditions | Compromised credentials satisfy those conditions, so policy keeps granting access |

In other words, traditional defenses fail in these (and many other) scenarios because they trust authenticated sessions implicitly. Salt Typhoon exploits this implicit trust to methodically escalate privileges and exfiltrate data undetected.

Introducing an Immutable Root of Trust: Keystrike

Stopping lateral movement isn't about stacking more identity checks. It’s about proving—continuously—that commands are being physically initiated by the right person, at the right machine. That’s exactly what Keystrike does.

How Keystrike Technically Works:

  • Hardware-based Verification: Keystrike cryptographically attests every keystroke and mouse click at the physical workstation.
  • Immutable Session Integrity: Commands lacking Keystrike validation are flagged instantly, stopping attackers who use remote or automated tools.

Here’s a real-world scenario of Keystrike in action:

An attacker with stolen credentials attempts to establish a Remote Desktop session to a domain controller:

mstsc.exe /v:DC-NY01

In a typical environment, this command would launch a full interactive session—giving the attacker keyboard-level access to the target system.

But in a Keystrike-protected environment, something critical happens: 

No physical input from a trusted workstation = RDP session denied.

Actionable Steps: What You Should Do Right Now

As security engineers, your job isn’t just understanding attacks—it's proactively closing gaps. Here’s your actionable checklist:

  1. Audit Current Sessions:
    • Review domain controller event logs for suspicious credential use.
    • Check and retain RDP connection logs for correlation with unusual session patterns.
  2. Assess Credential Hygiene:
    • Rotate passwords on critical accounts now, including service accounts, and revoke existing sessions and tokens; a password change by itself does not end a session an attacker already holds.
    • Confirm use of least-privilege principles, limiting lateral exposure.
  3. Pilot Keystrike Immediately:
    • Deploy Keystrike agents on critical administrative workstations.
    • Establish alerting workflows for physical-verification failures.

These steps matter not only for detection but for removing the implicit session trust that Salt Typhoon's lateral movement depends on.

Trust but Verify Intent … Continuously

Salt Typhoon’s persistent threat teaches us an uncomfortable truth: implicit trust is dangerous. Attackers know exactly how to leverage your trust models against you. True cybersecurity requires continuous, immutable verification of physical user actions.

Keystrike changes the rules of the game not by layering another authentication check but by authenticating the physical origin of commands within the session. The session is always assumed to be compromised, and presence and intent are attested accordingly. That removes the implicit trust that lateral movement by Salt Typhoon, or any advanced attacker, depends on.

Your next action: Immediately implement continuous physical verification. Salt Typhoon’s stealth is only effective when your security relies solely on implicit trust.
