Hacking Group Earth Estries Targets Global Industries In Espionage Campaigns

Earth Estries, a Chinese hacking group, targets global industries with advanced malware, exploiting vulnerabilities and conducting long-term espionage across critical sectors.

Salt Typhoon recently gained attention for a China-linked espionage campaign compromising U.S. telecom giants like Verizon, AT&T, Lumen Technologies, and T-Mobile, as noted in The Record. The attackers reportedly accessed customer call data, focusing on individuals linked to government or political activities.

On Monday, cybersecurity firm Trend Micro reported another campaign linked to Earth Estries, their term for Salt Typhoon, targeting Southeast Asian telecoms with a new backdoor tool called GhostSpider.

The Chinese cyber-espionage group, Earth Estries, has been targeting critical industries globally, including telecommunications and government sectors, since 2023.

The group has infiltrated over 20 organizations across the U.S., Asia-Pacific, the Middle East, and South Africa, employing advanced techniques to conduct long-term spying operations. Victims also include companies in technology, consulting, chemical, and transportation industries, as well as non-profits and government agencies.

Earth Estries exploits vulnerabilities in public-facing servers to gain initial access, using legitimate system tools, known as “living-off-the-land binaries,” to move undetected within networks.

Once inside, the group deploys custom malware like GHOSTSPIDER, SNAPPYBEE, and MASOL RAT to establish control and extract sensitive information.

Recent attacks have revealed that GHOSTSPIDER, a modular backdoor, is designed to load different tools for specific tasks, enabling the group to adapt its tactics while evading detection. The group’s operations show a high level of coordination, with different teams managing specific aspects of their campaigns.

Overlaps in their tactics, techniques, and procedures with other Chinese hacking groups suggest shared tools, possibly through underground marketplaces offering malware as a service.

Investigations into Earth Estries have highlighted their focus on telecommunications and government networks, often targeting vendor systems to gain indirect access to their primary objectives.

In one case, they used the DEMODEX rootkit to compromise machines belonging to a major telecommunications contractor, allowing them to expand their reach undetected.

Analysts note that Earth Estries’ operations extend from edge devices to cloud systems, making them particularly difficult to identify and mitigate.

Their techniques include exploiting server vulnerabilities and deploying sophisticated tools to maintain persistence within their targets’ networks. Experts warn that Earth Estries’ activities demonstrate the growing complexity of cyber-espionage campaigns.

Organizations are urged to strengthen their cybersecurity defenses by addressing known vulnerabilities, monitoring network activity, and deploying advanced threat detection systems to detect and block attacks early in the process.

Trend Micro emphasize the need for proactive measures as Earth Estries continues to evolve its strategies, posing a serious threat to global industries and governments alike.