Salt Typhoon Hits Orange

French telecom Orange S.A. suffered a Salt Typhoon APT attack on 25 July 2025. Learn the TTPs, business impact, NIS2/DORA exposure and concrete defence steps.
Jul 30, 2025
Another strike linked to the China-backed Salt Typhoon APT: the 2025 telecom cyberattack

1. Executive Summary

On 25 July 2025, French telecom giant Orange S.A. detected and contained a cyber-intrusion that disrupted several business-customer management platforms. Preliminary forensics, together with a growing body of outside analysis, tie the observed TTPs to the China-linked Salt Typhoon APT (also tracked as GhostEmperor and FamousSparrow). Salt Typhoon specialises in covert, living-off-the-land espionage against telecom infrastructure: it abuses internet-facing edge devices and the operating system's own administration tooling rather than deploying noisy malware. Orange reports no customer-data theft so far, but the service interruptions and the mandatory regulatory notifications illustrate the rising bar for operational resilience in Europe under NIS2 and DORA.


2. Incident Timeline

Date/Time (CEST)   Event
25 Jul 03:28       Security monitoring flags anomalous PowerShell execution on an internal management server.
25 Jul 06:10       Orange Cyberdefense isolates the affected network segment; some B2B portals go offline.
25 Jul 12:00       Formal incident declaration; France's national cybersecurity agency (ANSSI) notified.
27 Jul 09:00       Public press release confirms a "sophisticated actor" and no evidence of customer PII exfiltration.
30 Jul             Services expected to be fully restored; investigation ongoing.


3. Threat Actor Profile – Salt Typhoon

Aliases: GhostEmperor, FamousSparrow, Earth Estries, UNC2286
Assessed Sponsor: China's Ministry of State Security (MSS)
Primary Targets: Telecoms, satellite operators, defence, government agencies
Notable Victims: AT&T, Verizon, Viasat, US Army National Guard, multiple EU telcos (2024-25)
Objectives: Long-term espionage, lawful-intercept access, metadata harvesting
TTPs:
– Exploit edge-device vulnerabilities (VPN concentrators, SBCs)
– Use LOLBins (certutil, wmic, netsh) so that activity looks like administration rather than malware
– Maintain long dwell via custom backdoors and stolen admin credentials


4. Technical Analysis

Initial Access
The foothold was most likely an unpatched, internet-facing VPN appliance, from which the actor pivoted to a Windows jump host. Edge appliances have been the group's entry point in earlier campaigns, and they rarely carry endpoint telemetry, so their patch level and administrative activity deserve the same scrutiny as the servers behind them.

Privilege Escalation & Lateral Movement
The actor used built-in PowerShell and wmic commands to create shadow admin accounts, consistent with prior campaigns. Because these are signed Microsoft binaries, the tooling itself is not an indicator; the sequence is: a process-creation event with an unusual command line, followed within seconds by an account creation and an addition to the local Administrators group on the same host.

Command & Control
Command-and-control traffic was carried over TLS on port 443 to cloud-hosted infrastructure, so by destination and protocol it looked like ordinary web traffic, a hallmark of Salt Typhoon's preference for blend-in channels. What such a channel cannot hide is its rhythm: regular check-ins of near-constant size stand out against human browsing once timing is measured per source/destination pair.
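The following Python script is an added example, not code from the original article or from Orange or Orange Cyberdefense, showing how a blend-in channel of this kind is caught in practice. It parses constructed proxy-log lines (the log format, hostnames and addresses are assumptions for illustration) and flags source/destination pairs whose connection intervals are too regular to be a person or a normal application. The destination looks like any other cloud host; the periodicity gives the beacon away. The same logic serves the beacon hunt in the checklist below, including DNS-over-HTTPS resolvers used as a covert channel.

```python
"""Beacon detection over proxy logs (added example, not Orange's tooling).

C2 that blends in as HTTPS to a cloud host is hard to spot by destination
alone; what betrays it is timing regularity. Each (source, destination) pair
is scored by the coefficient of variation (stdev / mean) of its connection
inter-arrival times, and low-variance repeating sessions are flagged.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log for illustration; not real Orange telemetry.
# Assumed format: "<ISO-8601 UTC timestamp> <src_ip> <dst_host>:<dst_port> <bytes_sent>"
SAMPLE_PROXY_LOG = """\
2025-07-25T01:00:03Z 10.20.1.15 updates.cloudhost.example:443 812
2025-07-25T01:10:02Z 10.20.1.15 updates.cloudhost.example:443 806
2025-07-25T01:20:05Z 10.20.1.15 updates.cloudhost.example:443 815
2025-07-25T01:30:01Z 10.20.1.15 updates.cloudhost.example:443 809
2025-07-25T01:40:04Z 10.20.1.15 updates.cloudhost.example:443 811
2025-07-25T01:50:03Z 10.20.1.15 updates.cloudhost.example:443 807
2025-07-25T01:00:41Z 10.20.1.15 news.example.org:443 52311
2025-07-25T01:01:15Z 10.20.1.15 news.example.org:443 9921
2025-07-25T01:07:58Z 10.20.1.15 news.example.org:443 120043
2025-07-25T01:25:30Z 10.20.1.15 news.example.org:443 4410
2025-07-25T01:26:02Z 10.20.1.15 news.example.org:443 77310
2025-07-25T01:49:47Z 10.20.1.15 news.example.org:443 6102
"""


def parse_proxy_log(text):
    """Return a list of (timestamp, src, dst, bytes_sent) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, sent = line.split()
        # fromisoformat() on older Pythons rejects the trailing 'Z'
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        records.append((when, src, dst, int(sent)))
    return records


def find_beacons(records, min_sessions=5, max_interval_cv=0.1):
    """Flag (src, dst) pairs with at least `min_sessions` connections whose
    inter-arrival times have a coefficient of variation at or below
    `max_interval_cv`. Both thresholds are assumptions to tune against your
    own baseline; jittered implants need a looser cv and a longer window."""
    by_pair = defaultdict(list)
    for when, src, dst, sent in records:
        by_pair[(src, dst)].append((when, sent))

    hits = []
    for (src, dst), sessions in by_pair.items():
        if len(sessions) < min_sessions:
            continue
        sessions.sort()
        times = [s[0] for s in sessions]
        sizes = [s[1] for s in sessions]
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue
        cv = pstdev(intervals) / avg
        if cv <= max_interval_cv:
            hits.append({
                "src": src, "dst": dst, "sessions": len(sessions),
                "mean_interval_s": avg, "interval_cv": cv,
                "mean_bytes": mean(sizes), "bytes_cv": pstdev(sizes) / mean(sizes),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print(f"BEACON {hit['src']} -> {hit['dst']}: {hit['sessions']} sessions every "
              f"~{hit['mean_interval_s']:.0f}s (interval cv={hit['interval_cv']:.3f}, "
              f"~{hit['mean_bytes']:.0f} bytes, size cv={hit['bytes_cv']:.3f})")
```

Run against a day of egress logs from management hosts and jump servers first: those machines have no business browsing, so any low-cv pair there is worth a look, whereas on user workstations the same rule needs an allow-list for software updaters and telemetry, which beacon legitimately.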


5. Impact & Regulatory Lens

Orange reports no evidence of customer-data theft; the disruption to business-customer platforms nevertheless met the French threshold for mandatory notification. Under NIS2 (transposition deadline October 2024), an operator in the essential-entity category must send an early warning within 24 hours and an incident notification within 72 hours to the national CSIRT or competent authority (ANSSI in France), followed by a final report within a month, and faces administrative fines of up to €10 M or 2 % of worldwide annual turnover, whichever is higher. Under DORA (applicable to financial entities since January 2025), the equivalent clock for a major ICT-related incident is an initial notification within four hours of classifying it as major, and in any case within 24 hours of detection. These deadlines are regulatory notifications, not public disclosure; what and when to tell customers and the press is a separate decision, but one that the same playbook has to cover.


6. Mitigation & Hardening Checklist

  1. Patch & Monitor Edge Devices
    Apply VPN, firewall and SBC security advisories within a 24-hour SLA, and monitor the appliances themselves (configuration changes, unexpected administrative logons, new local accounts), since they rarely run EDR and are where this class of intrusion starts.

  2. Zero Trust Segmentation
    Block lateral movement from management subnets to core service planes; a jump host should reach only the systems it administers, over only the protocols that administration needs.

  3. LOLBin Detection Rules
    Alert on certutil, wmic, netsh and PowerShell when invoked with arguments that have no place in routine administration, e.g. certutil fetching or decoding files, wmic spawning processes, netsh port forwarding, PowerShell with encoded or hidden-window switches. Enable command-line auditing for process-creation events first; without it the rule has nothing to match.

  4. 24/7 Threat Hunting
    Hunt for long-dwell artefacts: new scheduled tasks and services, fresh local administrators, and periodic HTTPS or DNS-over-HTTPS beacons from hosts that should not browse.

  5. Table-Top & Red-Team Exercises
    Align incident playbooks with DORA's reporting clock: classify a major ICT-related incident and send the initial notification within four hours of classification (at most 24 hours after detection), and rehearse the intermediate and final reports as well as the technical recovery.
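Detection logic for the shadow-admin pattern described in the Technical Analysis and for checklist items 3 and 4, as an added Python example that is not code from the article or from Orange. It runs over a handful of constructed Windows Security events (hostnames, account names and command lines are invented for illustration) and combines two rules: LOLBin command-line patterns in process-creation events (4688), and an account creation (4720) followed within a short window by that account being added to BUILTIN\Administrators (4732 with SID S-1-5-32-544) on the same host. A shadow-admin hit preceded by a LOLBin hit on the same host is raised to critical; the correlation, rather than either event alone, is what separates an intrusion from legitimate provisioning.

```python
"""LOLBin and shadow-admin detection over Windows Security events
(added example, not Orange's or any vendor's rule set)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"   # well-known SID of BUILTIN\Administrators

# Suspicious command-line patterns per LOLBin (assumptions for illustration; tune to your estate)
LOLBIN_PATTERNS = {
    "certutil.exe": re.compile(r"-urlcache|-decode|-encode|-verifyctl", re.I),
    "wmic.exe": re.compile(r"process\s+call\s+create|/node:|shadowcopy", re.I),
    "netsh.exe": re.compile(r"portproxy|advfirewall\s+firewall\s+add|trace\s+start", re.I),
    "powershell.exe": re.compile(r"-enc(odedcommand)?\b|-e\s|-w(indowstyle)?\s+hidden|downloadstring", re.I),
}

# Constructed events, simplified from the 4688/4720/4732 field sets; not real Orange data.
SAMPLE_EVENTS = [
    {"time": "2025-07-25T03:27:50", "host": "JUMP01", "id": 4688,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMA"},   # placeholder payload
    {"time": "2025-07-25T03:28:02", "host": "JUMP01", "id": 4688,
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic process call create "net user svc_mgmt Pa55w0rd! /add"'},
    {"time": "2025-07-25T03:28:03", "host": "JUMP01", "id": 4720,
     "target_user": "svc_mgmt", "subject_user": "adm_ops"},
    {"time": "2025-07-25T03:28:05", "host": "JUMP01", "id": 4732,
     "group_sid": ADMINISTRATORS_SID, "member": "svc_mgmt", "subject_user": "adm_ops"},
    # Benign activity: a certificate-store check, an interface listing, HR provisioning a normal user
    {"time": "2025-07-25T10:15:11", "host": "FILESRV02", "id": 4688,
     "image": r"C:\Windows\System32\certutil.exe", "cmdline": "certutil.exe -verifystore My"},
    {"time": "2025-07-25T10:15:40", "host": "FILESRV02", "id": 4688,
     "image": r"C:\Windows\System32\netsh.exe", "cmdline": "netsh.exe interface show interface"},
    {"time": "2025-07-25T10:16:40", "host": "DC01", "id": 4720,
     "target_user": "j.dupont", "subject_user": "svc_hr_provision"},
    {"time": "2025-07-25T10:17:02", "host": "DC01", "id": 4732,
     "group_sid": "S-1-5-21-1111111111-2222222222-3333333333-1107",
     "member": "j.dupont", "subject_user": "svc_hr_provision"},
]


def process_name(image):
    """Basename of the 4688 'New Process Name' field, lower-cased."""
    return image.rsplit("\\", 1)[-1].lower()


def detect_lolbin_abuse(events):
    """Rule 1: 4688 whose image is a watched LOLBin and whose command line matches."""
    alerts = []
    for ev in events:
        if ev["id"] != 4688:
            continue
        name = process_name(ev["image"])
        pattern = LOLBIN_PATTERNS.get(name)
        if pattern and pattern.search(ev["cmdline"]):
            alerts.append({"rule": "lolbin_abuse", "host": ev["host"], "time": ev["time"],
                           "process": name, "detail": ev["cmdline"]})
    return alerts


def detect_shadow_admin(events, window=timedelta(minutes=10)):
    """Rule 2: 4720 (account created) followed within `window` by 4732 adding that
    same account to BUILTIN\\Administrators on the same host. Severity is raised
    to critical when a LOLBin alert on that host precedes it inside the window."""
    lolbin_times = defaultdict(list)
    for alert in detect_lolbin_abuse(events):
        lolbin_times[alert["host"]].append(datetime.fromisoformat(alert["time"]))

    created = {}   # (host, account) -> creation time
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[(ev["host"], ev["target_user"].lower())] = when
        elif ev["id"] == 4732 and ev["group_sid"] == ADMINISTRATORS_SID:
            t_created = created.get((ev["host"], ev["member"].lower()))
            if t_created is None or when - t_created > window:
                continue
            preceded = any(t_created - window <= t <= when for t in lolbin_times[ev["host"]])
            alerts.append({"rule": "shadow_admin", "host": ev["host"], "time": ev["time"],
                           "user": ev["member"], "by": ev["subject_user"],
                           "severity": "critical" if preceded else "high",
                           "detail": f"{ev['member']} created {when - t_created} before "
                                     f"being added to Administrators"})
    return alerts


def run_detections(events):
    return detect_lolbin_abuse(events) + detect_shadow_admin(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Two caveats when porting this to a SIEM: the 4688 command line is only present if "Include command line in process creation events" is enabled (or Sysmon event 1 is used instead), and 4732 covers local groups only; membership changes to domain groups such as Domain Admins arrive as 4728 or 4756 from the domain controllers and need the same correlation there.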


7. Strategic Take‑Away

Salt Typhoon reinforces that telecom infrastructure is a crown-jewel collection target for the MSS: access to a carrier yields subscriber metadata and lawful-intercept systems at scale. Compliance frameworks now demand proof of resilience, not just proof of patching. If edge devices aren't hardened and staff aren't drilled, your network is an open map.

“Resilience isn’t an add‑on—it is the plan.” — Marçal Santos


8. Further Reading

  1. Security Affairs – “Orange reports major cyberattack, warns of service disruptions.” 29 Jul 2025

  2. BleepingComputer – “French telecom giant Orange discloses cyberattack.” 29 Jul 2025

  3. Orange Press Release – “Complaint filed concerning a security incident.” 28 Jul 2025

  4. Varonis Threat Labs – “Salt Typhoon: The Threat Group Behind Major Cyberattacks.” Mar 2025

  5. Armis Labs – “Breaking Down Salt Typhoon.” Dec 2024

  6. Security Affairs – “Chinese APT compromises U.S. Army National Guard network.” 15 Jul 2025



Trescudo Blog