
Salt Typhoon, an advanced persistent threat (APT) group linked to the Chinese state, is targeting European telecommunications providers with a new backdoor, SnappyBee, to steal sensitive data and establish long-term persistence in the EU's infrastructure.
The Salt Typhoon cyberattack exploited trusted software relationships to infiltrate networks, using SnappyBee to exfiltrate data and maintain covert access.
The targeting coincides with contentious political debates in the EU over a proposed telecom overhaul. EU telcos are warning that mandatory network fees could strain the very investments needed to fund cybersecurity defenses against threats of this kind.
The attempted Salt Typhoon attack highlights the mounting pressure on Europe's telecom industry. Operators are forced to spend more on cybersecurity while governments impose additional regulatory and financial burdens.
Salt Typhoon Telecom Cyberattacks
Chinese Salt Typhoon, also known as Earth Estries or UNC5807, has built a notorious reputation for infiltrating telecommunications networks worldwide.
In the recent case, Darktrace reported that the group exploited a vulnerability in a Citrix NetScaler Gateway appliance to gain initial access before attempting to move laterally through the telecom's internal systems.
“Darktrace observed activity in a European telecommunications organisation consistent with Salt Typhoon’s known tactics, techniques and procedures (TTPs), including dynamic-link library (DLL) sideloading and abuse of legitimate software for stealth and execution,” the company stated in an interview on Monday.
The hackers reportedly used SNAPPYBEE (also known as Deed RAT), a backdoor tool shared by several Salt Typhoon APT groups, and concealed malicious payloads by pairing them with trusted antivirus software such as Norton and IObit Malware Fighter.
“This pattern of activity indicates that the attacker relied on DLL side-loading via legitimate antivirus software to execute their payloads.”
“Salt Typhoon and similar groups have a history of employing this technique, enabling them to execute payloads under the guise of trusted software and bypassing traditional security controls,” Darktrace analysts added.
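The side-loading pattern Darktrace describes, a trusted signed binary picking up a planted DLL from its own directory instead of the genuine one in System32, leaves a recognisable footprint in image-load telemetry. The following is an added example of how a defender might triage such records; it is not Darktrace's detection logic and not part of the Salt Typhoon toolset. The records are constructed here to resemble Sysmon Event ID 7 (Image loaded) fields, and the field names, paths, vendor strings and the illustrative list of System32 DLL names are assumptions for the illustration. It goes slightly beyond the article by checking four indicators (a system DLL name loaded from elsewhere, an unsigned DLL beside the host, a publisher mismatch between host and DLL, and a user-writable load path) rather than only the antivirus case described above.

```python
"""Triage of image-load telemetry for DLL side-loading indicators.

Added example for this article: not Darktrace's detection logic and not
anything from the Salt Typhoon toolset. The records below are constructed to
resemble Sysmon Event ID 7 (Image loaded) fields; field names, paths and
vendor strings are assumptions for the illustration.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories where Windows ships its own DLLs.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

# Locations a standard user can write to; a trusted binary loading code from
# here deserves a closer look.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "\\temp\\")

# Illustrative names of DLLs that normally live in System32. An operator
# would build this set from a baseline of their own hosts (assumption).
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptsp.dll"}


@dataclass
class ImageLoad:
    process_image: str   # the host executable (e.g. an antivirus binary)
    image_loaded: str    # the DLL it mapped
    dll_signed: bool     # Authenticode status of the DLL
    dll_signer: str      # signer subject of the DLL, empty when unsigned
    process_signer: str  # signer subject of the host executable


def _in_system_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def _user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def assess(ev: ImageLoad) -> list[str]:
    """Return the reasons an image load looks like side-loading (empty = benign)."""
    proc = PureWindowsPath(ev.process_image)
    dll = PureWindowsPath(ev.image_loaded)
    reasons = []
    # 1. A DLL carrying a System32 name but mapped from somewhere else.
    if dll.name.lower() in KNOWN_SYSTEM_DLLS and not _in_system_dir(ev.image_loaded):
        reasons.append("system DLL name loaded from outside the Windows system directories")
    # 2. The host picked up an unsigned DLL sitting next to it.
    if dll.parent == proc.parent and not ev.dll_signed:
        reasons.append("unsigned DLL loaded from the host process's own directory")
    # 3. Signed, but by a publisher other than the host's own.
    if (ev.dll_signed and dll.parent == proc.parent
            and ev.dll_signer.lower() != ev.process_signer.lower()):
        reasons.append("DLL beside the host signed by a different publisher than the host")
    # 4. Code loaded from a path an ordinary user could have written to.
    if _user_writable(ev.image_loaded) and not _in_system_dir(ev.image_loaded):
        reasons.append("DLL loaded from a user-writable location")
    return reasons


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    # Normal: Explorer loading version.dll from System32, both Microsoft-signed.
    ImageLoad(r"C:\Windows\explorer.exe", r"C:\Windows\System32\version.dll",
              True, "Microsoft Windows", "Microsoft Windows"),
    # Constructed side-load: a signed AV scanner copied to ProgramData picks up
    # an unsigned version.dll dropped beside it instead of the real one.
    ImageLoad(r"C:\ProgramData\avupdate\avscan.exe", r"C:\ProgramData\avupdate\version.dll",
              False, "", "Example AV Vendor"),
    # Normal: a vendor application loading its own signed helper library.
    ImageLoad(r"C:\Program Files\ExampleApp\app.exe", r"C:\Program Files\ExampleApp\helper.dll",
              True, "Example App Vendor", "Example App Vendor"),
]


def triage(events):
    """Return (process, dll, reasons) for every event with at least one indicator."""
    flagged = []
    for ev in events:
        reasons = assess(ev)
        if reasons:
            flagged.append((ev.process_image, ev.image_loaded, reasons))
    return flagged


if __name__ == "__main__":
    for proc, dll, reasons in triage(SAMPLE_EVENTS):
        print(f"{proc} -> {dll}")
        for r in reasons:
            print("   -", r)
```

Only the second constructed event is flagged, on three of the four indicators; the two legitimate loads produce no reasons. In practice the `KNOWN_SYSTEM_DLLS` baseline and the signer comparison are where false positives are tuned, since some vendors legitimately ship redistributable DLLs signed by a third party.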
Fortunately, the intrusion was detected before the Chinese hackers could dig deeper into the network. The group, active for over five years, has previously targeted US telecom operators, Canadian providers, and even satellite communications firms such as ViaSat. Western agencies say these operations are part of a larger Chinese intelligence effort to intercept communications and track global targets.
A joint advisory from Western cybersecurity bodies recently warned that companies supporting Salt Typhoon attacks “provide cyber-related products and services to China’s intelligence services, including multiple units in the People’s Liberation Army and Ministry of State Security.”
Vice President and Advisory CISO Worldwide at BlackBerry, Gregory Richardson, stated that communications networks have become main targets for Chinese telecom hackers driven by purposes ranging from corporate espionage to geopolitical influence.
Darktrace emphasized that Salt Typhoon's evolving tactics in the telecom attack, namely its secrecy, persistence, and reliance on trusted software, make it particularly difficult to detect with traditional cybersecurity defenses.
EU 5G Network Security Threats and Mandatory Fees
While Salt Typhoon APT cyber threats intensify, European telecom operators are also wrestling with new financial pressures from the EU’s proposed Digital Networks Act (DNA).
The law, expected to be put forward by the European Commission later this year, introduces mandatory fees aimed at funding 5G and network infrastructure, alongside strengthened cybersecurity obligations.
However, a coalition of 84 industry and consumer organizations, including the European Broadcasting Union (EBU) and European Digital Rights (EDRi), has voiced strong opposition to the plan. In a joint statement, they argued that imposing a so-called “fair share” fee would risk driving up costs, limiting choice and open access to information, and undermining the affordability, quality, and diversity of digital products and services.
This episode of telecom cyber espionage underscores that telecom infrastructure investments are vital to securing Europe's digital sovereignty. Yet for many smaller and midsized operators already stretched thin by cyber defense costs and compliance demands, these new financial requirements may prove hard to bear.
As the EU pushes for more resilient 5G networks amid mounting geopolitical tensions, cybersecurity spending is becoming both a necessity and a liability. For telecoms, Chinese hackers' cyber espionage campaigns serve as a stark reminder that defending against sophisticated foreign threats is no longer optional.