Earth Estries

Threat Actor updated 5 months ago (2024-11-29T14:05:07.857Z)

Download STIX

Preview STIX

Earth Estries, also known as Salt Typhoon, FamousSparrow, GhostEmperor, and UNC2286, is a sophisticated threat actor that has been conducting long-term espionage attacks against government entities and other targets since 2020. Originating from the People's Republic, Earth Estries ranks among the most advanced persistent threats (APT). The group displays a keen understanding of their target environments, continually identifying exposed layers for re-entry. With access to targeted networks, Earth Estries can deploy a diverse arsenal of powerful payloads, including new backdoors like Crowdoor, tools like Cobalt Strike, Zingdoor, and Snappybee, which are consistently being built out. The modus operandi of Earth Estries involves exploiting vulnerabilities in web-based adapter management tools like QConvergeConsole and vulnerable Exchange servers. In one infection chain, Earth Estries exploited these vulnerabilities using tools like Cobalt Strike, Hemigate, and Crowdoor delivered via CAB file packages. In another, they capitalized on vulnerable Exchange servers, making use of web shells such as ChinaChopper and additional backdoors like Zingdoor, SnappyBee, and Cobalt Strike. These tactics highlight the diversity of Earth Estries' toolkit and their strategic approach to maintaining access and control within compromised environments. Earth Estries employs various loading methods for its tools, particularly Cobalt Strike, and collects user credentials to further its objectives. Our analysis reveals a sophisticated and adaptable threat actor that not only demonstrates high technical capabilities but also a strategic approach to prolonged cyber operations. The group uses a range of RAR commands over the course of its campaigns, indicating a comprehensive understanding of their target environments. It is crucial to continue monitoring this threat actor given their consistent evolution and the potential risk they pose to governments and organizations worldwide.

Description last updated: 2024-11-28T11:53:12.634Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Salt Typhoon is a possible alias for Earth Estries. Salt Typhoon, also known as Earth Estries, FamousSparrow, GhostEmperor, and UNC2286, is a threat actor linked to China's Ministry of State Security. Active since at least 2020, this advanced persistent threat (APT) group has a history of targeting U.S. systems for intelligence gathering, particularl	3
Famoussparrow is a possible alias for Earth Estries. FamousSparrow, also known as Salt Typhoon and GhostEmperor, is a threat actor attributed to a China-linked Advanced Persistent Threat (APT) group. The cybersecurity industry has been tracking the activities of this malicious entity since 2019. FamousSparrow has been associated with China's Ministry	3
APT41 is a possible alias for Earth Estries. APT41, also known as Winnti, is a threat actor suspected to be originating from China, with its activities dating back to as early as 2012. It has targeted organizations in at least 14 countries and has been associated with the use of at least 46 different code families and tools. The group's activi	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Backdoor

Apt

Espionage

Lateral Move...

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Source Document References

Information about the Earth Estries Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
ESET	11 days ago	You will always remember this as the day you finally caught FamousSparrow
InfoSecurity-magazine	25 days ago	Chinese Spy Group FamousSparrow Back with a Vengeance, Targets US
Securityaffairs	a month ago	UAT-5918 ATP group targets critical Taiwan
DARKReading	4 months ago	Governments, Telcos Ward Off China's Hacking Typhoons
DARKReading	5 months ago	Salt Typhoon Builds Out Malware Arsenal With GhostSpider
Trend Micro	5 months ago	Breaking Down Earth Estries Persistent TTPs in Prolonged Cyber Operations
CERT-EU	a year ago	Tales Of Valhalla - March 2024 - Nextron Systems
CERT-EU	2 years ago	NextGen Security Tooling: Investments in Intelligence – Mike Coogan – CSP #142
CERT-EU	2 years ago	Mysterious 'Sandman' Threat Actor Targets Telecom Providers Across Three Continents
CERT-EU	2 years ago	Mopria, Cisco, Seimens , Word, DarkGate, AP Stylebook, More News, and Jason Wood – SWN #324
CERT-EU	2 years ago	‘Earth Estries’ Cyberespionage Group Targets Government, Tech Sectors
CERT-EU	2 years ago	Earth Estries Targets Government, Tech for Cyberespionage \| IT Security News
CERT-EU	2 years ago	Leftover Links 01/09/2023: University of Michigan Pays Massive Price for Using Microsoft
BankInfoSecurity	2 years ago	'Earth Estries' APT Hackers Are Cyberespionage Pros
InfoSecurity-magazine	2 years ago	Sophisticated Cyber-Espionage Group Earth Estries Exposed
CERT-EU	2 years ago	Cyber Security Week in Review: September 1, 2023
CERT-EU	2 years ago	APT Group Earth Estries Runs Espionage Campaigns Against US, Others
CERT-EU	2 years ago	Stealthy APT exposed: TTPs spill secrets of sophisticated campaigns
CERT-EU	2 years ago	Earth Estries' Espionage Campaign Targets Governments and Tech Titans Across Continents
CERT-EU	2 years ago	Earth Estries' Espionage Campaign Targets Governments and Tech Titans Across Continents – GIXtools