China's state-sponsored cyber operations—aptly nicknamed with "Typhoon" monikers—have been brewing trouble for over a decade. From Violet to Salt Typhoon, these advanced persistent threat (APT) groups have been wreaking havoc on government entities, critical infrastructure, and other high-value targets. Their evolution highlights one thing loud and clear: attackers are always one step ahead, looking for the weakest link.
But fear not—there’s a way to outpace these storms. Let’s break down what these Typhoons have been up to and how runZero brings calm to the chaos with unparalleled visibility and proactive defense.
The Typhoon Timeline: An Evolution of Threats
The Typhoon story began with Violet Typhoon, which stuck to the basics: phishing, exploiting known vulnerabilities, and going after traditional IT systems. They were your typical “steal the sensitive data and run” kind of crew.
Then came Volt Typhoon, which shifted focus to U.S. critical infrastructure. They embraced "living off the land" techniques, cleverly blending into hybrid IT and OT environments while avoiding detection. Think of them as the first innovators of the Typhoons.
Not to be outdone, Flax Typhoon targeted IoT devices like cameras and DVRs, transforming these "unimportant" devices into powerful botnets. It was a wake-up call for organizations ignoring their IoT inventory.
And now, Salt Typhoon has arrived, skillfully exploiting IT, OT, and IoT systems with alarming precision. Their primary focus? Telecommunications providers and ISPs, where they leverage trusted devices and connections to steal customer call records, compromise private communications—particularly those of individuals involved in government or political activities—and access sensitive information tied to U.S. law enforcement requests under court orders.
Why Visibility is the Game-Changer
The Typhoon saga reveals one critical truth: attackers will find the blind spots in your network. Whether it’s a forgotten IoT device, an outdated VPN concentrator, or a misconfigured firewall, these gaps become open doors for adversaries.
That’s why visibility—complete visibility—is key to staying ahead. Enter runZero.
How runZero Helps You Outmaneuver Salt Typhoon
Salt Typhoon thrives on exploiting edge devices and blending into your network. But runZero makes their job infinitely harder. Here’s how we give you the upper hand:
Proactive Edge Discovery: With real-time scanning and unmatched fingerprinting capabilities, runZero identifies every device—routers, firewalls, switches—before attackers can. Firmware versions? Check. Misconfigurations? Double-check.
Mapping Internal Pathways: Once inside, attackers aim to move laterally. runZero lights up internal pathways, exposing high-risk devices and connections that could serve as stepping stones for adversaries.
Correlating Internal and External Risks: Unlike siloed tools, runZero connects the dots between internal and external assets, revealing shared vulnerabilities and dependencies. That’s insight no other platform offers.
Risk-Based Prioritization: runZero doesn’t just throw vulnerabilities at you. It ranks them by exploitability, exposure pathways, and criticality, so you can tackle the most pressing issues first.
Continuous Monitoring: Networks change constantly, and so do risks. With runZero’s continuous discovery, you’ll always have an up-to-date picture of your attack surface.
Actionable Insights for Real-World Defense
Need proof of what runZero can do? Let’s walk through CISA’s latest guidance for countering Salt Typhoon’s tactics, alongside the queries you can run in the runZero platform to identify the assets at risk under each recommendation.
Strengthening Visibility: Monitoring: Network Engineers
If feasible, limit exposure of management traffic to the Internet. Only allow management via a limited and enforced network path, ideally only directly from dedicated administrative workstations. Do not manage devices from the internet. Only allow device management from trusted devices on trusted networks.
# Service Query
(type:router OR type:switch OR type:firewall) AND (port:80 OR port:443) AND has_public:true
Monitor user and service account logins for anomalies that could indicate potential malicious activity. Validate all accounts and disable inactive accounts to reduce the attack surface. Monitor logins occurring internally and externally from the management environment.
# Users Query
alive:t AND (
  isDisabled:true
  OR (source:googleworkspace suspended:t)
  OR (source:googleworkspace isEnforcedIn2Sv:f)
  OR (has:accountExpiresTS)
  OR (passwordExpired:true OR msDS-UserPasswordExpiryTimeComputedTS:<now)
)
Ensure the inventory of devices and firmware in the environment is up to date to enable effective visibility and monitoring. runZero can track and incorporate end-of-life data from a variety of sources.
# Asset Query
os_eol_expired:t
Monitoring: Network Engineers
Closely monitor all devices that accept external connections from outside the corporate network.
# Asset Query
has_public:t
Monitor IPsec tunnel usage.
# Service Query
protocol:ike
Hardening Systems & Devices: Protocols and Management Processes: Network Engineers
As a general strategy, put devices with similar purposes in the same VLAN. For example, place all user workstations from a certain team in one VLAN, while putting another team with different functions in a separate VLAN. runZero’s outlier score can help locate devices that don’t look like the others in the same site.
# Asset Query
outlier:>=2
If using Simple Network Management Protocol (SNMP), ensure only SNMP v3 with encryption and authentication is used.
# Service Query
protocol:snmp1 OR protocol:snmp2 OR protocol:snmp2c
Disable all unnecessary discovery protocols, such as Cisco Discovery Protocol (CDP).
# Service Query
protocol:cdp
Ensure Transport Layer Security (TLS) v1.3 is used on any TLS-capable protocols to secure data in transit over a network.
# Service Query
tls.supportedVersionNames:"SSL" OR tls.supportedVersionNames:"TLSv1.0" OR tls.supportedVersionNames:"TLSv1.1" OR tls.supportedVersionNames:"TLSv1.2"
Disable Secure Shell (SSH) version 1.
# Service Query
banner:"SSH-1"
Hardening Systems & Devices: Protocols and Management Processes: Network Defenders
Disable any unnecessary, unused, exploitable, or plaintext services and protocols, such as Telnet, File Transfer Protocol (FTP), Trivial FTP (TFTP), SSH v1, Hypertext Transfer Protocol (HTTP) servers, and SNMP v1/v2c.
# Service Query
protocol:telnet OR protocol:ftp OR protocol:tftp OR banner:"SSH-1" OR (protocol:http AND NOT protocol:tls) OR protocol:snmp1 OR protocol:snmp2 OR protocol:snmp2c
Conduct port scanning and scanning of known internet-facing infrastructure.
# Service Query
has_public:t
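The hardening queries above are runZero search syntax; the same checks can be applied offline to an exported inventory. The following is an added example, not runZero's code: the asset records and their field names are a constructed, simplified stand-in for a real export, and the rules mirror the public-management, plaintext-service, SNMP v1/v2c, TLS-below-1.3 and SSH-1 queries in this section.

```python
"""Apply the CISA-derived hardening checks from this post to a simplified,
constructed asset inventory (added example; not runZero's own code)."""
import re

# Constructed sample inventory: a firewall, a switch and an IoT camera.
ASSETS = [
    {"name": "edge-fw-1", "type": "firewall", "has_public": True,
     "services": [{"port": 443, "protocol": "http",
                   "tls_versions": ["TLSv1.2", "TLSv1.3"]},
                  {"port": 161, "protocol": "snmp2c"}]},
    {"name": "core-sw-2", "type": "switch", "has_public": False,
     "services": [{"port": 22, "protocol": "ssh", "banner": "SSH-1.99-Cisco-1.25"},
                  {"port": 23, "protocol": "telnet"}]},
    {"name": "cam-lobby", "type": "camera", "has_public": True,
     "services": [{"port": 80, "protocol": "http"}]},
]

PLAINTEXT = {"telnet", "ftp", "tftp", "snmp1", "snmp2", "snmp2c"}
WEAK_TLS = {"SSL", "TLSv1.0", "TLSv1.1", "TLSv1.2"}  # everything below TLS 1.3
MGMT_TYPES = {"router", "switch", "firewall"}

def audit(asset):
    """Return a list of (check, detail) findings for one asset."""
    findings = []
    for svc in asset["services"]:
        proto, port = svc.get("protocol"), svc.get("port")
        if proto in PLAINTEXT:
            findings.append(("plaintext-service", f"{proto}/{port}"))
        # protocol:http AND NOT protocol:tls -> HTTP with no TLS layer at all
        if proto == "http" and not svc.get("tls_versions"):
            findings.append(("plaintext-service", f"http/{port} without TLS"))
        # management-type device with web management reachable from the Internet
        if asset["has_public"] and asset["type"] in MGMT_TYPES and port in (80, 443):
            findings.append(("public-management", f"port {port}"))
        # banner:"SSH-1" also matches "SSH-1.99", which advertises v1 *and* v2,
        # so SSH v1 is still enabled on that host and it is flagged.
        if re.match(r"SSH-1\.", svc.get("banner", "")):
            findings.append(("ssh-v1", svc["banner"]))
        weak = WEAK_TLS & set(svc.get("tls_versions", []))
        if weak:
            findings.append(("tls-below-1.3", ",".join(sorted(weak))))
    return findings

def audit_all(assets):
    """Map each asset name to its findings; empty list means it passed."""
    return {a["name"]: audit(a) for a in assets}
```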
The Final Word
The Typhoon threat is real, but with runZero, you don’t have to weather the storm alone. Whether you’re facing state-sponsored attackers like Salt Typhoon or just trying to get a handle on your sprawling network, runZero does more than uncover what’s hiding in your network—we redefine what’s possible in exposure management. Our agentless, credential-free approach means you get instant insights without the hassle. And our advanced fingerprinting technology? It’s second to none, giving you detailed device profiles that competitors can only dream of.
But it’s not just about tech; it’s about speed and adaptability. As networks grow more complex and threats more advanced, runZero ensures you’re always one step ahead of these Typhoons no matter how their tactics evolve. From shadow IT to unmanaged IoT, we uncover everything—because the very things you didn’t know existed are exactly what these attackers are looking for.