June 20, 2025

Attribution With A Pinch of Salt (Typhoon)

The write-up explores a persistent challenge in cybersecurity: properly attributing intrusions to a named actor, especially when the actor in question is a loosely bounded cluster like "Salt Typhoon."

Salt Typhoon is a Chinese-linked hacking group also known by names like GhostEmperor, FamousSparrow, Earth Estries, and UNC2286. Public reporting on Salt Typhoon surged in late 2024 after media outlets revealed major intrusions into U.S. telecommunications firms. But attribution remains murky.

The confusion stems from weak or speculative links tying Salt Typhoon to other groups. Different cybersecurity companies (Microsoft, ESET, Kaspersky, Trend Micro) each use their own naming scheme and have linked Salt Typhoon to historical actors such as GhostEmperor and FamousSparrow on the basis of overlapping tooling or exploitation of the same vulnerabilities. For example, both of those groups exploited the ProxyLogon Exchange Server vulnerabilities, but that exploit chain was used by a large number of unrelated threat actors once it became public in 2021, so sharing it says little about who is behind a given intrusion.

Trend Micro's "Earth Estries" was later suggested to overlap with Salt Typhoon, GhostEmperor, and FamousSparrow. At the same time, malware tied to FamousSparrow (such as "CrowDoor") was also linked to a different Chinese-aligned actor, Tropic Trooper, which shows that a shared tool is not a unique identifier and makes the web of connections even more tangled.
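The two passages above make one analytic point: a technique that every tracked actor uses (ProxyLogon) carries no attribution weight, and a tool shared by two clusters (CrowDoor between FamousSparrow and Tropic Trooper) cannot by itself separate them. The following Python script is an added illustration of that reasoning and is not code from the original article or from Pylos. It weights each shared technique by how rare it is across a reference corpus and refuses to call a result conclusive when the leading candidate is not clearly ahead. The actor profiles, technique labels, the two "observed" clusters, and the margin threshold are all constructed toy data whose names merely mirror the post; none of it is real intelligence.

```python
"""Weighting shared tradecraft by how specific it actually is.

Added illustration for this post, not code from the original article.
The actor profiles and the two observed clusters below are constructed toy
data whose names merely mirror the post; they are not real intelligence.
"""
import math
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed reference corpus: which techniques each tracked cluster has been
# reported using. Every profile here includes ProxyLogon, since the post notes
# that exploit was widespread; the rarer entries are invented for illustration.
REFERENCE_PROFILES: Dict[str, Set[str]] = {
    "GhostEmperor": {"proxylogon-exploitation", "custom-kernel-rootkit",
                     "cobalt-strike", "psexec-lateral-movement"},
    "FamousSparrow": {"proxylogon-exploitation", "custom-backdoor-A",
                      "cobalt-strike", "mimikatz"},
    "Tropic Trooper": {"proxylogon-exploitation", "custom-backdoor-A", "mimikatz"},
    "Commodity crimeware": {"proxylogon-exploitation", "cobalt-strike",
                            "mimikatz", "ransomware-deployment"},
    "Opportunistic scanner": {"proxylogon-exploitation", "china-chopper-webshell"},
}

# Two constructed "new intrusion" technique sets that we want to attribute.
OBSERVED_A: Set[str] = {"proxylogon-exploitation", "cobalt-strike", "mimikatz",
                        "custom-kernel-rootkit"}
OBSERVED_B: Set[str] = {"proxylogon-exploitation", "cobalt-strike", "custom-backdoor-A"}


def technique_weights(profiles: Dict[str, Set[str]]) -> Dict[str, float]:
    """Inverse-frequency weight log(N / number of actors using the technique).

    A technique present in every tracked profile weighs exactly 0: sharing it
    says nothing about which actor is responsible.
    """
    n = len(profiles)
    counts = Counter(t for techs in profiles.values() for t in techs)
    return {t: math.log(n / c) for t, c in counts.items()}


def overlap_evidence(observed: Set[str],
                     profiles: Dict[str, Set[str]]) -> Dict[str, Tuple[float, int, Dict[str, float]]]:
    """Score each candidate actor as (weighted evidence, raw shared count, per-technique weights)."""
    weights = technique_weights(profiles)
    evidence = {}
    for actor, techs in profiles.items():
        shared = observed & techs
        contrib = {t: weights[t] for t in sorted(shared)}
        evidence[actor] = (sum(contrib.values()), len(shared), contrib)
    return evidence


def rank_candidates(observed: Set[str], profiles: Dict[str, Set[str]],
                    min_margin: float = 1.0) -> Tuple[List[Tuple[str, float]], bool]:
    """Rank candidates by weighted evidence.

    The result is flagged conclusive only when the leader beats the runner-up
    by at least min_margin; the threshold is a judgment call chosen for this
    illustration, not a published standard.
    """
    evidence = overlap_evidence(observed, profiles)
    ranked = sorted(((a, e[0]) for a, e in evidence.items()),
                    key=lambda kv: kv[1], reverse=True)
    lead, runner_up = ranked[0][1], ranked[1][1]
    conclusive = lead > 0 and (lead - runner_up) >= min_margin
    return ranked, conclusive


if __name__ == "__main__":
    for label, observed in (("A", OBSERVED_A), ("B", OBSERVED_B)):
        ranked, conclusive = rank_candidates(observed, REFERENCE_PROFILES)
        evidence = overlap_evidence(observed, REFERENCE_PROFILES)
        print(f"cluster {label}: {'conclusive' if conclusive else 'inconclusive'}")
        for actor, score in ranked:
            _, raw, contrib = evidence[actor]
            print(f"  {actor:22s} weighted={score:5.2f} raw_shared={raw} via={contrib}")
```

Cluster A shares three techniques with three different actors, so a raw overlap count is a three-way tie; once ProxyLogon is weighted at zero and the rare rootkit counts for most, GhostEmperor leads clearly. Cluster B is the CrowDoor-style situation: the only distinctive overlap is a backdoor that two actors share, FamousSparrow and Tropic Trooper end up close together, and the function reports the ranking as inconclusive rather than naming a winner.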

Amid all this hype, one solid piece of evidence does emerge: a U.S. Treasury OFAC designation (January 2025) connects Salt Typhoon operations to a Chinese cybersecurity contractor, Sichuan Juxinhe Network Technology Co., which works closely with China's Ministry of State Security (MSS). That is a hard linkage to Chinese government-backed espionage, and it rests on the contractor relationship rather than on any resemblance to older clusters.

But beyond that, most public attributions rely on superficial similarities rather than hard proof. The article warns that treating Salt Typhoon as simply a continuation of past actors like GhostEmperor or FamousSparrow could mislead analysts into defending against tooling and targeting that the current activity may not share.

In short, while Salt Typhoon is real and tied to Chinese state espionage, mixing it up with other groups based on behavioral overlaps risks poor defense strategies. Teams should be cautious, evaluate evidence carefully, and resist drawing broad conclusions from limited information.

The key takeaway: treat threat actor attribution with skepticism—especially when based on vague overlaps—and focus on concrete, verifiable intelligence.

Source: https://pylos.co/2025/06/11/attribution-with-a-pinch-of-salt-typhoon/
