“While helping the affected entity remediate the compromise, we made the unexpected discovery in the victim’s network,” the researchers said. “This campaign is also the first documented time FamousSparrow used ShadowPad, a privately sold backdoor, known to only be supplied to China-aligned threat actors.”
The campaign extended to a breach of a research institute in Mexico, two days prior to the US compromise. When researchers fed the techniques and IoCs into a tracking system, it revealed additional activities, one of which was an attack on a government institute in Honduras. ESET is still investigating the others.
While ESET attributes the July campaign to the entity it tracks as FamousSparrow with high confidence, the firm has reservations about identifying it as Microsoft’s Salt Typhoon. “There are a few overlaps between the two but many discrepancies,” it said. “Based on our data and analysis of the publicly available reports, FamousSparrow appears to be its own distinct cluster with loose links to (Salt Typhoon),” While Microsoft claims Salt Typhoon is the same as FamousSparrow and GhostEmperor, the threat intelligence leader has yet to attribute any such activities as discovered by ESET researchers.