APT41 (Barium / Salt Typhoon) Targets Telecom Providers via Kernel-Level Backdoor Espionage Campaign

APT41 (Barium / Salt Typhoon), an advanced persistent threat group, has been linked to a recent cyberattack on telecom providers, healthcare, retail, gaming, and government sectors. The incident leveraged spear phishing, supply chain compromise, custom malware/backdoors, and kernel-level implants to gain access, steal data, and evade detection. In this article, we examine who was responsible, how the attack unfolded, when it occurred, and what security leaders can do to avoid similar risks. We will also explore where Obsidian Security’s capabilities align with prevention and response.
Sophie Zhu
January 17, 2025

Who is APT41 (Barium / Salt Typhoon)?

APT41 (also called Barium or Salt Typhoon) is a prolific Chinese state-linked threat actor known for combining espionage and financially motivated operations. Operational since around 2014, they’ve executed high-profile supply chain compromises against software vendors and service providers, as well as ransomware and fraud campaigns targeting gaming, telecom, government, healthcare, and enterprise sectors globally. Notably, in 2025 they developed novel malware like TOUGHPROGRESS, VOLDEMORT, DUSTTRAP, and used tools such as Google Calendar for stealthy C2 communications. Their hybrid playbook makes them one of the most strategically advanced and profitable APT groups.

What Happened?

From 2024 to 2025, Microsoft and ESET tracked Salt Typhoon, a Chinese state-backed advanced persistent threat group (also known as APT41/Barium), and found it infiltrating major US Internet service providers and telecom networks. The campaign targeted the core of national telecommunications infrastructure, extracting sensitive call metadata and communications and conducting counterintelligence on a wide scale.

How Did The Attack Work?

Salt Typhoon’s intrusion relied on a mix of exploiting N-day vulnerabilities in firewalls, VPNs, and routers, deploying a kernel-level rootkit known as "Demodex," and implanting backdoors throughout the core network environment. The attackers leveraged vulnerable devices, such as Cisco routers and AAA servers, to maintain persistent access, intercept wiretap communications, and exfiltrate call recordings, metadata, and credentials. Data was siphoned via covert channels (including encrypted packet captures and unencrypted transfer protocols) while the adversaries manipulated configuration files and authentication systems to evade detection for months or even years.

Why It Matters

The Salt Typhoon breaches demonstrate an escalation from targeting enterprise IT to compromising national telecom infrastructure, risking the confidentiality of legal, governmental, and personal communications. The attacks reveal a new frontier of espionage where traditional tools like endpoint protection or network monitoring are inadequate; defense now requires advanced, kernel-level detection capabilities, rigorous supply chain validation, and integrity checks of the firmware and hardware supporting critical infrastructure.

How to Defend Against APT41 (Barium / Salt Typhoon)-Style Attacks

To defend against threats similar to those used by APT41 (Barium), security leaders should adopt the following multi-layered security practices:

  • Security Awareness & Phishing Simulations
    Train users to detect and report phishing attempts using realistic simulations. Reinforce awareness of social engineering tactics.
  • MFA Hardening (e.g., Phishing-Resistant Auth)
    Enforce phishing-resistant MFA (e.g., FIDO2, certificate-based auth). Detect and respond to MFA fatigue attacks or session hijacking attempts.
  • Endpoint Detection & Response (EDR)
    Deploy modern EDR solutions across workstations and cloud endpoints. Detect credential theft, persistence mechanisms, and lateral movement.
  • SaaS Misconfiguration Monitoring
    Continuously monitor for configuration drift and excessive privileges in SaaS apps (e.g., M365, Salesforce, Okta). Lock down unused integrations and enforce least privilege.
  • Email Gateway & Attachment Filtering
    Filter malicious attachments and links at the email gateway. Combine with in-app behavioral detection to spot post-delivery threats.
  • Threat Hunting or Behavioral Detection
    Proactively hunt for identity anomalies and unusual access patterns (e.g., impossible travel, session token reuse, OAuth abuse) across your SaaS estate.
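The "impossible travel" and "session token reuse" hunts in the last item can be run as a simple rule pass over sign-in logs. The script below is an added illustration, not Obsidian's or any vendor's code; the CSV log format, the sample events, the 900 km/h speed threshold, and the 50 km minimum distance are all assumptions.

```python
"""Hunt a SaaS sign-in log for impossible travel and session-token reuse."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0    # assumed threshold: faster than a commercial airliner
MIN_KM = 50.0      # assumed: ignore small hops (geo-IP jitter inside one city)

# Constructed sample log: user,ISO-8601 time,ip,lat,lon,session_token
SAMPLE_LOG = """\
alice,2025-01-17T08:00:00+00:00,203.0.113.10,40.71,-74.01,sess-a1
alice,2025-01-17T08:30:00+00:00,198.51.100.7,51.51,-0.13,sess-a1
bob,2025-01-17T09:00:00+00:00,203.0.113.22,37.77,-122.42,sess-b1
bob,2025-01-17T15:00:00+00:00,203.0.113.22,34.05,-118.24,sess-b1
"""


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    ip: str
    lat: float
    lon: float
    session: str


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    la1, lo1, la2, lo2 = map(radians, (a[0], a[1], b[0], b[1]))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def parse(line):
    user, ts, ip, lat, lon, session = line.split(",")
    return SignIn(user, datetime.fromisoformat(ts), ip, float(lat), float(lon), session)


def hunt(lines):
    """Return (rule, user, detail) findings, evaluating each user's sign-ins in time order."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: (e.user, e.ts))
    findings, last, session_ips = [], {}, {}
    for e in events:
        prev = last.get(e.user)
        if prev is not None:
            hours = (e.ts - prev.ts).total_seconds() / 3600
            km = haversine_km((prev.lat, prev.lon), (e.lat, e.lon))
            if km > MIN_KM and (hours == 0 or km / hours > MAX_KMH):  # guard divide-by-zero
                findings.append(("impossible_travel", e.user, f"{prev.ip}->{e.ip} {km:.0f}km in {hours:.2f}h"))
        last[e.user] = e
        first_ip = session_ips.setdefault(e.session, e.ip)  # token bound to first presenting IP
        if first_ip != e.ip:
            findings.append(("session_reuse", e.user, f"{e.session} seen from {first_ip} and {e.ip}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in hunt(SAMPLE_LOG.splitlines()):
        print(rule, user, detail)
```

In the sample, alice's session token moves from New York to London in 30 minutes, which trips both rules, while bob's six-hour San Francisco to Los Angeles hop on the same IP is left alone.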

Obsidian Security’s platform can help detect these signals, automate posture hardening, and accelerate incident response across identity and SaaS environments.

Where Obsidian Security Can Help

Obsidian’s SaaS Identity Threat Detection & Response (ITDR) helps detect post-phishing account misuse, token reuse, and impossible travel anomalies across SaaS environments. With OAuth App Risk Visibility, Obsidian surfaces risky third-party SaaS integrations that adversaries may use to maintain persistence or exfiltrate data.

Conclusion

APT41 (Barium / Salt Typhoon)’s recent campaign underscores the need for layered security and SaaS-native threat detection. Organizations should combine user education, identity threat protection, and SaaS configuration hardening to minimize risk. Obsidian’s continuous monitoring and context-aware alerts help defenders identify and respond to threats before damage is done.