```html ``` Salt Typhoon's Official Advisory Lists 88 Indicators. You Can Block Exactly None of Them.
top of page

Salt Typhoon's Official Advisory Lists 88 Indicators. You Can Block Exactly None of Them.

  • Writer: Patrick Duggan
    Patrick Duggan
  • 1 minute ago
  • 5 min read

We spent the afternoon auditing our own threat coverage — going actor by actor through the groups we track, counting how many hard indicators we actually have attributed to each one. The plan was housekeeping: find the gaps, fill them, move on. Instead we found the floor under the entire indicator-feed industry, and it is not where anybody advertises it.


If you run a SOC and you are in a hurry, here is the short version: the indicators worth having are already live in our free feed, so pull the domains and hashes and go block. This post is about the uncomfortable part — why the actors most likely to actually hurt you are the ones we, and everyone else, have almost nothing on.



The better the actor, the less there is to block


Sort our coverage by how many attributed indicators each actor has, and a line draws itself. At the top, thick with blockable material: Kimsuky at nearly a thousand, MuddyWater in the low hundreds, Handala at 89, Akira maxing out our sample. These are the criminal crews, the ransomware operators, the Iranian and North Korean groups. They have one thing in common. They rent infrastructure — servers, domains, phishing kits — and infrastructure is a thing you can put on a list.


At the bottom, nearly bare: Volt Typhoon with a single hash. JADEPUFFER with two. And Salt Typhoon, the group that spent last year inside American telecom backbones reading call records, with a grand total of zero blockable network indicators in the feed at the start of the day.


That is the pattern, and it is the opposite of the intuition every vendor sells you. You would assume the more advanced the adversary, the more there is to defend against. The data says the reverse. The most sophisticated actors alive leave the least behind, because they are not renting anything. They are living inside your own tools.



The 88 indicators that block nothing


Here is the receipt that made us stop and reread it. Salt Typhoon has an official CISA joint advisory — the document every defender is told to consume and operationalize. We pulled its machine-readable version directly. It contains 88 indicators. Every single one is a behavior — a technique, a tactic, a thing the group tends to do. Not one is an address, a domain, or a hash you can drop into a blocklist. The government published the honest truth for this actor: there is nothing here to block, because the group does not leave that kind of trace.


Volt Typhoon, the crew pre-positioning inside water and power utilities for a bad day, is the same story compressed to a single malware hash. Its entire method is to operate from compromised home and small-office routers using the network's own administrative tools, so there is no fixed command server to name.


And APT41 — the Chinese contractor group Microsoft calls Brass Typhoon — has gone further into the trend than anyone. Its recent campaigns run command-and-control through Google Calendar and Google Drive. The malware reads its orders from a calendar event. You cannot block that without blocking Google. The infrastructure is legitimate on purpose, which is the entire point.



The gap was not what we thought it was


When we went to feed Brass Typhoon, we hit the second surprise. The freshest indicators — a set of Alibaba typosquat domains the group registered over a single January weekend, the kind of thing where ai.qianxing.co sitting next to a fake aliyun domain is the tell — were already in our feed. A third-party source had caught them months ago. They were sitting there the whole time, unattributed, unconnected to the actor, invisible to anyone asking "what do we have on Salt Typhoon's cousin."


So the gap was never that we failed to collect. We had the data. The gap was that nobody had drawn the line between the indicator and the name. That distinction matters more than it sounds, because it means "we have no coverage of this group" and "we collected the evidence and never linked it" look identical from the outside, and only one of them is a real hole. Most of the time it is the second one. The intelligence is in the linkage, not the capture.



For the actors that matter, the hash is the only thing that lasts


The last insight is the practical one, and it changes what you should actually do. For these top-tier groups, network infrastructure is worthless as a durable indicator. The typosquat domains get burned within weeks. The free-hosting and tunnel services rotate daily. The cloud IPs get reassigned to some innocent tenant a month later — which is exactly why we deliberately left Brass Typhoon's shared Alibaba cloud address out of the auto-block list and marked it context-only. Block that and you eventually knock over a stranger's website, not a Chinese intelligence operation.


The one indicator that never rots is the file hash. A malware sample is that sample forever. So the durable defense against the sophisticated tier lives where a blocklist cannot go: hash-matching on the files, and more than that, watching for the behaviors that 88-indicator advisory actually describes. The feed still matters enormously, because the commodity and criminal tier that generates the overwhelming majority of what hits your edge is exactly the tier that rents blockable infrastructure. The blocklist crushes the volume. It just cannot see the apex.



Why there is no indicator table at the bottom of this post


Every other write-up in this genre ends with a tidy appendix — forty hashes and a dozen IPs in a table you are apparently supposed to retype into your defenses by hand. It exists to look actionable. Nobody has ever blocked an attack by copying a table out of a PDF.


We do not do that, and the reason we can skip it is the whole point. The indicators from today — the durable APT41 hashes, the January typosquat domains, the material from the other groups we fed — are already live in the feed your firewall can pull on a schedule. You do not retype our homework. That is the difference between a report and a defense.


And the actors this post is really about would not fit in that table anyway. That is the honest shape of the problem — a failure of nobody's coverage in particular — and we would rather name it than pretend a blocklist is a plan against a group that lives in your calendar.


We cap our certainty at 95 percent, as always. The missing five points here are generous: the sophisticated-actor tradecraft moves faster than any feed, and the whole lesson of the afternoon is that the map has edges the tool cannot reach. Knowing where those edges are is worth more than the indicators we fed today. You cannot defend a border you cannot see.




Every indicator in this post is in the feed. Free.

1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.


bottom of page