In a coordinated international effort, a coalition of cybersecurity agencies from the United States (including the NSA, CISA, and the FBI) and allied nations such as Australia, Canada, and the United Kingdom has issued a stark warning about a sophisticated cyber espionage campaign.
In the U.S., the Federal Communications Commission (FCC) amplified this alert, announcing that the Chinese state-sponsored hacking group Salt Typhoon has launched attacks against not only U.S. telecommunications providers but also a wide range of critical infrastructure sectors, including government, energy, and transportation systems. The group, active since at least 2019, has targeted major telecom companies like AT&T, Verizon, and T-Mobile, gaining access to private and classified communications.
Recent cybersecurity analyses indicate that Salt Typhoon’s activities have compromised communications systems across multiple countries, including the U.S., South Africa, Thailand, and Italy. The group is said to have recorded conversations of senior U.S. officials and obtained metadata from legal wiretaps.
In response to the attack, the FCC proposed new cybersecurity regulations for telecom providers:
- Mandatory risk management plans with annual compliance certifications.
- Expanded cybersecurity requirements across all communications providers.
These measures aim to strengthen national security by addressing the systemic vulnerabilities exposed by Salt Typhoon.
Who is Salt Typhoon?
Salt Typhoon, also known by aliases such as Earth Estries, GhostEmperor, OPERATOR PANDA, RedMike, and UNC2286, is an Advanced Persistent Threat (APT) group. Their primary focus is cyber espionage and data exfiltration targeting telecommunications, government entities, and critical infrastructure globally. The group employs advanced tactics to infiltrate networks and maintain long-term access.
The joint international advisory has directly linked Salt Typhoon’s activities to specific China-based technology companies believed to be supporting the cyber operations of China’s Ministry of State Security and People’s Liberation Army. These entities include Sichuan Juxinhe Network Technology Co. Ltd., Beijing Huanyu Tianqiong Information Technology Co., Ltd., and Sichuan Zhixin Ruijie Network Technology Co., Ltd.
Salt Typhoon’s campaigns aim to:
- Steal sensitive data from telecom providers.
- Monitor private communications of high-value individuals.
- Access metadata related to law enforcement wiretapping.
- Exploit vulnerabilities in network infrastructure for persistent access.
- Pre-position itself within networks for potential future disruptive or destructive attacks during a major crisis or conflict.
How did Salt Typhoon infiltrate telecom networks?
Telecom networks are critical infrastructure that carries global communication. Because they transmit sensitive data, they are attractive targets for espionage, and carrier networks are engineered for availability and broad reachability: their routers and management planes are long-lived and often slow to patch, which makes them vulnerable to sophisticated attacks like those from Salt Typhoon.
Salt Typhoon combined stolen credentials with known, already-patched vulnerabilities in Cisco networking devices to compromise telecom networks. The group has shown a particular focus on backbone, provider edge (PE) and customer edge (CE) routers. To mask its operations, it routes its traffic through a network of compromised small office/home office (SOHO) routers and other networking devices.
The group leveraged the following vulnerabilities:
- CVE-2018-0171: an older flaw in the Smart Install feature of Cisco IOS and IOS XE, reachable over TCP port 4786, that lets an unauthenticated remote attacker reload the device or execute arbitrary code by sending crafted Smart Install messages.
- CVE-2023-20198 and CVE-2023-20273: a chained pair of flaws in the web UI of Cisco IOS XE. The first lets an unauthenticated attacker create a local account with privilege level 15; the second is a command injection that lets that account run commands as root. Salt Typhoon used the resulting access to configure Generic Routing Encapsulation (GRE) tunnels for persistent, covert connectivity into the compromised network.
Patches were available for all of these vulnerabilities, but many devices remained unpatched and therefore exploitable.
Tactics, techniques, and procedures (TTPs)
Salt Typhoon demonstrated advanced techniques to evade detection:
- Living off the Land (LOTL) evasion: the group relies heavily on tools that already exist on the systems it compromises, such as PowerShell, wmic and netsh on Windows hosts and the native command line and Guest Shell on Cisco routers, so that its activity blends in with routine administration. This makes distinguishing malicious activity from legitimate administrative work extremely difficult.
- Credential theft: from compromised routers the group captured authentication and management traffic, including SNMP, TACACS+ and RADIUS, which carries community strings and the shared keys used between network devices and AAA servers, and used what it collected to log in to further devices and move laterally within networks.
- Custom malware (JumbledPath): a Go-based utility that runs a packet capture on a remote Cisco device and returns the result through a chain of actor-controlled jump hosts, which disguises the attacker's true location. It can also clear logs and disable logging on the devices it passes through.
- Defense evasion: Salt Typhoon used DLL (dynamic link library) sideloading, tricking legitimate applications into loading malicious libraries, and disabled or cleared system logs to erase evidence of its activity, making forensic reconstruction much harder.
- Network configuration manipulation: the group altered access control lists (ACLs), the rules that decide which sources may reach a device or network resource, created additional local accounts, and enabled Guest Shell, the Linux container environment on Cisco IOS XE devices, to execute commands outside the normal IOS command line with elevated privileges.
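The configuration changes and credential exposure listed above can be hunted for directly in a router's running configuration. The script below is an added example written for this page, not tooling from the joint advisory, Cisco or Proven Data: it parses `show running-config` output into stanzas and flags local accounts outside an operator baseline, tunnel interfaces (GRE is the default tunnel mode on IOS, so a tunnel with no explicit `tunnel mode` line still counts), ACL entries that admit a host outside the baseline (correlated with tunnel endpoints), `no logging` lines, Guest Shell/IOx being enabled, and SNMP v1/v2c community strings and type 0 or type 7 TACACS+/RADIUS keys that a capture of management traffic would expose. The baseline, the addresses and the sample config are constructed, and the `iox` / `app-hosting appid guestshell` lines are assumed to be what Guest Shell leaves in a running config on the platforms you manage.

```python
"""Audit a Cisco IOS XE running-config for the persistence and evasion changes
described above. Added example, not code from the advisory or from Cisco: the
baseline and sample config are constructed, and the exact running-config lines
that Guest Shell leaves behind vary by platform and release."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "category line_no detail")  # line_no is 1-based

# Operator-maintained baseline (hypothetical): anything outside it is flagged.
BASELINE = {
    "users": {"netops"},                         # only expected local account
    "tunnels": set(),                            # no tunnels expected on this PE
    "trusted_hosts": {"10.0.0.5", "10.0.0.20"},  # AAA and syslog servers
}

def parse_blocks(lines):
    """Group lines into stanzas (start_line_no, [header, child, ...])."""
    blocks = []
    for i, raw in enumerate(lines, 1):
        line = raw.rstrip()
        if not line or line.startswith("!"):      # IOS separates stanzas with '!'
            continue
        if line.startswith(" ") and blocks:        # indented line: child of last header
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((i, [line]))
    return blocks

def audit(config_text, baseline=BASELINE):
    """Return a Finding for every indicator present in the config."""
    blocks = parse_blocks(config_text.splitlines())
    # Collect tunnel destinations first so ACL hits can be correlated with them.
    tunnel_dests = {l.split()[-1] for _, ls in blocks if ls[0].startswith("interface Tunnel")
                    for l in ls[1:] if l.startswith("tunnel destination ")}
    out = []
    for start, lines in blocks:
        head = lines[0]
        # 1. Local accounts outside the baseline (hidden or attacker-created users).
        m = re.match(r"username (\S+)", head)
        if m and m.group(1) not in baseline["users"]:
            out.append(Finding("unexpected_user", start, head))
        # 2. Tunnel interfaces. GRE is the default tunnel mode on IOS, so a stanza
        #    with no explicit 'tunnel mode' line is still a GRE tunnel.
        m = re.match(r"interface (Tunnel\d+)", head)
        if m and m.group(1) not in baseline["tunnels"]:
            mode = next((l[12:] for l in lines if l.startswith("tunnel mode ")), "gre (default)")
            dest = next((l.split()[-1] for l in lines if l.startswith("tunnel destination ")), "?")
            out.append(Finding("unexpected_tunnel", start, f"{m.group(1)} mode={mode} dest={dest}"))
        # 3. ACL entries that admit a specific host which is not in the baseline.
        if re.match(r"ip access-list (standard|extended) ", head):
            for l in lines[1:]:
                m2 = re.match(r"permit (?:\S+ )?host (\S+)", l)
                if m2 and m2.group(1) not in baseline["trusted_hosts"]:
                    note = " (also a tunnel endpoint)" if m2.group(1) in tunnel_dests else ""
                    out.append(Finding("acl_foreign_host", start, f"{head}: {l}{note}"))
        # 4. Logging switched off for a destination.
        if head.startswith("no logging"):
            out.append(Finding("logging_disabled", start, head))
        # 5. IOx / Guest Shell enabled: a Linux container running on the router.
        if head == "iox" or "guestshell" in head:
            out.append(Finding("guestshell_enabled", start, head))
        # 6. Secrets exposed to anyone who can read the config or sniff the management
        #    plane: v1/v2c community strings, type 0 (cleartext) and type 7 (reversible) keys.
        m = re.match(r"snmp-server community (\S+)", head)
        if m:
            out.append(Finding("cleartext_snmp_community", start, f"v1/v2c community {m.group(1)}"))
        for l in lines:
            m3 = re.match(r"(?:tacacs-server |radius-server )?key (0|7) \S+", l)
            if m3:
                out.append(Finding("weak_aaa_key", start, f"{head}: type {m3.group(1)} key"))
    return out

# Constructed sample: one legitimate account plus every indicator above.
SAMPLE_CONFIG = """\
username netops privilege 15 secret 9 $9$kXoQ3bC
username svc_backup privilege 15 secret 9 $9$Pm7Lw2Z
snmp-server community public RO
!
tacacs server aaa1
 address ipv4 10.0.0.5
 key 0 Sup3rS3cret
interface Tunnel42
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.9
!
ip access-list extended MGMT-IN
 permit tcp host 198.51.100.9 any
no logging console
iox
app-hosting appid guestshell
"""

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

Run it against a saved `show running-config` by passing the file contents to `audit()`, and keep the baseline under version control so that every finding is a real deviation from what the operator intended. The check is deliberately baseline-driven rather than signature-driven: Salt Typhoon's changes look like ordinary administration, so the only reliable signal is a difference from the configuration you know you deployed.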
Proactive cybersecurity
Salt Typhoon’s campaign starkly reminds us of the importance of proactive cybersecurity measures in defending against cyber espionage and threats. Organizations must prioritize patching known vulnerabilities, securing credentials, and monitoring network activity to mitigate risks. The joint government advisories provide detailed, actionable guidance for threat hunting and specific mitigation strategies that network defenders should implement.
Don’t wait until your organization becomes a target. Contact Proven Data today for a customized Incident Response Retainer (IRR) plan that ensures rapid response and robust protection against advanced threats like Salt Typhoon.
- 24/7 response
- Certified forensic experts
- Preservation of digital evidence for potential legal proceedings
- Tailored strategies to enhance your organization's security posture
- Compliance with regulations