Salt Typhoon Targets US Telcos

Summary

Chinese state-sponsored hackers, Salt Typhoon, exploited Cisco devices with a custom tool, JumbledPath, to spy on US and global telecommunications providers. They leveraged stolen credentials and a Cisco IOS vulnerability to gain access, exfiltrating data and altering network configurations. This attack highlights the persistent threat of state-sponsored espionage in the telecommunications sector.

Main Story

Salt Typhoon, a Chinese state-sponsored hacking group also known as RedMike, UNC2286, GhostEmperor, and Earth Estries, recently launched a sophisticated cyber espionage campaign targeting global telecommunications providers, including US telcos. This campaign, active between December 2024 and January 2025, highlights the ongoing threat of state-sponsored cyberattacks against critical infrastructure and the lengths to which adversaries will go to achieve their objectives.

Espionage Through Exploitation

Salt Typhoon primarily targeted unpatched, internet-facing Cisco network devices. While a known Cisco IOS vulnerability (CVE-2018-0171) played a role in at least one intrusion, the group predominantly leveraged stolen credentials for initial access. The attackers focused on harvesting credentials stored in network device configurations, along with SNMP, TACACS, and RADIUS credentials captured from network traffic. This gave them a persistent foothold within the targeted networks, facilitating prolonged espionage activities.

Custom Tools and Tactics

The attackers employed several tools to achieve their goals. Beyond common packet-capturing tools like Tcpdump and Tpacap, Salt Typhoon also utilized a custom tool called JumbledPath. This Go-based malware, designed for x86_64 Linux systems, allowed the hackers to operate on a variety of edge networking devices from different manufacturers, significantly broadening the range of devices they could compromise. This custom tool showcases Salt Typhoon’s advanced capabilities and resources.

Another key element of Salt Typhoon’s strategy involved exfiltrating device configurations and altering network configurations to enable command execution and the creation of hidden accounts. These actions allowed them to maintain persistent access, manipulate network traffic, and further evade detection. This combination of custom malware, credential theft, and network manipulation demonstrates a high degree of sophistication and planning.
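The two defensive checks the preceding sections imply, credential exposure in device configurations and traffic, and local accounts that nobody authorized, can be automated against a pulled running-config. The following Python script is an added example written for this article, not a tool from the report or from Cisco; the hostname, usernames, hashes and baseline are constructed, and the checks cover only what a text config reveals (SNMP v1/v2c community strings, reversible type 7 secrets, Telnet on VTY lines, and usernames absent from the baseline).

```python
import re
from typing import Dict, Iterable, List

# Constructed sample running-config (hostname, users and hashes are made up).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$PLACEHOLDER-HASH-1
username svc_backup privilege 15 secret 9 $9$PLACEHOLDER-HASH-2
snmp-server community public RO
snmp-server community s3cr3t RW
tacacs server ISE
 key 7 PLACEHOLDER-TYPE7
line vty 0 4
 transport input telnet ssh
"""

# Local accounts that change control says should exist on this device (constructed).
BASELINE_USERS = {"netops"}


def parse_local_users(config: str) -> Dict[str, int]:
    """Return {username: privilege} for each 'username' line (IOS default privilege is 1)."""
    users: Dict[str, int] = {}
    for m in re.finditer(r"^username (\S+)(?: privilege (\d+))?", config, re.M):
        users[m.group(1)] = int(m.group(2) or 1)
    return users


def audit_config(config: str, baseline_users: Iterable[str]) -> List[str]:
    """Return human-readable findings for account and credential-exposure issues."""
    findings: List[str] = []
    baseline = set(baseline_users)
    # 1. Accounts missing from the baseline: how an attacker-added hidden account shows up.
    for user, priv in parse_local_users(config).items():
        if user not in baseline:
            findings.append(f"unexpected local account {user!r} with privilege {priv}")
    # 2. SNMP v1/v2c community strings travel in cleartext and can be captured off the wire.
    for m in re.finditer(r"^snmp-server community (\S+) (RO|RW)", config, re.M):
        findings.append(f"SNMP community {m.group(1)!r} ({m.group(2)}) is v1/v2c, sent in cleartext")
    # 3. Type 7 secrets (TACACS/RADIUS keys, passwords) are reversible once the config is exfiltrated.
    for m in re.finditer(r"^.*\b(?:key|password) 7 \S+", config, re.M):
        findings.append(f"reversible type 7 secret: {m.group(0).strip()!r}")
    # 4. Telnet on a VTY line sends management logins in cleartext.
    if re.search(r"^\s*transport input .*\btelnet\b", config, re.M):
        findings.append("Telnet accepted on a VTY line; management credentials cross the wire in cleartext")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG, BASELINE_USERS):
        print("FINDING:", finding)
```

Run against the sample it reports five findings; run against a clean config with only baseline accounts it reports none, which is the condition a scheduled config diff should enforce.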

Targeting US and Global Telcos

The impact of Salt Typhoon’s attacks is widespread, affecting telecommunications providers globally. Victims include a US affiliate of a UK telecommunications provider, as well as a telecommunications provider in South Africa. Given the critical role of telecommunications infrastructure in modern society, these attacks pose a significant threat to national security and economic stability. Disrupting or manipulating telecommunications networks can have cascading effects, impacting everything from emergency services to financial transactions.

The Larger Threat Landscape

Salt Typhoon’s activities underscore the escalating threat of state-sponsored cyber espionage. The group’s focus on critical infrastructure, their technical sophistication, and their persistence demonstrate the lengths to which nation-state actors will go to gather intelligence and potentially disrupt operations. This campaign also serves as a reminder of the importance of strong cybersecurity practices, including patching vulnerabilities, implementing robust access controls, and actively monitoring network activity for suspicious behavior. As cyber threats continue to evolve, organizations, particularly those operating critical infrastructure, must remain vigilant and proactive in defending their networks. This attack is a stark reminder that telecommunications companies, particularly those in the US, are attractive targets for state-sponsored hackers and must prioritize cybersecurity measures to protect their networks and customers’ data.

12 Comments

  1. The focus on credential theft is concerning. Were multi-factor authentication methods in place across these organizations, and if so, how were they bypassed? What specific techniques did Salt Typhoon employ to capture network traffic and acquire credentials?

    • That’s a great point regarding multi-factor authentication! The report unfortunately doesn’t detail if MFA was in place or how it may have been bypassed. Digging into the specific techniques used to capture network traffic and steal credentials would definitely provide a more complete picture of Salt Typhoon’s methods and the effectiveness of current security measures.

      Editor: StorageTech.News

      Thank you to our Sponsor Esdebe

  2. “JumbledPath,” huh? Sounds like my attempt to organize my sock drawer. Seriously though, custom tools to broaden the attack surface? Makes you wonder what other *unique* code they’re cooking up in their digital kitchens.

    • That’s a great analogy! The “JumbledPath” tool definitely sounds like it gives them a wider reach. It really does make you wonder what other bespoke tools they have in their arsenal and how they might evolve. It highlights the need for continuous monitoring and threat intelligence!

  3. “Salt Typhoon,” sounds like a rejected energy drink flavor. But seriously, altering network configurations to create hidden accounts? That’s not just espionage; it’s like redecorating a house while robbing it blind! I wonder if they leave mints on the pillow too?

    • Haha, “redecorating while robbing blind” is a great analogy! The hidden accounts aspect is particularly insidious; imagine the long-term access they could maintain with that level of stealth. Makes you think about the potential for future, delayed actions. Thanks for the insightful comment!

  4. “Salt Typhoon” makes me picture a villain from a Bond movie. But seriously, they were active between December 2024 and January 2025? Did they invent a time machine alongside “JumbledPath”? Makes you wonder about their project management skills more than their coding abilities.

    • That’s a hilarious point! The timeline does raise eyebrows. Perhaps “JumbledPath” has some hidden temporal functionalities we haven’t discovered yet. Good project management is clearly as important as solid code, even for sophisticated espionage groups!

  5. “JumbledPath” sounds like the GPS when I’m already late! Custom malware for different edge devices? Were they also offering tech support, or just quietly wreaking havoc? Asking for a friend who may or may not have a *slightly* jumbled network.

    • That’s a funny comparison! Custom malware and tech support… now that’s a value-added service! I wonder if they had tiers – ‘Basic Havoc’, ‘Premium Havoc’, or ‘Enterprise-Grade Jumbling’. Jokes aside, this highlights the level of specialization we are seeing.

  6. Considering Salt Typhoon’s focus on telecommunications providers in both the US and South Africa, what geopolitical factors might have influenced their targeting decisions, and how does this align with China’s strategic interests in these regions?

    • That’s a fascinating question! The selection of both US and South African telcos definitely points to broader strategic goals. South Africa’s role in submarine cable infrastructure and its relationship with BRICS nations could be key factors aligning with China’s expanding digital influence. Food for thought!
