CyberSecurity SEE

Salt Typhoon Attack Targets Cisco Devices in Telecommunications Infrastructure

Salt Typhoon, a Chinese advanced persistent threat (APT) group, has once again made headlines with its recent targeting of over a thousand Cisco devices across various organizations. The group, also known as RedMike, Earth Estries, FamousSparrow, GhostEmperor, and UNC2286, gained notoriety last fall for its high-profile attacks on major US telecommunications providers like T-Mobile, AT&T, and Verizon. These attacks allowed the threat group to eavesdrop on US law enforcement wiretaps and infiltrate presidential campaigns.

Despite the media attention surrounding its activities, Salt Typhoon continued to carry out cyber operations, this time focusing on telecommunications companies, ISPs, and universities worldwide. Recorded Future’s Insikt Group reported that the group exploited old vulnerabilities in Cisco network devices to breach its targets, with incidents reported in December and January. This pattern of exploiting Cisco vulnerabilities is not new for Salt Typhoon, as the threat actor has a history of targeting major telcos using similar tactics.

In response to these attacks, Cisco issued a statement acknowledging the reports of Salt Typhoon exploiting vulnerabilities in IOS XE devices. The company advised customers to apply available patches and follow best practices for securing their networks. Cisco’s warnings about these vulnerabilities were unfortunately not heeded by many organizations, leading to widespread compromises across six continents. By leveraging these vulnerabilities, Salt Typhoon was able to establish persistent connections and exfiltrate data using GRE tunnels, minimizing the risk of detection.
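Because the activity described above relied on GRE tunnels configured on the compromised devices, one defensive check is to audit device configurations for tunnel interfaces whose endpoints nobody approved. The following is an added example, not code from the article, Cisco, or Recorded Future; the configuration text is constructed and the allowlist is a hypothetical stand-in for an organization's own list of sanctioned tunnel peers.

```python
import ipaddress
import re

# Constructed sample in the style of IOS XE `show running-config` output.
SAMPLE_CONFIG = """\
interface Tunnel0
 description DC interconnect
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.10
!
interface Tunnel7
 tunnel source GigabitEthernet0/0/1
 tunnel destination 203.0.113.77
!
interface Tunnel20
 tunnel source Loopback0
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.90
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
"""

# Hypothetical allowlist of tunnel peers approved by the network team.
APPROVED_PEERS = [ipaddress.ip_network("198.51.100.0/24")]


def find_unapproved_gre_tunnels(config, approved):
    """Return (interface, destination) pairs for GRE tunnels to unapproved peers."""
    findings = []
    # Each stanza starts at an "interface ..." line and ends at the next "!".
    for stanza in re.split(r"(?m)^(?=interface )", config):
        stanza = stanza.split("\n!", 1)[0]
        header = re.match(r"interface (Tunnel\S+)", stanza)
        if not header:
            continue
        mode = re.search(r"(?m)^\s+tunnel mode (.+)$", stanza)
        # No "tunnel mode" line means the default mode, which is GRE over IP.
        if mode and not mode.group(1).strip().startswith("gre"):
            continue
        dest = re.search(r"(?m)^\s+tunnel destination (\S+)", stanza)
        if not dest:
            continue
        try:
            addr = ipaddress.ip_address(dest.group(1))
            ok = any(addr in net for net in approved)
        except ValueError:
            ok = False  # hostname destinations cannot be matched; flag for review
        if not ok:
            findings.append((header.group(1), dest.group(1)))
    return findings
```

Run against a configuration backup taken from a trusted source, a finding here is a prompt for review rather than proof of compromise, since legitimate tunnels may simply be missing from the allowlist.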

The victims of Salt Typhoon’s latest cyberattacks include a US affiliate of a UK telco, a US telco and ISP, an Italian ISP, a South African telco, a Thai telco, and Mytel from Myanmar. Additionally, the threat group targeted several universities, including prestigious institutions like UCLA and other research-focused establishments around the world. These cyberattacks highlight the complexities of securing telecommunications systems, which often consist of a mix of legacy and modern technologies, making them vulnerable to sophisticated threats.

While previous coverage of Salt Typhoon has primarily focused on its activities in the US, cybersecurity experts warn that the threat group’s reach extends far beyond national borders. The strategic intelligence requirements of the Chinese government drive Salt Typhoon to gain access to sensitive networks globally, enabling espionage, data manipulation, and potential disruptive actions in the event of geopolitical tensions or conflicts.

Overall, Salt Typhoon’s recent attacks on Cisco devices underscore the ongoing cybersecurity challenges faced by organizations worldwide. As threat actors continue to evolve their tactics and exploit vulnerabilities, it is crucial for businesses and institutions to prioritize security measures and stay vigilant against emerging cyber threats.
