CyberSecurity SEE

Salt Typhoon exposes telecom providers’ Cisco devices

A recent report from Recorded Future’s Insikt Group revealed that Chinese state-sponsored threat group Salt Typhoon, also known as “RedMike,” targeted more than 1,000 Cisco devices globally, with a particular focus on telecom companies. The group exploited unpatched vulnerabilities in Cisco network devices, such as CVE-2023-20198 and CVE-2023-20273, to gain access and maintain persistence on compromised systems.

The campaign, which took place between December and January, impacted five telecom companies, including a U.S. telecom provider and an internet service provider, as well as a U.S.-based affiliate of a U.K. telecom provider. Salt Typhoon targeted devices running Cisco IOS XE software with known, unpatched vulnerabilities, reconfiguring them to establish GRE tunnels for persistent access.

Cisco had disclosed the vulnerabilities that Salt Typhoon exploited in October 2023, when they were already being abused as zero-days, and issued patches to address the issues. Despite these efforts, threat actors were able to compromise thousands of exposed Cisco devices by exploiting the flaws. Cisco urged customers to follow its security advisory and upgrade to the available fixed software release to mitigate the risk of exploitation.

In addition to telecom companies, Salt Typhoon targeted devices in universities across various countries, including the U.S., Argentina, Malaysia, and India. The group’s reconnaissance activities also included IP addresses owned by Myanmar-based telecom provider Mytel. Recorded Future identified more than 12,000 Cisco network devices with exposed web UIs, highlighting the widespread nature of the attack campaign.

According to Jon Condra, senior director of strategic intelligence at Recorded Future, the team uncovered the campaign after receiving a tip from a partner and leveraging Recorded Future’s Network Intelligence capabilities. While the report identified five compromised organizations, it is possible that more organizations were impacted by Salt Typhoon’s activities, as the threat actors conducted active vulnerability scans to identify potential targets with vulnerable web UIs associated with telecommunications companies.

Condra emphasized that the threat actors likely compiled a list of potentially vulnerable devices and selectively targeted those associated with telecommunications providers. While the report confirmed successful exploitation and subsequent activity from the identified organizations, there may be additional compromised routers that have not yet been detected or acted upon by the threat actors.

Overall, the Salt Typhoon campaign underscores the ongoing threat posed by state-sponsored threat actors targeting critical infrastructure and organizations worldwide. It serves as a reminder for organizations to promptly apply security patches, maintain robust cybersecurity measures, and remain vigilant against advanced threat actors seeking to exploit vulnerabilities for malicious purposes.
