
Salt Typhoon Hackers Exploit Cisco Vulnerability to Access Devices on U.S. Telecom Networks


Salt Typhoon, a notorious threat actor known for its advanced cyber capabilities, has come under scrutiny after being linked to a series of cyberattacks targeting major U.S. telecommunications networks. The revelations, outlined in a recent report by Cisco Talos and corroborated by the U.S. government, shed light on the group’s sophisticated tactics and the widespread implications of their actions.

The campaign, which began in late 2024, revolves around exploiting vulnerabilities in Cisco devices and leveraging stolen credentials to gain unauthorized access to critical infrastructure. This brazen approach has raised concerns among cybersecurity experts and government officials, who are working tirelessly to contain the threat and prevent further damage.

One of the key aspects of Salt Typhoon’s operations is their adept exploitation of both known vulnerabilities and legitimate credentials to infiltrate core networking systems. While the group predominantly relies on stolen login credentials, they have also been known to exploit specific vulnerabilities such as CVE-2018-0171, a flaw in Cisco’s Smart Install feature that enables remote code execution. Additionally, there are unverified reports suggesting attempts to exploit other vulnerabilities like CVE-2023-20198, CVE-2023-20273, and CVE-2024-20399.

Despite these exploits, no new vulnerabilities were discovered during the investigation. Cisco Talos has nonetheless underscored the critical importance of patching systems and following best practices to minimize the risks associated with these known vulnerabilities.

Salt Typhoon’s operational model is marked by its use of advanced persistence techniques, allowing them to maintain access to compromised networks for extended periods, in some cases up to three years. The group employs “living-off-the-land” tactics, leveraging built-in network tools to avoid detection and carry out their malicious activities discreetly.

Key activities attributed to Salt Typhoon include credential harvesting, configuration exfiltration, infrastructure pivoting, and configuration modification. These actions are supported by custom-built tools such as “JumbledPath,” a utility designed for remote packet capture that masks the operators’ activity by routing through multi-hop connections.

To evade detection, Salt Typhoon routinely clears logs and restores device configurations to their original state after an attack. The group also modifies authentication servers and runs SSH servers on non-standard high ports to retain persistent access. Cisco Talos recommends robust monitoring of syslog, AAA logs, and network behavior to detect unusual activity, along with comprehensive configuration management, multi-factor authentication, and disabling unnecessary services such as Smart Install.
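As an added illustration of the configuration-management check recommended above (example code written for this page, not code from Cisco Talos or the original report), the following Python script diffs a constructed baseline against a constructed running config and flags the drift patterns described in the article: Smart Install left enabled, a changed AAA server address, SSH on a non-standard high port, and a removed syslog destination. Hostname, addresses and port numbers are invented.

```python
import re
from difflib import unified_diff

# Constructed baseline (golden) config fragment in Cisco IOS style; not from any real device.
BASELINE = """\
hostname edge-rtr-01
no vstack
tacacs server TAC1
 address ipv4 10.10.1.5
logging host 10.10.2.20
"""

# Constructed running config with the drift patterns the article describes: Smart Install
# re-enabled, AAA server redirected, syslog host dropped, SSH added on a high port.
RUNNING = """\
hostname edge-rtr-01
vstack
tacacs server TAC1
 address ipv4 198.51.100.7
ip ssh port 57722 rotary 1
"""

def aaa_servers(config: str) -> set[str]:
    """Collect AAA (TACACS/RADIUS) server addresses declared in an IOS-style config."""
    return set(re.findall(r"^\s*address ipv4 (\S+)", config, re.M))

def audit(baseline: str, running: str) -> list[str]:
    """Return security-relevant findings for drift between a baseline and a running config."""
    findings = []
    base, run = baseline.splitlines(), running.splitlines()
    # Record every changed line; run on a schedule, since a restored config only shows drift while live.
    for d in unified_diff(base, run, lineterm="", n=0):
        if d.startswith(("+", "-")) and not d.startswith(("+++", "---")):
            findings.append(f"drift: {d}")
    # Smart Install (vstack) must be explicitly disabled on devices that support it.
    if "no vstack" not in run:
        findings.append("smart-install: 'no vstack' missing, Smart Install may be enabled")
    # An AAA server address absent from the baseline suggests authentication redirection.
    for addr in sorted(aaa_servers(running) - aaa_servers(baseline)):
        findings.append(f"aaa: unexpected AAA server address {addr}")
    # SSH listening on a high, non-standard port matches the persistence pattern noted above.
    for m in re.finditer(r"^ip ssh port (\d+)", running, re.M):
        if int(m.group(1)) > 1024:
            findings.append(f"ssh: non-standard high SSH port {m.group(1)} configured")
    # A removed syslog destination blinds off-box log monitoring.
    for line in base:
        if line.startswith("logging host") and line not in run:
            findings.append(f"logging: syslog destination removed: {line!r}")
    return findings
```

Because the article notes that the group restores configurations after use, a single snapshot comparison is not enough: run the audit frequently and correlate its findings with syslog and AAA logs collected off the device.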

While the telecommunications sector has been the primary target of this campaign, Cisco Talos warns that the techniques employed by Salt Typhoon could be adapted for use across various industries. The prolonged timeline of these attacks underscores the critical need for increased vigilance against advanced persistent threats capable of infiltrating critical infrastructure.

As the investigation into Salt Typhoon’s activities continues, it is essential for organizations to adopt proactive cybersecurity measures, including regular updates, strong credential management, and network segmentation. These measures are crucial in safeguarding against sophisticated cyber threats and ensuring the resilience of critical infrastructure in the face of evolving risks.

In conclusion, the emergence of Salt Typhoon as a formidable threat actor highlights the evolving landscape of cybersecurity threats and the urgent need for collaborative efforts to combat malicious activities that pose a significant risk to national security and critical infrastructure.
