Salt Typhoon: Inside the Cyber Espionage Campaign Targeting U.S. Telecom Networks

Discover how Salt Typhoon has compromised U.S. telecom networks, exposing vulnerabilities and threatening national security. Learn about the urgent need for robust cybersecurity measures.

The Federal Communications Commission (FCC) announced that the Chinese state-sponsored hacking group Salt Typhoon has launched a sophisticated cyber espionage campaign against U.S. telecommunications providers, compromising sensitive systems and exposing critical vulnerabilities. The group, active since at least 2019, has targeted major telecom companies such as AT&T, Verizon, and T-Mobile, gaining access to private and classified communications.

Recent cybersecurity analyses indicate that Salt Typhoon’s activities have compromised communications systems across multiple countries, including the U.S., South Africa, Thailand, and Italy. The group is said to have recorded conversations of senior U.S. officials and obtained metadata from legal wiretaps.

In response to the attack, the FCC proposed new cybersecurity regulations for telecom providers:

  • Mandatory risk management plans with annual compliance certifications.
  • Expanded cybersecurity requirements across all communications providers.

These measures aim to strengthen national security by addressing the systemic vulnerabilities exposed by Salt Typhoon.

Who is Salt Typhoon?

Salt Typhoon, also known by aliases such as Earth Estries, GhostEmperor, and UNC2286, is an Advanced Persistent Threat (APT) group. Their primary focus is cyber espionage and data exfiltration targeting telecommunications, government entities, and critical infrastructure globally. The group employs advanced tactics to infiltrate networks and maintain long-term access.

Salt Typhoon’s campaigns aim to:

  • Steal sensitive data from telecom providers.
  • Monitor private communications of high-value individuals.
  • Access metadata related to law enforcement wiretapping.
  • Exploit vulnerabilities in network infrastructure for persistent access.

How did Salt Typhoon infiltrate telecom networks?

Telecom networks are critical infrastructure that facilitates global communication. Because they transmit sensitive data, they are attractive targets for espionage. Public networks often prioritize accessibility over security, making them vulnerable to sophisticated attacks like those from Salt Typhoon.

Salt Typhoon employed a combination of stolen credentials and known vulnerabilities in Cisco networking devices to compromise telecom networks.

The group leveraged the following vulnerabilities:

  • CVE-2018-0171: An older flaw in Cisco’s Smart Install feature.
  • CVE-2023-20198 & CVE-2023-20273: Privilege escalation vulnerabilities in Cisco IOS XE software that allowed attackers to gain root access and establish persistent connections using Generic Routing Encapsulation (GRE) tunnels.

Although patches were available for all of these vulnerabilities, many devices remained unpatched and therefore exposed to exploitation.
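The two exposure conditions behind those CVEs are visible in a device's running configuration: Smart Install left enabled (the CVE-2018-0171 attack surface, disabled with `no vstack`), and the IOS XE web UI's HTTP server enabled without an access-class restriction (the CVE-2023-20198/20273 attack surface, which Cisco's guidance was to disable or restrict with an ACL). The following Python script is an added example, not code from the original post, from Proven Data or from Cisco. It checks a plain `show running-config` dump for both conditions. The Cisco commands it matches are real; the sample configs, hostnames and function names are constructed for this example, and the Smart Install check assumes the client is enabled unless explicitly turned off.

```python
"""Hardening check for Cisco IOS / IOS XE running-config text (added example)."""
from __future__ import annotations

import re

# Constructed sample: web UI on, no access-class, Smart Install never disabled.
VULNERABLE_CONFIG = """\
!
hostname edge-rtr-1
!
ip http server
ip http secure-server
!
line vty 0 4
 transport input ssh
!
"""

# Constructed sample: Smart Install off, plaintext HTTP off, HTTPS UI restricted by ACL.
HARDENED_CONFIG = """\
!
hostname edge-rtr-1
!
no vstack
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
!
ip access-list standard MGMT-ONLY
 permit 10.0.0.0 0.0.0.255
!
"""


def parse_config(text: str) -> list[str]:
    """Return config lines stripped of surrounding whitespace, dropping blanks and '!' separators."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.strip().startswith("!")]


def check_running_config(text: str) -> list[str]:
    """Return a list of findings (empty when neither exposure is present)."""
    lines = parse_config(text)
    findings: list[str] = []

    # Smart Install: the client is on unless the config carries an explicit `no vstack`
    # (assumption stated in the lead-in), so absence of the line is the finding.
    if "no vstack" not in lines:
        findings.append("smart-install-enabled: add `no vstack` (CVE-2018-0171 exposure)")

    # Web UI: either server statement enables it. `no ip http server` does not match
    # because the comparison is exact. An access-class line limits who can reach it.
    http_on = any(ln in ("ip http server", "ip http secure-server") for ln in lines)
    http_acl = any(re.match(r"ip http access-class ", ln) for ln in lines)
    if http_on and not http_acl:
        findings.append(
            "web-ui-unrestricted: disable with `no ip http server` / `no ip http secure-server`, "
            "or restrict with `ip http access-class` (CVE-2023-20198/20273 exposure)"
        )
    return findings


if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_running_config(cfg) or ["no findings"])
```

Feed it the configs your backup or configuration-management system already collects; a device that reports findings is one where the patch status of the CVEs above matters most.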

Tactics, techniques, and procedures (TTPs)

Salt Typhoon demonstrated advanced techniques to evade detection:

Credential Theft: The group captured traffic from management and authentication protocols such as SNMP and TACACS+, which carry login credentials and permission data, and used what it extracted to move laterally within networks.

Custom Malware (JumbledPath): This Go-based utility performs packet capture on compromised devices, recording the traffic passing through them. It also routes its activity through jump hosts to disguise the attacker's true location.

Defense Evasion: Salt Typhoon employed DLL (dynamic-link library) sideloading, tricking legitimate applications into loading malicious files. It also disabled system logs to erase evidence of its activity, making forensic analysis nearly impossible.

Network Configuration Manipulation: The group altered access control lists (ACLs), the rules that determine who can reach specific network resources. It also created hidden accounts and enabled Guest Shell access, a Linux-based container environment on Cisco IOS XE devices, to execute remote commands with root-level privileges.
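Each of the configuration-level TTPs above leaves a trace in the device's running configuration: a new local user, a new GRE tunnel interface, Guest Shell hosting turned on, a remote logging target removed, or an ACL entry that was not there before. The following Python script is an added example, not from the original post or from Proven Data, that detects such drift by diffing a trusted baseline config against the current one. Its assumptions: IOS-style indentation (children of an `interface` or `ip access-list` block indented by a space), GRE being the default mode of a Tunnel interface that has no explicit `tunnel mode` line, and the `iox` command being the IOS XE prerequisite for Guest Shell. Both configs, the addresses (documentation ranges) and the password hashes are constructed placeholders.

```python
"""Running-config drift detector for post-compromise artifacts (added example)."""
from __future__ import annotations

# Constructed trusted baseline.
BASELINE_CONFIG = """\
hostname core-rtr-2
!
username netops privilege 15 secret 9 $9$BASELINE-HASH-PLACEHOLDER
!
logging host 10.10.0.5
!
ip access-list extended MGMT-IN
 permit tcp 10.10.0.0 0.0.0.255 any eq 22
 deny ip any any
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
!
"""

# Constructed current config showing every artifact class discussed above.
OBSERVED_CONFIG = """\
hostname core-rtr-2
!
username netops privilege 15 secret 9 $9$BASELINE-HASH-PLACEHOLDER
username svc_backup privilege 15 secret 9 $9$ADDED-HASH-PLACEHOLDER
!
iox
!
ip access-list extended MGMT-IN
 permit tcp 10.10.0.0 0.0.0.255 any eq 22
 permit tcp host 203.0.113.77 any eq 22
 deny ip any any
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
!
interface Tunnel100
 ip address 10.255.255.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.77
!
"""


def parse_blocks(text: str) -> dict[str, frozenset[str]]:
    """Map each top-level line to the set of its indented child lines.

    Blank lines and '!' separators are dropped; a top-level line with no
    children maps to an empty set.
    """
    blocks: dict[str, set[str]] = {}
    parent: str | None = None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip().startswith("!"):
            continue
        if raw[0].isspace() and parent is not None:
            blocks[parent].add(raw.strip())
        else:
            parent = raw.strip()
            blocks.setdefault(parent, set())
    return {k: frozenset(v) for k, v in blocks.items()}


def detect_drift(baseline: str, current: str) -> list[str]:
    """Return human-readable findings for artifacts that appeared since the baseline."""
    base, cur = parse_blocks(baseline), parse_blocks(current)
    added = set(cur) - set(base)
    removed = set(base) - set(cur)
    findings: list[str] = []

    # Hidden accounts: any new local user; privilege-15 ones are called out.
    for ln in sorted(added):
        if ln.startswith("username "):
            tag = "privileged " if " privilege 15" in ln else ""
            findings.append(f"new {tag}local account: {ln}")

    # Persistence: new Tunnel interfaces; GRE is assumed when no `tunnel mode` is set.
    for ln in sorted(added):
        if ln.startswith("interface Tunnel"):
            children = cur[ln]
            modes = [c for c in children if c.startswith("tunnel mode ")]
            if not modes or any("gre" in m for m in modes):
                dest = next((c for c in children if c.startswith("tunnel destination ")), "destination unset")
                findings.append(f"new GRE tunnel: {ln} ({dest})")

    # Guest Shell: IOx hosting is the prerequisite on IOS XE (assumption in the lead-in).
    if "iox" in added:
        findings.append("IOx/Guest Shell hosting enabled: iox")

    # Anti-forensics: a remote syslog target that disappeared.
    for ln in sorted(removed):
        if ln.startswith("logging host "):
            findings.append(f"remote logging removed: {ln}")

    # ACL manipulation: entry-level diff of every named access list in either config.
    for ln in sorted(set(base) | set(cur)):
        if ln.startswith("ip access-list "):
            before, after = base.get(ln, frozenset()), cur.get(ln, frozenset())
            for entry in sorted(after - before):
                findings.append(f"ACL entry added to {ln}: {entry}")
            for entry in sorted(before - after):
                findings.append(f"ACL entry removed from {ln}: {entry}")
    return findings


if __name__ == "__main__":
    for finding in detect_drift(BASELINE_CONFIG, OBSERVED_CONFIG):
        print(finding)
```

A config-level diff is a complement to, not a substitute for, off-box logging: an operator who has turned logging off on the device will not announce it there, which is exactly why the baseline should be taken from an out-of-band copy rather than from the device under review.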

Proactive cybersecurity

Salt Typhoon’s campaign is a stark reminder of the importance of proactive cybersecurity measures in defending against cyber espionage. Organizations must prioritize patching known vulnerabilities, securing credentials, and monitoring network activity to mitigate these risks.

Don’t wait until your organization becomes a target. Contact Proven Data today for a customized Incident Response Retainer (IRR) plan that ensures rapid response and robust protection against advanced threats like Salt Typhoon.

  • 24/7 response
  • Certified forensic experts
  • Preservation of digital evidence for potential legal proceedings
  • Tailored strategies to enhance your organization’s security posture
  • Compliance with regulations
