China’s Salt Typhoon Hackers Continue Targeting Telecoms by Leveraging Cisco Routers

In the fall of 2024, the Chinese hacking group known as Salt Typhoon drew wide attention when it emerged that it had infiltrated major U.S. telecommunications companies, breaching at least nine carriers and gaining access to Americans' calls and texts in real time. Despite that exposure, the group has not slowed down: it has continued to compromise telecom networks worldwide, including several more in the United States.

Recent findings from cybersecurity firm Recorded Future, published in a report, show that between December 2024 and January 2025 Salt Typhoon breached multiple telecommunications and internet service providers around the world, along with more than a dozen universities spanning from Utah to Vietnam. The victims include at least one U.S.-based internet service provider and a U.S. affiliate of a UK telecommunications provider; Recorded Future has chosen not to name them.

Levi Gundert, who leads Recorded Future's Insikt Group research team, described the group as “super active” and criticized the general lack of awareness of how aggressively it operates, which he likened to turning communications networks into “Swiss cheese.” The continuing campaign underscores a growing concern about the security of telecommunications infrastructure.

Salt Typhoon, which Recorded Future tracks as RedMike, has been targeting the internet-exposed web user interface of Cisco's IOS XE software, which runs the networking giant's routers and switches. The hackers chain two known vulnerabilities in that web UI: CVE-2023-20198, which provides initial access by letting an unauthenticated attacker create a local account with full (privilege 15) administrative rights, and CVE-2023-20273, which that account then uses to escalate to root on the underlying operating system. Together they give the attackers complete control of these critical devices inside a victim's network.

Researchers found more than 12,000 Cisco devices with their web UIs exposed to the internet, and Salt Typhoon reportedly attempted exploitation against more than a thousand of them across networks worldwide. The group appears to have homed in on a select set of telecommunication and university networks and compromised Cisco devices within them. Once in, it reconfigured the hacked devices to build generic routing encapsulation (GRE) tunnels to its command-and-control servers, giving it persistent access and a channel for data exfiltration.

In response to press inquiries, Cisco pointed to its security advisory covering the web UI vulnerabilities in IOS XE and urged customers to apply the recommended updates. The campaign highlights why patch management on network appliances matters: the flaws were fixed in October 2023, more than a year before this activity, yet attackers routinely exploit such known vulnerabilities in devices that rarely run endpoint security tooling and are often patched less diligently than servers and workstations.
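The indicators described above (a reachable web UI, an extra privilege-15 local account, and a GRE tunnel to an unrecognised peer) can be checked offline against a saved running-config. The script below is an added example written for this page; it is not code from the article, from Recorded Future, or from Cisco. The two config fragments are constructed samples, the `KNOWN_ADMINS` and `KNOWN_TUNNEL_PEERS` allow-lists are hypothetical placeholders for an operator's own records, and the only remediation it emits is the web UI shutdown that Cisco's advisory recommends.

```python
import re
from typing import Dict, List

# Constructed running-config fragment (not from any real device or from the
# Recorded Future report) showing the three indicators the audit flags.
EXPOSED_CONFIG = """\
username admin privilege 15 secret 9 REDACTED-HASH
username cisco_tac_admin privilege 15 secret 9 REDACTED-HASH
!
ip http server
ip http secure-server
!
interface Tunnel100
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.23
!
end
"""

# The same device after remediation: web UI off, one admin, only a known tunnel.
HARDENED_CONFIG = """\
username admin privilege 15 secret 9 REDACTED-HASH
!
no ip http server
no ip http secure-server
!
interface Tunnel1
 ip address 10.254.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 192.0.2.50
 tunnel mode gre ip
!
end
"""

# Hypothetical allow-lists an operator would keep from their own records.
KNOWN_ADMINS = {"admin"}
KNOWN_TUNNEL_PEERS = {"192.0.2.50"}
WEB_UI_LINES = ("ip http server", "ip http secure-server")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' stanza to its indented sub-lines."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(maxsplit=1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or any top-level command ends the stanza
    return stanzas


def is_gre_tunnel(name: str, lines: List[str]) -> bool:
    # GRE over IPv4 is the default tunnel mode on IOS/IOS XE and is not shown
    # in the running-config, so a Tunnel with no 'tunnel mode' line is GRE.
    if not name.startswith("Tunnel"):
        return False
    modes = [l for l in lines if l.startswith("tunnel mode ")]
    return not modes or modes[-1] == "tunnel mode gre ip"


def audit_config(config: str, known_admins=KNOWN_ADMINS,
                 known_peers=KNOWN_TUNNEL_PEERS) -> List[str]:
    """One finding string per indicator; an empty list means clean."""
    findings: List[str] = []
    top_level = [l.strip() for l in config.splitlines() if not l.startswith(" ")]

    # 1. Web UI reachable at all: the surface the campaign exploited.
    #    The negated 'no ip http server' form does not match, by design.
    for line in top_level:
        if line in WEB_UI_LINES:
            findings.append(f"web UI enabled: '{line}'")

    # 2. Privilege-15 local accounts outside the allow-list.
    for m in re.finditer(r"^username (\S+) privilege 15\b", config, re.M):
        if m.group(1) not in known_admins:
            findings.append(f"unexpected privilege-15 account: {m.group(1)}")

    # 3. GRE tunnels whose far end is not a known peer.
    for name, lines in parse_interfaces(config).items():
        if not is_gre_tunnel(name, lines):
            continue
        dest = next((l.split()[-1] for l in lines
                     if l.startswith("tunnel destination ")), "(none)")
        if dest not in known_peers:
            findings.append(f"GRE tunnel {name} to unknown peer {dest}")
    return findings


def hardening_commands(config: str) -> List[str]:
    """Lines that close the web UI surface. Rogue accounts and tunnels are
    left for a human: removing them blindly can lock operators out."""
    findings = audit_config(config)
    return [f"no {line}" for line in WEB_UI_LINES
            if f"web UI enabled: '{line}'" in findings]
```

Run `audit_config()` over configs pulled from your own backups: the exposed sample yields four findings and the hardened sample none. Treat an unexpected privilege-15 account or an unexplained GRE tunnel as an incident to investigate rather than something to delete in place, since the device may already be under someone else's control.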

Salt Typhoon's methodology fits a pattern among advanced persistent threat groups, particularly Chinese ones, that routinely target network appliances as an entry point. The trend has persisted for at least five years and reflects a deliberate focus on infrastructure that typically lacks the logging, endpoint protection, and patch discipline of conventional computing environments.

Mapped to the MITRE ATT&CK framework, Salt Typhoon's tradecraft spans several tactics: Initial Access through the exposed web UI, Privilege Escalation to root on the device, and Persistence and Command and Control through the reconfigured network devices and their GRE tunnels. Together they show how cyber threats continue to evolve and why network operators need to stay vigilant, particularly in safeguarding critical infrastructure against sophisticated attacks.