Salt Typhoon Targets Cisco Devices Within Telecommunications Infrastructure

In a significant cybersecurity incident, the advanced persistent threat (APT) group known as Salt Typhoon has compromised over a thousand Cisco devices belonging to telecommunications companies, internet service providers (ISPs), and academic institutions. This widespread attack poses serious risks to sensitive data and highlights vulnerabilities within critical infrastructure sectors.

Salt Typhoon, which is also referred to by aliases such as RedMike, FamousSparrow, and GhostEmperor, rose to prominence in the cybersecurity landscape last fall with reports of attacks on major U.S. telecom providers including T-Mobile, AT&T, and Verizon. The group notably managed to intercept U.S. law enforcement wiretaps and engage in espionage against political campaigns, targeting both Democratic and Republican entities.

Recent intelligence from Recorded Future’s Insikt Group indicates that Salt Typhoon, which it tracks as "RedMike," continues to exploit long-known vulnerabilities in Cisco systems, affecting communications providers and research institutions globally. During December and January alone, the group launched six attacks, demonstrating a sophisticated understanding of Cisco’s network devices and continued exploitation of already-disclosed flaws.

In a statement, Cisco acknowledged awareness of threats posed by Salt Typhoon, particularly concerning two identified vulnerabilities in its IOS XE operating system. The company emphasized the importance of promptly applying the security patches it had already issued to mitigate these risks. These vulnerabilities, if exploited, could give attackers elevated access and the ability to create unauthorized local accounts.

Notably, recent exploit attempts have indicated that Salt Typhoon is not deterred by heightened media scrutiny or prior disclosures about their tactics. The group has leveraged vulnerabilities with critical Common Vulnerability Scoring System (CVSS) scores, such as CVE-2023-20198 and CVE-2023-20273, which enable them to execute commands and establish GRE tunnels for persistent access and data extraction, complicating detection by defensive systems.
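The three artefacts named above (unauthorized local accounts, GRE tunnels, and the IOS XE web UI feature through which CVE-2023-20198 is reached) can all be hunted for in a saved running-config. The script below is an added illustration for defenders, not code from Recorded Future, Cisco, or the original article; the config excerpt, the `EXPECTED_ADMINS` allowlist, and the account name `svc_backup` are constructed sample data.

```python
import re

# Constructed IOS XE running-config excerpt (sample data, not a real capture).
SAMPLE_CONFIG = """\
ip http secure-server
username netops privilege 15 secret 9 $9$REDACTED
username svc_backup privilege 15 secret 9 $9$REDACTED
interface Tunnel100
 ip address 10.200.0.1 255.255.255.252
 tunnel source GigabitEthernet1
 tunnel destination 198.51.100.7
interface GigabitEthernet1
 ip address 192.0.2.10 255.255.255.0
"""

# Privilege-15 accounts the operator provisioned on purpose; anything else is suspect.
EXPECTED_ADMINS = {"netops"}


def parse_interfaces(config):
    """Return {interface_name: [indented sub-lines]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def audit_config(config, expected_admins=EXPECTED_ADMINS):
    """Return (finding_type, detail) tuples for the three artefacts described above."""
    findings = []
    # 1. Privilege-15 local users that are not on the operator's allowlist.
    for m in re.finditer(r"^username (\S+) privilege 15\b", config, re.M):
        if m.group(1) not in expected_admins:
            findings.append(("unexpected_admin_user", m.group(1)))
    # 2. Tunnel interfaces; IOS tunnels default to GRE over IP when no 'tunnel mode' is set.
    for name, lines in parse_interfaces(config).items():
        if not name.startswith("Tunnel"):
            continue
        mode = next((l for l in lines if l.startswith("tunnel mode ")), "tunnel mode gre ip")
        if "gre" in mode:
            dest = next((l.split()[-1] for l in lines if l.startswith("tunnel destination")), "?")
            findings.append(("gre_tunnel", f"{name} -> {dest}"))
    # 3. HTTP server feature (web UI) still enabled; this is the exposure path for CVE-2023-20198.
    if re.search(r"^ip http (secure-)?server$", config, re.M):
        findings.append(("web_ui_enabled", "ip http server / ip http secure-server"))
    return findings
```

Run it over `show running-config` output exported from each device; an unexpected hit in any of the three categories is a reason to pull the device into incident response rather than simply remediate the line.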

The breadth of Salt Typhoon’s recent campaign includes significant organizations and institutions across six continents, illustrating a pattern of sophisticated attacks on telecommunications infrastructure. The complexity of these systems often leads to the retention of outdated technologies, making them susceptible to intrusions that exploit long-known vulnerabilities.

Salt Typhoon’s assault has not been limited to telecom providers; it has also targeted numerous universities, affecting institutions in the U.S., Argentina, Indonesia, and the Netherlands. Notably, some affected academic centers are engaged in pivotal research in telecommunications and engineering, indicating a strategic focus on gaining access to sensitive intellectual property and data.

The campaign has affected devices in over 100 countries, but over half of the compromised devices are located in the U.S., South America, and India. This geographic concentration underscores the group’s expansive capabilities and targets.

Cyber intelligence experts like Jon Condra from Recorded Future note that while much of the discourse surrounding Salt Typhoon has focused on American entities, the group’s operational scope is undeniably global. The implications for business leaders are profound, as the evolving threat landscape necessitates rigorous attention to defenses against advanced cyber threats tied to state-sponsored actors.

Mapped to the MITRE ATT&CK framework, the observed activity spans the initial access, persistence, privilege escalation, and command-and-control tactics. Businesses must prioritize vulnerability management and incident response protocols to mitigate the risks posed by such persistent threats.

Organizations engaged in protecting critical infrastructure must remain vigilant. Salt Typhoon’s ongoing cyber operations exemplify the need for robust security strategies that adapt to the capabilities of advanced adversaries.