Cisco has disclosed that a Chinese threat actor, tracked as Salt Typhoon, infiltrated major U.S. telecommunications companies by exploiting a known vulnerability, CVE-2018-0171, and using stolen login credentials. The targeted operation reflects the sophisticated methods of adversaries focused on critical infrastructure.
According to Cisco Talos, the group demonstrated an alarming capability to maintain a foothold in compromised environments across various hardware vendors, in some cases remaining undetected for over three years. The hackers, described as highly sophisticated and well-resourced, exhibit characteristics typical of advanced persistent threat (APT) actors, including extensive planning and coordination.
The prolonged nature of this attack campaign suggests careful orchestration, a hallmark of state-sponsored activity. Cisco has also emphasized that it found no evidence linking the intrusion to other vulnerabilities reported by Recorded Future, which pointed to exploitation attempts involving CVE-2023-20198 and CVE-2023-20273.
Significantly, Salt Typhoon's initial access relied on valid stolen credentials, although how they were obtained remains unclear. The actor was also able to capture and exploit sensitive network traffic, including SNMP, TACACS, and RADIUS communications, which suggests an intent to harvest additional credentials for future attacks.
Among their tactics, Salt Typhoon employed living-off-the-land (LOTL) techniques, leveraging trusted devices as stepping stones to navigate the telecommunications infrastructure. This behavior reflects a strategy to utilize existing network resources to avoid detection while pivoting between targets.
These compromised devices are believed to be used as relay points for reaching primary targets or as gateways for data exfiltration, allowing adversaries to avoid detection for prolonged periods. The tactics employed also included modifying network configurations to create additional local accounts and enable remote SSH access.
The group also used a custom tool named JumbledPath to capture packets on Cisco devices from a remote jump host. This Go-based utility can clear logs and disable logging mechanisms, obscuring traces of malicious activity and complicating forensic analysis. The actors further hid their tracks by periodically clearing log files such as .bash_history and auth.log.
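The configuration changes described above (new local accounts, SSH enabled for remote access, logging removed) are the kind a defender can catch by diffing a device's running-config against a known-good baseline. The script below is an added example, not Cisco's or Talos's tooling; the two IOS config excerpts are constructed, and the hostname, usernames and addresses are placeholders.

```python
import re

# Constructed running-config excerpts for illustration (not captured from a real device)
BASELINE = """\
hostname edge-rtr-1
username netops privilege 15 secret 9 $9$placeholder
logging buffered 64000
logging host 10.0.0.5
line vty 0 4
 transport input none
"""
CURRENT = """\
hostname edge-rtr-1
username netops privilege 15 secret 9 $9$placeholder
username svc_backup privilege 15 secret 9 $9$placeholder2
no logging console
logging host 10.0.0.5
ip ssh version 2
line vty 0 4
 transport input ssh
"""
USERNAME_RE = re.compile(r"^username\s+(\S+)")

def lines_of(cfg):
    """Strip indentation so vty sub-commands compare like top-level lines."""
    return [l.strip() for l in cfg.splitlines() if l.strip()]

def local_accounts(cfg):
    """Names of locally defined user accounts in a running-config."""
    return {m.group(1) for l in lines_of(cfg) if (m := USERNAME_RE.match(l))}

def ssh_allowed_on_vty(cfg):
    """True if any 'transport input' line admits SSH ('ssh' or 'all')."""
    for l in lines_of(cfg):
        if l.startswith("transport input") and {"ssh", "all"} & set(l.split()[2:]):
            return True
    return False

def logging_changes(baseline, current):
    """Logging lines removed since baseline, plus explicit 'no logging' lines added."""
    before, after = set(lines_of(baseline)), set(lines_of(current))
    removed = {"-" + l for l in before - after if l.startswith("logging ")}
    disabled = {"+" + l for l in after - before if l.startswith("no logging")}
    return sorted(removed | disabled)

def audit(baseline, current):
    """Summarise the account, SSH and logging changes a defender should review."""
    return {
        "new_accounts": sorted(local_accounts(current) - local_accounts(baseline)),
        "ssh_newly_allowed": ssh_allowed_on_vty(current) and not ssh_allowed_on_vty(baseline),
        "logging_changes": logging_changes(baseline, current),
    }
```

Run `audit(BASELINE, CURRENT)` against configs pulled on a schedule and alert on any non-empty finding; the same three checks map directly to the account creation, SSH enablement and log suppression reported in the campaign.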
Experts note that Salt Typhoon’s strategic manipulation of device interfaces allowed them to tunnel SSH connections through compromised devices while sidestepping established access control measures. Cisco also reported discovering additional targeting of its devices with Smart Install (SMI) vulnerabilities, distinct from the Salt Typhoon incidents, indicating ongoing exploitation efforts by various adversaries.