Full Report
The names of two partial owners of firms linked to the Salt Typhoon hacker group also appeared in records for a Cisco training program—years before the group targeted Cisco’s devices in a spy campaign.
Analysis Summary
# Threat Actor: Salt Typhoon
## Attribution & Identity
- **Attribution:** Chinese state-sponsored hacker group, as tracked by security researchers (SentinelOne, Atlantic Council) and US government agencies (CISA, FBI, NSA).
- **Known Aliases and Associated Groups:** Primarily referred to as "Salt Typhoon." Directly linked to contract firms: Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong Information Technology, and Sichuan Zhixin Ruijie Network Technology.
- **Key Personnel Identified:** Qiu Daibing (partial owner of Beijing Huanyu Tianqiong) and Yu Yang (partial owner of Beijing Huanyu Tianqiong and Sichuan Zhixin Ruijie) are the named individuals linked to Salt Typhoon front companies; both appear in records of earlier Cisco training programs and so appear to have participated in them.
## Activity Summary
- **Known Campaigns:** Gained notoriety for a sophisticated cyberespionage campaign against at least nine telecom companies.
- **Most Recent/Significant Activity:** Exploiting vulnerabilities in network devices, specifically those sold by Cisco, to obtain user credentials and move stealthily through IT networks to spy on communications. Targeted individuals included then-presidential and vice presidential candidates Donald Trump and JD Vance, among others.
## Tactics, Techniques & Procedures
- Gaining access via device exploitation rather than traditional malware implantation, allowing for stealthy network traversal.
- Exploiting vulnerabilities in **Cisco devices** (routers/networking equipment).
- Focus on **intelligence collection** (spying on real-time calls and texts).
- Sophisticated ability to move through IT networks without using detectable malware payloads.
## Targeting
- **Sectors:** Telecommunications industry (nationwide telecom companies).
- **Geography:** Targeting US entities, as evidenced by the surveillance of US political figures and telecom providers.
- **Victims:** At least nine telecom companies; specific high-profile targets included then-presidential and vice presidential candidates Donald Trump and JD Vance.
## Tools & Infrastructure
- **Malware Families Used:** None named in the source; the reporting emphasizes stealthy access through device exploitation rather than a recognized malware toolset.
- **Infrastructure (C2, domains, IPs):** Not specified in the source text.
## Implications
- **Supply Chain Risk Insight:** Records suggest that individuals identified as key personnel of the group's front companies may have received foundational networking and possibly security training through a corporate-sponsored program (Cisco Networking Academy) years before the group targeted that sponsor's hardware.
- **Sophistication:** Demonstrated capability for extensive, high-value intelligence collection against US communications infrastructure and political figures through technical exploitation of network hardware.
## Mitigations
- **Vendor Awareness:** Prioritize vulnerability assessment and patching of network devices of the kind this group exploited (e.g., Cisco network devices).
- **Access Control:** Enforce robust credential management and network segmentation so that a compromised device does not enable lateral movement; the actor moves stealthily after the initial compromise, so containment must not depend on detecting malware.