Full Report
Threat intelligence firm Recorded Future said it had observed Salt Typhoon breaching 5 telcos between December 2024 and January 2025.
Analysis Summary
# Threat Actor: Salt Typhoon
## Attribution & Identity
**Attribution:** Chinese government-linked hacking group.
**Known Aliases and Associated Groups:** Tracked by Recorded Future as "RedMike". Subject to recent sanctions imposed by the U.S. government.
## Activity Summary
Salt Typhoon has continued to compromise telecommunications providers despite recent U.S. sanctions.
They are known for infiltrating major U.S. phone and internet giants (including AT&T and Verizon) to gain access to private communications of senior U.S. government officials and political figures. They have also targeted systems used by law enforcement agencies for court-authorized metadata collection, potentially exposing data on U.S. surveillance targets in China.
**Recent Campaigns (Dec 2024 - Jan 2025):**
Observed breaching five telecommunications firms globally. The group also performed reconnaissance on infrastructure assets belonging to the Myanmar-based telecommunications provider, Mytel.
## Tactics, Techniques & Procedures
- **Exploitation of Public-Facing Software:** Exploited two specific vulnerabilities (CVE-2023-20198 and CVE-2023-20273) to compromise unpatched Cisco devices running Cisco IOS XE software.
- **Reconnaissance:** Conducted covert information gathering on infrastructure assets.
- **Lateral Movement/Data Access:** Gained access to telecom provider networks, potentially to collect communications data.
- **Observed attempts:** Attempted to compromise over 1,000 Cisco devices.
## Targeting
- **Sectors:** Telecommunications providers (phone and internet giants).
- **Geography:** U.S., U.K. (via a U.S.-based affiliate), Italy, South Africa, Thailand; Myanmar (reconnaissance only).
- **Victims:** AT&T, Verizon (previously named targets). Recent victims include an unnamed U.S.-based affiliate of a prominent U.K. provider, a U.S. Internet Service Provider, and providers in Italy, South Africa, and Thailand.
## Tools & Infrastructure
- **Malware Families Used:** None explicitly named; the reporting focuses on the exploitation methods.
- **Infrastructure (C2, domains, IPs):** Not specified in the source text beyond the targeting of Cisco devices.
## Implications
Salt Typhoon remains a persistent and sophisticated threat, actively continuing operations despite international sanctions, indicating strong state backing. Their focus on telecommunication providers suggests an ongoing objective to conduct large-scale espionage against government and political figures globally, using critical infrastructure as an intermediary access point.
## Mitigations
- Immediately patch all Cisco devices running Cisco IOS XE software to address vulnerabilities CVE-2023-20198 and CVE-2023-20273.
- Enhance monitoring and defense around critical network infrastructure, especially telecommunications providers.
- Maintain a robust security posture for public-facing services used for initial access, so that exploitation attempts do not succeed.
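The two CVEs above are reached through the IOS XE web UI, so a practical first triage step, alongside patching, is to confirm whether that web UI is enabled on a device and whether it is restricted to management sources. The script below is an added example, not part of the report or of any Cisco tooling: it parses a saved running-config excerpt for the `ip http server`, `ip http secure-server` and `ip http access-class` lines (real IOS XE configuration commands) and reports the exposure level. The two configuration excerpts are constructed for the example.

```python
import re

# Constructed sample: web UI enabled over HTTP and HTTPS with no access-class,
# i.e. reachable from any source that can route to the device.
SAMPLE_EXPOSED = """\
hostname edge-rtr-1
ip http server
ip http secure-server
ip http authentication local
"""

# Constructed sample: plaintext HTTP disabled, HTTPS kept but limited to a
# management ACL named MGMT-ONLY (a hypothetical ACL name).
SAMPLE_HARDENED = """\
hostname edge-rtr-2
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
"""

# Constructed sample: web UI fully disabled.
SAMPLE_DISABLED = """\
hostname core-rtr-3
no ip http server
no ip http secure-server
"""

ACCESS_CLASS_RE = re.compile(r"^ip http access-class (?:ipv4 |ipv6 )?(\S+)$")


def assess_web_ui(config_text):
    """Classify IOS XE web UI exposure from running-config text.

    Returns a dict with the raw findings and a risk label:
      high   - web UI enabled and no access-class restricts it
      medium - web UI enabled but restricted by an access-class
      low    - web UI disabled (HTTP and HTTPS)
    Exact-line matching is used so 'no ip http server' does not count as enabled.
    """
    lines = [line.strip() for line in config_text.splitlines()]
    hostname = next((l.split(" ", 1)[1] for l in lines if l.startswith("hostname ")), "unknown")
    http_enabled = "ip http server" in lines
    https_enabled = "ip http secure-server" in lines
    access_class = None
    for line in lines:
        m = ACCESS_CLASS_RE.match(line)
        if m:
            access_class = m.group(1)

    enabled = http_enabled or https_enabled
    if not enabled:
        risk = "low"
    elif access_class is None:
        risk = "high"
    else:
        risk = "medium"

    return {
        "hostname": hostname,
        "web_ui_enabled": enabled,
        "plaintext_http": http_enabled,
        "access_class": access_class,
        "risk": risk,
    }


def report(config_text):
    """One-line human-readable summary for a single device config."""
    r = assess_web_ui(config_text)
    detail = "disabled" if not r["web_ui_enabled"] else (
        f"enabled, access-class={r['access_class'] or 'NONE'}"
        + (", plaintext HTTP on" if r["plaintext_http"] else "")
    )
    return f"{r['hostname']}: web UI {detail} -> risk {r['risk']}"


if __name__ == "__main__":
    for cfg in (SAMPLE_EXPOSED, SAMPLE_HARDENED, SAMPLE_DISABLED):
        print(report(cfg))
```

Feed it the output of `show running-config` collected from each device; a "high" result means the web UI should be disabled or restricted to a management ACL in addition to applying the fixed software. The check only covers exposure and does not determine whether a device was already compromised.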