Despite high-profile attention and even US sanctions, the group hasn’t stopped or even slowed its operation, including the breach of two more US telecoms.
Analysis Summary
# Threat Actor: Salt Typhoon (RedMike)
## Attribution & Identity
- **Attribution:** Chinese hacker group, allegedly linked to Sichuan Juxinhe Network Technology (which has been sanctioned by the US Treasury).
- **Known Aliases:** Tracked by Recorded Future as **RedMike**.
## Activity Summary
- Salt Typhoon is highly active in a continuing spree of global intrusions, showing no cessation or slowdown despite high-profile exposure and sanctions.
- Following a major campaign last fall that deeply penetrated at least nine major US telecommunications companies, the group continued targeting the sector.
- Between December and January, they breached five telecoms and internet service providers (ISPs) globally, including one US ISP/telecom firm and a US-based subsidiary of a UK telecom.
- During the same period, they breached more than a dozen universities worldwide.
- The group's activities are described as aggressive, viewing telecommunication networks as soft targets ("Swiss cheese").
## Tactics, Techniques & Procedures
- **Initial Access/Exploitation:** Targeting internet-exposed web interfaces of **Cisco IOS software** running on routers and switches.
- **Vulnerability Exploitation:** Exploiting at least two different vulnerabilities in the Cisco IOS web interface code: one for initial access and one to gain root privileges, achieving full control of the networking device.
- **Persistence/C2:** Configuring the compromised Cisco devices to build **Generic Routing Encapsulation (GRE) tunnels** to the group's command-and-control servers; the tunnels are used to maintain access and to exfiltrate data.
- **General TTP:** Hacking network appliances by exploiting known vulnerabilities that device owners have failed to patch—a method used by sophisticated Chinese espionage teams for at least five years.
## Targeting
- **Sectors:** Telecommunications, Internet Service Providers (ISPs), and Universities.
- **Geography:** Global, including the United States (US), South Africa, Thailand, Italy, Argentina, Bangladesh, Indonesia, Malaysia, Mexico, Netherlands, and Vietnam.
- **Victims:**
  - At least nine major US telecommunications companies (historically).
  - Five global telecoms/ISPs (recent activity, including one US firm and a US affiliate of a UK telecom).
  - Over a dozen universities globally (recent activity); those named explicitly are the University of California, California State, Utah Tech, and Loyola University.
## Tools & Infrastructure
- **Malware families used:** Not explicitly detailed, but access is maintained via GRE tunnels.
- **Infrastructure (C2, domains, IPs):**
  - Uses the group's own command-and-control servers.
  - Establishes **GRE tunnels** from compromised devices to those servers as persistent, private communication channels.
## Implications
- The scale and persistence of Salt Typhoon's operations, even after significant attribution (including Treasury sanctions), show high confidence and organizational resilience.
- Compromising telecommunication infrastructure provides an unparalleled level of access, potentially allowing real-time monitoring and exfiltration of sensitive communications (texts and calls).
- Compromising core network infrastructure (routers) bypasses typical endpoint security and is a major espionage technique.
## Mitigations
- Urgently follow Cisco's recommendations to **upgrade to fixed software releases** for IOS software vulnerabilities in web interfaces that were exploited in 2023.
- Harden or restrict access to internet-exposed web interfaces on network appliances (routers, switches).
- Deploy end-to-end encrypted communication applications (e.g., Signal) for sensitive communications, as traditional phone carrier communications have been shown to be vulnerable to real-time spying via network compromise.
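As a defender-side check tied to the GRE-tunnel persistence and the exposed-web-interface points above, here is an added example (not from the article, Cisco, or any vendor tool) that audits a Cisco IOS running-config: it flags an enabled HTTP(S) server with no `ip http access-class` restriction, and any GRE tunnel whose destination falls outside an assumed allowlist of known peers. The sample config and the allowlist are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample running-config excerpt; not from any real device.
SAMPLE_CONFIG = """\
ip http server
ip http secure-server
!
interface Tunnel0
 tunnel source GigabitEthernet0/0
 tunnel destination 10.20.0.1
!
interface Tunnel7
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.77
 tunnel mode gre ip
!
"""
# Assumed allowlist of tunnel peers the network team actually operates.
KNOWN_TUNNEL_PEERS = [ipaddress.ip_network("10.20.0.0/16")]


def audit_ios_config(text, known_peers=KNOWN_TUNNEL_PEERS):
    """Return (severity, message) findings for an IOS running-config."""
    findings = []
    lines = text.splitlines()
    # 1. Web interface enabled with no 'ip http access-class' restriction.
    http_on = any(re.fullmatch(r"ip http (secure-)?server", l.strip()) for l in lines)
    http_acl = any(l.strip().startswith("ip http access-class") for l in lines)
    if http_on and not http_acl:
        findings.append(("high", "IOS web interface enabled with no 'ip http access-class'"))

    # 2. GRE tunnels whose far end is not an allowlisted peer.
    def flush(iface, dest, mode):
        # IOS Tunnel interfaces default to GRE/IP when no 'tunnel mode' is set.
        if iface and dest and mode.startswith("gre") and not any(dest in n for n in known_peers):
            findings.append(("high", f"{iface}: GRE tunnel to unexpected peer {dest}"))

    iface, dest, mode = None, None, "gre ip"
    for line in lines + ["!"]:  # trailing sentinel flushes the last block
        if line.startswith("interface ") or line.startswith("!"):
            flush(iface, dest, mode)
            iface = line.split(None, 1)[1] if line.startswith("interface ") else None
            dest, mode = None, "gre ip"
        elif iface:
            parts = line.split()
            if parts[:2] == ["tunnel", "destination"]:
                dest = ipaddress.ip_address(parts[2])
            elif parts[:2] == ["tunnel", "mode"]:
                mode = " ".join(parts[2:])
    return findings
```

Run it over `show running-config` output collected from each device; Tunnel0 (default GRE mode, allowlisted peer) is silent, while Tunnel7 and the unrestricted web server are reported.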