Full Report
China's Salt Typhoon hackers are still actively targeting telecoms worldwide and have breached more U.S. telecommunications providers via unpatched Cisco IOS XE network devices. [...]
Analysis Summary
# Threat Actor: Salt Typhoon
## Attribution & Identity
State-sponsored threat actor attributed to China, tracked as **Salt Typhoon**.
## Activity Summary
Salt Typhoon remains active against telecommunications organizations worldwide and has compromised additional U.S. providers by exploiting Cisco IOS XE devices that were never upgraded past the 2023 web UI vulnerabilities. The exploited flaws give the actor a privilege-15 administrative account and then root on the device, which serves both as a foothold for persistence inside the carrier network and as a vantage point over the traffic it carries.
## Tactics, Techniques & Procedures
- Initial access via **CVE-2023-20198** in the Cisco IOS XE web UI: an unauthenticated remote attacker can create a local account with privilege level 15.
- Privilege escalation via **CVE-2023-20273**, a web UI command injection that an attacker holding that privilege-15 account uses to execute commands as root on the underlying operating system.
- Both vulnerabilities are reachable only when the HTTP/HTTPS server feature (`ip http server` / `ip http secure-server`) is enabled and the web UI is exposed to the attacker.
## Targeting
- Sectors: Telecommunications (carriers, ISPs, mobile operators).
- Geography: Worldwide; the report explicitly names newly breached U.S. providers.
- Victims: Telecommunications organizations globally, including additional U.S. telecommunications providers.
## Tools & Infrastructure
- Malware families used: Not explicitly named (focus is on exploitation vectors).
- Infrastructure: Not detailed in the summary provided.
## Implications
The sustained targeting of critical telecommunications infrastructure by a state-sponsored actor like Salt Typhoon poses a significant risk to global communications continuity and national security interests. The exposure is not a zero-day problem: Cisco has shipped fixed software for both CVEs since 2023, so every compromise via this chain is a device that was left unpatched with its web UI exposed, and a successful chain ends in root on the device rather than in a limited foothold.
## Mitigations
- Upgrade all Cisco IOS XE devices to a fixed release; Cisco's fixed software addresses both CVE-2023-20198 and CVE-2023-20273.
- Disable the HTTP server feature (`no ip http server` and `no ip http secure-server`) on devices that do not need the web UI, or restrict it to trusted management addresses with `ip http access-class`; a device whose web UI is unreachable cannot be attacked through either CVE.
- Audit running configurations for privilege-15 local accounts that administrators did not create, and review syslog for web UI logins by unknown users, programmatic configuration changes made by the web UI process, and install operations triggered through the web UI. Patching removes the vulnerability but not an account or implant that was already placed, so any device found vulnerable and exposed should be investigated as potentially compromised rather than simply upgraded.
- Implement intrusion detection/prevention on management paths to monitor for exploitation attempts against the web interfaces of network devices.
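The configuration and syslog audit called for in the mitigations, and the account-creation-then-command-injection chain in the TTP list, as an added example that is not part of the report and not Cisco's tooling: a small Python triage that flags web UI exposure, unexpected privilege-15 accounts, and web UI activity by unknown users. The running-config excerpt and the syslog lines are constructed samples, modelled on the message formats Cisco's advisory describes; the expected-administrator allowlist is a hypothetical value an operator would supply.

```python
"""Triage an IOS XE running-config and syslog for exposure to, and
exploitation of, CVE-2023-20198 / CVE-2023-20273.

Added example for this summary, not code from the report or from Cisco.
Assumptions: SAMPLE_CONFIG and SAMPLE_SYSLOG are constructed; the syslog
shapes are modelled on the formats Cisco's advisory describes; the
EXPECTED_ADMINS allowlist is a hypothetical operator-supplied value.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Hypothetical allowlist of accounts the operator actually created.
EXPECTED_ADMINS = {"netops"}

# Constructed running-config excerpt: web UI on, one expected admin, one
# unexpected privilege-15 account (the CVE-2023-20198 outcome).
SAMPLE_CONFIG = """\
!
ip http server
ip http secure-server
!
username netops privilege 15 secret 9 $9$abc
username svc-backup privilege 15 secret 9 $9$def
username readonly privilege 1 secret 9 $9$ghi
!
"""

# Constructed syslog lines modelled on the advisory's message formats.
SAMPLE_SYSLOG = [
    "%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.5] at 09:01:00 UTC",
    "%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: svc-backup] [Source: 198.51.100.7] at 09:02:10 UTC",
    "%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as svc-backup on line 0",
    "%WEBUI-6-INSTALL_OPERATION_INFO: User: svc-backup, Install Operation: ADD bootflash:/tmp.bin",
    "%SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.0.0.5)",
]

HTTP_RE = re.compile(r"^ip http (?:secure-)?server\b", re.MULTILINE)
PRIV15_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+15\b", re.MULTILINE)
WEBLOGIN_RE = re.compile(r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: ([^\]]+)\]")
# CONFIG_P from the web UI process is normal when an admin uses the web UI;
# it is suspicious when the user is unknown or coincides with account creation.
CONFIG_P_RE = re.compile(r"%SYS-5-CONFIG_P:.*process SEP_webui_wsma_http.*\bas (\S+)")
# File installs through the web UI are how the post-exploitation implant is staged.
INSTALL_RE = re.compile(r"%WEBUI-6-INSTALL_OPERATION_INFO: User: ([^,]+),")


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def triage_config(config: str, expected_admins: set[str]) -> list[Finding]:
    """Flag web UI exposure and privilege-15 accounts not on the allowlist."""
    findings: list[Finding] = []
    if HTTP_RE.search(config):
        findings.append(Finding(
            "webui_enabled",
            "ip http server / ip http secure-server on; disable or restrict with ip http access-class",
        ))
    for user in PRIV15_RE.findall(config):
        if user not in expected_admins:
            findings.append(Finding("unexpected_priv15_user", user))
    return findings


def triage_syslog(lines: Iterable[str], expected_admins: set[str]) -> list[Finding]:
    """Flag web UI logins by unknown users and web UI config/install activity."""
    findings: list[Finding] = []
    for line in lines:
        m = WEBLOGIN_RE.search(line)
        if m and m.group(1) not in expected_admins:
            findings.append(Finding("webui_login_unexpected_user", m.group(1)))
        m = CONFIG_P_RE.search(line)
        if m:
            findings.append(Finding("webui_programmatic_config", m.group(1)))
        m = INSTALL_RE.search(line)
        if m:
            findings.append(Finding("webui_install", m.group(1)))
    return findings


def triage(config: str, lines: Iterable[str], expected_admins: set[str]) -> list[Finding]:
    """Combined triage; any finding beyond webui_enabled warrants an investigation, not just a patch."""
    return triage_config(config, expected_admins) + triage_syslog(lines, expected_admins)


if __name__ == "__main__":
    for f in triage(SAMPLE_CONFIG, SAMPLE_SYSLOG, EXPECTED_ADMINS):
        print(f"{f.kind:30} {f.detail}")
```

Run against real data, feed `show running-config` output and the device's syslog export in place of the constructed samples and replace `EXPECTED_ADMINS` with the accounts your change records show were legitimately created. A `webui_enabled` finding alone is a hardening gap; an unexpected privilege-15 user, or web UI installs and programmatic changes by an account nobody created, is evidence of the CVE-2023-20198/20273 chain having already run and calls for incident response on that device.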