Full Report
The FBI has asked the public for information on Chinese Salt Typhoon hackers behind widespread breaches of telecommunications providers in the United States and worldwide. [...]
Analysis Summary
# Threat Actor: Salt Typhoon
## Attribution & Identity
Attribution points to a Chinese cyber-espionage group.
**Known Aliases and Associated Groups:** Ghost Emperor, FamousSparrow, Earth Estries, and UNC2286. They are described as a state-backed hacking group linked to a Chinese cybersecurity firm that has been the target of FBI action and U.S. sanctions.
## Activity Summary
Salt Typhoon has been actively breaching government entities and telecommunication companies since at least 2019. Recent activities (December 2024 - January 2025) show continued targeting of telecoms globally by exploiting vulnerabilities in unpatched Cisco IOS XE network devices.
## Tactics, Techniques & Procedures
- Exploiting privilege escalation vulnerabilities.
- Exploiting Web UI command injection vulnerabilities.
- Utilizing custom malware (`JumbledPath`) to stealthily monitor network traffic.
- Likely goal is capturing sensitive data from compromised networks.
## Targeting
- **Sectors:** Telecommunications companies (including ISPs) and government entities.
- **Geography:** Worldwide, including the U.S., U.K., Italy, South Africa, and Thailand.
- **Victims:** A U.S. internet service provider (ISP), a U.S.-based affiliate of a U.K. telecommunications provider, an Italian ISP, a South African telecom provider, and a large Thai telecommunications provider.
## Tools & Infrastructure
- **Malware families used:** Custom tool named `JumbledPath`.
- **Infrastructure (C2, domains, IPs):** Not explicitly listed in detail; focus is on the exploitation of Cisco devices.
## Implications
This actor demonstrates persistent, state-sponsored cyber-espionage focused on critical infrastructure such as telecommunications providers, which are essential for general communications and potentially host wiretapping platforms. The continuous exploitation of known Cisco vulnerabilities suggests a high level of operational persistence and a potential supply chain risk related to hardware/software vendors. U.S. authorities are taking significant countermeasures, including potential bans on certain Chinese networking hardware (TP-Link) and restrictions on the operations of entities such as China Telecom.
## Mitigations
- Promptly patch Cisco IOS XE network devices to address privilege escalation and Web UI command injection vulnerabilities.
- Monitor networks for the presence and activity of the custom `JumbledPath` malicious tool, with particular attention to processes that capture or monitor network traffic.
- Adhere to security guidance provided by the FBI/CISA regarding critical infrastructure compromise.
- Note the FBI's offer of up to a $10 million reward for information leading to the identification of government-linked foreign hackers.