Full Report
A joint advisory issued by Australia, Canada, New Zealand, and the U.S. has warned of a broad cyber espionage campaign undertaken by People's Republic of China (PRC)-affiliated threat actors targeting telecommunications providers. "Identified exploitations or compromises associated with these threat actors' activity align with existing weaknesses associated with victim infrastructure; no novel
Analysis Summary
# Threat Actor: Salt Typhoon
## Attribution & Identity
Attributed to a nation-state threat actor affiliated with the People's Republic of China (PRC).
**Known Aliases/Associated Groups:** Earth Estries, FamousSparrow, GhostEmperor, UNC2286.
**Activity Timeline:** Active since at least 2020, with artifacts developed as early as 2019.
## Activity Summary
A broad cyber espionage campaign targeting telecommunications providers globally. The actors have been observed lurking inside U.S. telecommunications networks for approximately six months following the commencement of an investigation. The intrusions aim to glean sensitive information. China has rejected the allegations.
## Tactics, Techniques & Procedures
The reported activity aligns with exploiting existing weaknesses in victim infrastructure; no novel activity was explicitly observed in the advisory.
- Exploitation of known weaknesses in victim infrastructure.
- *No specific TTPs (such as particular CVEs or techniques) were detailed beyond the exploitation of existing weaknesses.*
- **MITRE ATT&CK IDs:** Not specified in the provided text.
## Targeting
- **Sectors:** Telecommunications providers.
- **Geography:** Implied global targeting, with specific mention of actors lurking in U.S. networks.
- **Victims:** A number of U.S. telecommunications companies (T-Mobile acknowledged infiltration attempts).
## Tools & Infrastructure
- **Malware Families Used:** Not explicitly named in the summary.
- **Infrastructure:** No infrastructure indicators (defanged or otherwise) were provided in the summary.
## Implications
This sustained espionage campaign against critical telecommunications infrastructure highlights the PRC's ongoing efforts to gain strategic intelligence from key global communication backbones. The actors' persistence (remaining undetected for months) suggests a sophisticated, long-term espionage objective tied to geopolitical tensions (e.g., U.S. restrictions on the semiconductor industry).
## Mitigations
A comprehensive set of hardening guidance was issued:
- Scrutinize and investigate configuration modifications on network devices (switches, routers, firewalls).
- Implement strong network flow monitoring and management capability.
- Limit exposure of management traffic to the internet.
- Monitor user and service account logins for anomalies.
- Implement secure, centralized logging with correlation capabilities.
- Ensure device management is physically isolated from customer/production networks.
- Enforce a strict, default-deny Access Control List (ACL) strategy for inbound/egress traffic.
- Employ strong network segmentation (using ACLs, stateful packet inspection, firewalls, DMZs).
- Secure VPN gateways by limiting external exposure.
- Ensure end-to-end encryption is maximized; use TLS v1.3 for TLS-capable protocols.
- Disable unnecessary discovery protocols (CDP, LLDP) and exploitable services (Telnet, FTP, TFTP, SSH v1, HTTP servers, SNMP v1/v2c).
- Disable Internet Protocol (IP) source routing.
- Ensure no default passwords are used.
- Verify software image integrity using trusted hashing calculations.
- Conduct port-scanning of internet-facing infrastructure to check for unauthorized services.
- Monitor for vendor End-of-Life (EOL) announcements and upgrade immediately.
- Store passwords with secure hashing algorithms.
- Require phishing-resistant Multi-Factor Authentication (MFA) for all system access.
- Limit session token durations and enforce reauthentication.
- Implement Role-Based Access Control (RBAC) and periodically review accounts.
- Patch vulnerable devices and services.
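As an added illustration of the device-hardening items above (not part of the advisory or this summary), the following Python linter flags the weak settings the list calls out (discovery protocols, Telnet, HTTP server, SNMP v1/v2c communities, IP source routing, plaintext enable passwords) in a constructed IOS-style configuration; the command syntax is assumed to be Cisco IOS-like, and the sample config is invented.

```python
import re

# Constructed sample of an IOS-style running config (not taken from any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
enable password cisco123
cdp run
lldp run
snmp-server community public RO
ip http server
line vty 0 4
 transport input telnet ssh
"""

# Lines that should never appear: (finding id, regex, remediation per the advisory's guidance)
FORBIDDEN = [
    ("cdp-enabled", r"^cdp run$", "no cdp run"),
    ("lldp-enabled", r"^lldp run$", "no lldp run"),
    ("snmp-v1v2c-community", r"^snmp-server community ", "drop community strings; use SNMPv3"),
    ("http-server", r"^ip http server$", "no ip http server"),
    ("telnet-allowed", r"^\s*transport input .*\btelnet\b", "transport input ssh"),
    ("plaintext-enable-password", r"^enable password ", "enable secret (hashed)"),
]
# Lines that must be present: on IOS, source routing stays on unless explicitly disabled.
REQUIRED = [
    ("ip-source-routing", r"^no ip source-route$", "no ip source-route"),
]

def audit_config(config: str) -> list[dict]:
    """Return one finding per violated check, with line number and remediation."""
    lines = config.splitlines()
    findings = []
    for lineno, line in enumerate(lines, 1):
        for fid, pattern, fix in FORBIDDEN:
            if re.search(pattern, line):
                findings.append({"id": fid, "line": lineno, "text": line.strip(), "fix": fix})
    for fid, pattern, fix in REQUIRED:
        if not any(re.search(pattern, l) for l in lines):
            findings.append({"id": fid, "line": None, "text": "(missing)", "fix": fix})
    return findings

def finding_ids(config: str) -> set[str]:
    """Convenience wrapper: the set of finding ids for a config."""
    return {f["id"] for f in audit_config(config)}

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"{f['id']:28} line {f['line']}: {f['text']!r} -> {f['fix']}")
```

Running the sample config through the linter yields seven findings; a config that applies every remediation produces none.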