Full Report
Chinese threat actor Salt Typhoon used JumbledPath, a custom-built utility, to run packet captures on remote Cisco devices through actor-defined jump hosts, according to Cisco, the vendor of the affected devices.
Analysis Summary
# Threat Actor: Salt Typhoon
## Attribution & Identity
Chinese state-sponsored hackers.
## Activity Summary
Salt Typhoon was observed using custom utilities to stealthily monitor network traffic and potentially steal sensitive data from US telecommunication providers. They gained access to core networking infrastructure, specifically Cisco devices, using stolen legitimate victim login credentials. They used compromised devices as stepping stones for lateral movement between different telecom providers.
## Tactics, Techniques & Procedures
- Obtained initial access with legitimate, stolen victim login credentials, then relied on Living-Off-The-Land (LOTL) techniques, i.e. built-in device functionality rather than dropped malware, for subsequent activity on network devices.
- Stole device configurations, often via TFTP/FTP, to harvest sensitive information such as SNMP community strings and weakly encrypted passwords (Cisco Type 7 strings are trivially reversible).
- Used a custom-built utility named **JumbledPath** (written in Go, ELF binary, x86-64 architecture), executed within actor-configured Cisco Guest Shell instances, to remotely execute packet captures on Cisco devices via an actor-defined jump path.
- Modified network device configurations.
- Attempted to clear logs across the jump path to impair logging and obfuscate activity (cleared `.bash_history`, `auth.log`, `lastlog`, `wtmp`, and `btmp`).
- Modified Authentication, Authorization, and Accounting (AAA) server settings, adding supplemental server addresses under their control so that authentication decisions could be served by attacker-controlled infrastructure, bypassing the victim's access controls.
- Restored shell access to its normal state with the `guestshell disable` command after operations were complete.
## Targeting
- Sectors: Telecommunication providers
- Geography: United States (implied by the targeting of US providers)
- Victims: US telecommunication providers
## Tools & Infrastructure
- Malware families used: **JumbledPath** (custom utility)
- Infrastructure (C2, domains, IPs): Not explicitly detailed, but the actor utilized actor-configured Guest Shell instances and actor-defined jump hosts/connections for obfuscation and remote execution.
## Implications
Salt Typhoon demonstrates a sophisticated capability to compromise and maintain persistent, stealthy access within critical telecommunications infrastructure. Their use of custom Go-based tooling (JumbledPath) within the Cisco Guest Shell environment allows for deep monitoring and data exfiltration while actively obscuring the trail via log clearing and complex jump chaining. This poses a significant risk for espionage and intelligence gathering against US critical infrastructure.
## Mitigations
- Disable the underlying non-encrypted web server with `no ip http server`; if web management is not required at all, also disable the encrypted one with `no ip http secure-server`.
- Disable Telnet; configure all VTY lines to use `transport input ssh` and `transport output none`.
- Disable Guest Shell access if not required, using the `guestshell disable` command.
- Disable Cisco's Smart Install service using `no vstack`.
- Configure local account credentials using Type 8 password hashes (PBKDF2-SHA-256) rather than the reversible Type 7 or the MD5-based Type 5.
- Configure TACACS+ keys using Type 6 (AES-encrypted with a device master key) rather than Type 0 or Type 7.
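The mitigations above and the AAA-tampering technique described under Tactics, Techniques & Procedures can both be checked from a device's running-config. The following audit script is an added example, not code from the original report or from Cisco: it parses two constructed IOS-XE style config snippets (a weak one and a hardened one; the hashes and key strings are placeholders, not real values) and reports every deviation from the hardening list, plus any TACACS+ server not in a hypothetical baseline set of known-good addresses. It treats the `iox` line as the config-level prerequisite for Guest Shell, and it flags Smart Install when `no vstack` is absent, because the service is on by default and does not show up as a positive `vstack` line.

```python
"""Audit an IOS-XE style running-config against the hardening points above.

Added example, not from the original report or from Cisco. Both configs below
are constructed; the baseline TACACS+ set is a hypothetical stand-in for an
organisation's real list of legitimate AAA servers.
"""
import re

# Constructed weak config: several findings expected.
WEAK_CONFIG = """\
hostname edge-rtr-01
username admin password 7 094F471A1A0A
username ops privilege 15 secret 5 $1$abcd$placeholderhashvalue
iox
ip http server
ip http secure-server
tacacs server corp-tac
 address ipv4 10.10.10.5
 key 7 121A0C041104
tacacs server rogue-tac
 address ipv4 198.51.100.77
 key 6 placeholdertype6ciphertext
line vty 0 4
 transport input telnet ssh
 transport output all
"""

# Constructed hardened config: no findings expected.
HARDENED_CONFIG = """\
hostname edge-rtr-01
username admin privilege 15 secret 8 $8$placeholdersalt$placeholderpbkdf2hash
no ip http server
no ip http secure-server
no vstack
tacacs server corp-tac
 address ipv4 10.10.10.5
 key 6 placeholdertype6ciphertext
line vty 0 4
 transport input ssh
 transport output none
"""

# Hypothetical baseline of legitimate TACACS+ server addresses.
EXPECTED_TACACS = {"10.10.10.5"}

_USER_RE = re.compile(r"username (\S+)(?: privilege \d+)? (?:password|secret) (\d+) ")


def _sections(config):
    """Yield (top-level line, [indented child lines]) in config order."""
    header, children = None, []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            children.append(raw.strip())
            continue
        if header is not None:
            yield header, children
        header, children = raw.strip(), []
    if header is not None:
        yield header, children


def audit_config(config, expected_tacacs=EXPECTED_TACACS):
    """Return a sorted list of finding strings; an empty list means clean."""
    findings = []
    saw_no_vstack = False
    for header, children in _sections(config):
        if header == "ip http server":
            findings.append("http-server-enabled")
        elif header == "ip http secure-server":
            findings.append("https-server-enabled")
        elif header == "iox":  # IOx is what Guest Shell runs on
            findings.append("iox-enabled-guestshell-possible")
        elif header == "no vstack":
            saw_no_vstack = True
        elif header.startswith("username "):
            m = _USER_RE.match(header)
            if m and m.group(2) not in ("8", "9"):  # 9 (scrypt) is also strong
                findings.append(f"weak-password-type-{m.group(2)}:{m.group(1)}")
        elif header.startswith("tacacs server "):
            name = header.split()[2]
            for child in children:
                if child.startswith("address ipv4 "):
                    addr = child.split()[2]
                    if addr not in expected_tacacs:  # possible AAA tampering
                        findings.append(f"unexpected-tacacs-server:{name}:{addr}")
                elif child.startswith("key "):
                    ktype = child.split()[1]
                    if not ktype.isdigit():  # bare "key <secret>" is plaintext
                        ktype = "0"
                    if ktype != "6":
                        findings.append(f"tacacs-key-type-{ktype}:{name}")
        elif header.startswith("line vty"):
            for child in children:
                if child.startswith("transport input ") and child != "transport input ssh":
                    findings.append(f"vty-transport-input:{child.split(maxsplit=2)[2]}")
                elif child.startswith("transport output ") and child != "transport output none":
                    findings.append(f"vty-transport-output:{child.split(maxsplit=2)[2]}")
    if not saw_no_vstack:  # Smart Install is on unless explicitly disabled
        findings.append("smart-install-not-disabled")
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_config(cfg))
```

Run it against `show running-config` output saved from a real device; the `expected_tacacs` argument is the one thing that must be filled in from your own inventory, since an attacker-added AAA server looks syntactically identical to a legitimate one.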