# Full Report
Cisco Talos has been closely monitoring reports of widespread intrusion activity against several major U.S. telecommunications companies, by a threat actor dubbed Salt Typhoon. This blog highlights our observations on this campaign and identifies recommendations for detection and prevention.
# Analysis Summary
# Threat Actor: Salt Typhoon
## Attribution & Identity
- **Identification:** Highly sophisticated threat actor group.
- **Attribution:** Evidence strongly suggests the activity is state-sponsored (based on sophistication, targeting, coordination, and patience).
- **Known Aliases and Associated Groups:** None explicitly named other than "Salt Typhoon."
## Activity Summary
Salt Typhoon is conducting widespread intrusion activity against major U.S. telecommunications companies, reported in late 2024 and confirmed by the U.S. government. The actor focuses on gaining and maintaining persistent access within core networking infrastructure across multiple vendors. In at least one instance, persistent access lasted over three years. The actor uses compromised infrastructure at one telecom provider to pivot to and target devices at other telecom providers, often using the initial provider's devices only as a hop point rather than as the final target. The primary objective appears to be information collection.
## Tactics, Techniques & Procedures
- **Initial Access:** Primarily achieved via *obtaining legitimate victim login credentials*.
- **Vulnerability Exploitation:** Evidence suggests abuse of CVE-2018-0171 (Cisco IOS/IOS XE Smart Install RCE) in at least one case.
- **Persistence/Lateral Movement:** Demonstrated ability to persist across vendor equipment for extended periods. Uses "machine to machine" pivoting through compromised infrastructure to move within trusted sets of devices and bypass standard network segmentation.
- **Living Off The Land (LOTL):** A hallmark of the campaign involves using LOTL techniques on network devices themselves.
- **Credential Harvesting:** Attempts to acquire additional credentials by obtaining network device configurations and recovering local account passwords stored with cryptographically weak encryption or hashing types.
- **Traffic Capture:** Capturing SNMP, TACACS, and RADIUS traffic, including secret keys, to enumerate credential details.
- **Configuration Exfiltration:** Exfiltrating device configurations (often containing SNMP R/W community strings and weakly encrypted local accounts) typically over TFTP and/or FTP.
## Targeting
- **Sectors:** Telecommunications industry (primary victims).
- **Geography:** United States (major U.S. telecommunications companies).
- **Victims:** Major U.S. telecommunications companies; general advice is relevant to all infrastructure defenders.
## Tools & Infrastructure
- **Malware Families Used:** Not explicitly detailed, but relies heavily on leveraging native network protocols and device capabilities (LOTL).
- **Infrastructure:** Pivoting capabilities using compromised telecom infrastructure as trusted hop points for access and data exfiltration.
## Implications
The actor is highly sophisticated, well-funded, and demonstrates a high degree of planning and patience characteristic of APT groups. The successful compromise of core networking infrastructure enables extensive, long-term information gathering and potentially significant operational disruption within critical national infrastructure sectors. The use of stolen credentials and device configurations (containing secrets) for persistence highlights a deep understanding of network security hygiene failures.
## Mitigations
- **Patching:** Immediately patch or decommission legacy devices susceptible to known vulnerabilities (e.g., CVE-2018-0171).
- **Credential Management:** Enhance overall credential and password management:
  - Use strong keys/encryption for management protocols (RADIUS/TACACS+).
  - Use Type 8 passwords for local account credential configuration.
  - Use Type 6 for TACACS+ key configuration.
- **Configuration/Trust:** Do NOT allow network devices to be the trusted source of truth for their configurations. Store and push configurations centrally.
- **Protocol Security:**
  - Prevent, and monitor for, exposure of administrative or unusual management interfaces (SNMP, SSH, HTTP(S)).
  - Disable all non-encrypted web management capabilities.
  - Verify and enforce correct Access Control Lists (ACLs) for all management protocols (SNMP, SSH, NETCONF, etc.).
- **Monitoring:** Monitor for credential harvesting attempts, configuration exfiltration over uncommon paths (TFTP/FTP), and unusual lateral movement between network segments or different telecom providers.
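As an added example that is not part of the Talos report, the following Python audit applies the credential-management and protocol-security recommendations above to a Cisco IOS running-config excerpt, flagging the weak password storage types, RW SNMP community strings and cleartext web management that the actor harvests or abuses. The sample configuration, usernames and hash values are constructed placeholders.

```python
import re

# Constructed sample running-config excerpt (not taken from any real device):
# each weak setting named in the report sits beside its hardened counterpart.
SAMPLE_CONFIG = """\
username admin password 7 094F471A1A0A
username ops secret 5 $1$abcd$placeholderhashvalue0000
username noc secret 8 $8$abcd$placeholderhashvalue00000000000000000000
enable secret 8 $8$efgh$placeholderhashvalue00000000000000000000
tacacs-server key 7 0822455D0A16
tacacs server ISE
 key 6 placeholderType6Ciphertext
snmp-server community public RW
snmp-server community monitoring RO 10
ip http server
ip http secure-server
"""

# IOS credential type codes: 0 cleartext, 5 MD5, 7 reversible obfuscation,
# 8 PBKDF2-SHA256, 9 scrypt. Only 8 (the report's recommendation) and 9 are
# accepted for local accounts; AAA server keys must be Type 6 (reversible AES).
STRONG_LOCAL_TYPES = {"8", "9"}

def audit_ios_config(text):
    """Return (line_number, severity, message) findings for a config excerpt."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        m = re.match(r"(?:username \S+|enable) (?:password|secret) (?:(\d) )?\S", line)
        if m and (m.group(1) or "0") not in STRONG_LOCAL_TYPES:
            findings.append((lineno, "high",
                             f"local credential stored as Type {m.group(1) or '0'}; use Type 8"))
        # Explicit type digit required so 'key chain' entries are not matched.
        m = re.match(r"(?:tacacs-server key|radius-server key|key) (\d) \S", line)
        if m and m.group(1) != "6":
            findings.append((lineno, "high",
                             f"AAA server key stored as Type {m.group(1)}; use Type 6"))
        m = re.match(r"snmp-server community \S+ (RO|RW)(?: (\S+))?$", line, re.I)
        if m:
            if m.group(1).upper() == "RW":
                findings.append((lineno, "high", "read-write SNMP community configured"))
            if not m.group(2):
                findings.append((lineno, "medium", "SNMP community has no ACL restricting sources"))
        if line == "ip http server":
            findings.append((lineno, "medium", "cleartext HTTP management enabled; disable it"))
    return findings

if __name__ == "__main__":
    for lineno, sev, msg in audit_ios_config(SAMPLE_CONFIG):
        print(f"line {lineno}: [{sev}] {msg}")
```

Run it against a configuration pulled from your central configuration store rather than from the device itself, in line with the trust recommendation above.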