Pierluigi Paganini
February 20, 2025
Cisco Talos researchers reported that China-linked APT group Salt Typhoon uses a custom-built utility, dubbed JumbledPath, to spy on network traffic of U.S. telecommunication providers. China-linked APT group Salt Typhoon (also known as FamousSparrow and GhostEmperor) and has been active since at least 2019 and targeted government entities and telecom companies.
The China-linked APT group is still targeting telecommunications providers worldwide, and according to a report recently published by Recorded Future’s Insikt Group, the threat actors has breached more U.S. telecommunications providers by exploiting unpatched Cisco IOS XE network devices.
Insikt Group researchers reported that the Chinese hacked have exploited two Cisco flaws, tracked as CVE-2023-20198 and CVE-2023-20273.
Insikt researchers reported that ongoing attacks have breached multiple telecom networks, including ISPs in the U.S. and Italy, a U.K.-affiliated U.S. telecom, and providers in South Africa and Thailand.
“Using internet scanning data, Insikt Group identified more than 12,000 Cisco network devices with their web UIs exposed to the internet.” reads the report published by Insikt. “Although over 1,000 Cisco devices were targeted, Insikt Group assesses that this activity was likely focussed, given that this number only represents 8% of the exposed devices and that RedMike engaged in periodic reconnaissance activity, selecting devices linked to telecommunications providers.”
RedMike used generic routing encapsulation (GRE) tunnels on compromised Cisco devices to maintain persistence, evade detection, and stealthily exfiltrate data by encapsulating it within GRE packets.
Cisco Talos researchers now report that Salt Typhoon breached major U.S. telecom firms for over three years, mainly using stolen credentials, with limited vulnerability exploitation.
Cisco states that only in one instance, the APT group exploited a new flaw in its products, the vulnerability CVE-2018-0171. The vulnerability affects the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software, it could be exploited by an unauthenticated, remote attacker to cause a reload of a vulnerable device or to execute arbitrary code on an affected device.
“No new Cisco vulnerabilities were discovered during this campaign. While there have been some reports that Salt Typhoon is abusing three other known Cisco vulnerabilities, we have not identified any evidence to confirm these claims.” reads the report published by Cisco Talos.” Note that each of these CVEs have security fixes available. Threat actors regularly use publicly available malicious tooling to exploit these vulnerabilities, making patching of these vulnerabilities imperative.”
Cisco reported that Salt Typhoon used stolen credentials, captured network configs, and intercepted SNMP, TACACS, and RADIUS traffic to gather more credentials for further access. However, it is still unclear how the group obtained the credentials employed in the attacks.
The group exfiltrated device configs via TFTP/FTP, exposing weakly encrypted passwords, SNMP credentials, and network details for further reconnaissance. The threat actors relied on machine-to-machine pivoting to perform lateral movement inside the telecom networks.
“The threat actor also pivoted from a compromised device operated by one telecom to target a device in another telecom. We believe that the device associated with the initial telecom was merely used as a hop point and not the intended final target in several instances.” continues the report. “Some of these hop points were also used as a first hop for outbound data exfiltration operations. Much of this pivoting included the use of network equipment from a variety of different manufacturers.”
The attackers manipulated network settings by enabling Guest Shell for command execution, modifying access control lists (ACLs), and creating stealthy hidden accounts.
Salt Typhoon used the JumbledPath tool to remotely capture packets via jump-hosts, clear logs, and exfiltrate encrypted data.
JumbledPath is written in GO and compiled as an ELF binary using an x86-64 architecture to use the utility on Linux operating systems.
The threat actor attempted to evade detection by altering loopback addresses to bypass ACLs, clearing logs to hide activity, disabling Guest Shell, and modifying AAA settings for unauthorized access.
The report includes Indicators of Compromise (IOCs) for this campaign along with recommendations to mitigate the Salt Typhoon attacks.
In mid-December 2024, the researchers also spotted the Salt Typhoon group performing reconnaissance against multiple infrastructure assets operated by a Myanmar-based telecommunications provider, Mytel.
In January, The Wall Street Journal reported that the China-linked cyberespionage group Salt Typhoon targeted more US telecoms than previously known.
According to WSJ, which cited people familiar with the matter, the Chinese cyberspies also compromised Charter Communications and Windstream. The threat actors exploited vulnerabilities in network devices from security major vendor, including Cisco and Fortinet.
At the end of December 2024, a White House official confirmed that China-linked APT group Salt Typhoon has breached a ninth U.S. telecoms company as part of a cyberespionage campaign aimed at telco firms worldwide.
In early December 2024, President Biden’s deputy national security adviser Anne Neuberger said that China-linked APT group Salt Typhoon had breached telecommunications companies in dozens of countries.
The Wall Street Journal reported that the senior White House official revealed that at least eight U.S. telecommunications firms were compromised in the attack.
The Salt Typhoon hacking campaign, active for 1–2 years, has targeted telecommunications providers in several dozen countries, according to a U.S. official.
In December, Lumen announced that the Salt Typhoon APT group, was locked out of its network, TechCrunch reported. The company added that it is not aware of a data breach.
In December, US carriers AT&T and Verizon also reported they had secured their networks after cyberespionage attempts by the China-linked Salt Typhoon group.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, China)
