Salt Typhoon gained initial access to telecoms through Cisco devices

Salt Typhoon gained initial access to Cisco devices as part of the Chinese nation-state threat group’s sweeping attacks on U.S. telecom networks, the company confirmed Thursday in a threat intelligence report.
Cisco Talos, the networking vendor’s threat intelligence unit, said it observed one instance in which Salt Typhoon likely exploited a seven-year-old critical vulnerability in the Smart Install feature of Cisco IOS and IOS XE (CVE-2018-0171). In every other incident it has investigated to date, researchers said, Salt Typhoon gained initial access to Cisco devices with legitimate login credentials.
The report marks the first time Cisco acknowledged the role its equipment played in Salt Typhoon’s attack spree on telecom networks. Recorded Future last week said five additional telecom networks were hit by Salt Typhoon via a pair of other vulnerabilities in Cisco IOS XE (CVE-2023-20198 and CVE-2023-20273) between early December and late January.
Cisco Talos said it hasn’t identified any evidence to confirm Salt Typhoon’s exploitation of other known Cisco vulnerabilities. The company declined to answer questions.
“Cisco Talos published a blog about the threat actor Salt Typhoon’s campaign, based on Cisco’s investigation while assisting law enforcement and victims of the attacks,” a company spokesperson said via email. “Our findings do not cover the entirety of the Salt Typhoon campaign or all affected infrastructure, as these go beyond the scope of Cisco’s engagement and technology. As always, we strongly advise customers to patch known vulnerabilities and follow industry best practices for securing management protocols.”
Salt Typhoon’s primary initial access point for attacks on telecom networks hasn’t been identified by authorities, but U.S. and global officials advised network defenders to address the risk of Cisco device exploitation in guidance released in December. The Cybersecurity and Infrastructure Security Agency declined to comment on Cisco’s report.
Cisco Talos also reaffirmed earlier threat intelligence, in particular that Salt Typhoon maintained persistent access to telecom network infrastructure using living-off-the-land techniques, which it described as a hallmark of the campaign.
The threat group maintained access to one target environment for more than three years, according to Cisco Talos.
Researchers said it is unknown how Salt Typhoon obtained valid credentials for Cisco devices, but noted that the group actively tried to acquire more: it pulled network device configurations and recovered the passwords of local accounts stored with weak, reversible password types. Salt Typhoon also captured network protocol traffic, including the shared secrets that devices use to authenticate to TACACS+ and RADIUS servers, likely to obtain additional credentials, the report said.
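The check a defender would want after reading that paragraph is a scan of each device's running configuration for credential material an attacker holding the config can recover. The Python script below is an added example, not code from the Talos report or from Cisco: it flags local accounts, enable secrets, AAA shared keys and SNMP community strings stored in weak types, and decodes type 7 values on the spot to show why they offer no protection. The configuration text, hostnames, addresses and secrets are constructed for the example; the type 7 obfuscation key and the Cisco password-type numbering are real and publicly documented.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Cisco "type 7" passwords are obfuscated with a fixed, publicly known XOR key;
# the first two characters of the stored value are a decimal index into that key.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(stored: str) -> str:
    """Recover the plaintext of a type 7 value, as anyone holding the config can."""
    seed = int(stored[:2])
    body = bytes.fromhex(stored[2:])
    return bytes(c ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                 for i, c in enumerate(body)).decode()


def encode_type7(plain: str, seed: int = 8) -> str:
    """Produce a type 7 value (used here only to build test data)."""
    out = [f"{seed:02d}"]
    for i, ch in enumerate(plain.encode()):
        out.append(f"{ch ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]:02X}")
    return "".join(out)


# Storage types an attacker with the config can recover or crack cheaply.
# Types 8 (PBKDF2-SHA256) and 9 (scrypt) are the ones to keep.
WEAK_TYPES = {
    "0": "plaintext",
    "7": "reversible XOR obfuscation, decoded instantly",
    "5": "salted MD5, fast to brute-force offline",
    "4": "unsalted SHA-256, deprecated",
}

# Config lines that carry credential material. A missing type digit means plaintext.
_RULES = [
    ("local account", re.compile(
        r"^username\s+\S+(?:\s+privilege\s+\d+)?\s+(?:password|secret)\s+"
        r"(?:(?P<type>\d)\s+)?(?P<val>\S+)$")),
    ("enable", re.compile(
        r"^enable\s+(?:password|secret)\s+(?:(?P<type>\d)\s+)?(?P<val>\S+)$")),
    ("AAA shared key", re.compile(
        r"^\s*(?:tacacs-server\s+|radius-server\s+)?key\s+(?!chain\b)"
        r"(?:(?P<type>\d)\s+)?(?P<val>\S+)$")),
    ("SNMP community", re.compile(r"^snmp-server\s+community\s+(?P<val>\S+)")),
]


@dataclass
class Finding:
    line_no: int
    kind: str
    ptype: str
    reason: str
    recovered: Optional[str]  # plaintext when it can be read back without cracking


def scan_config(config_text: str) -> List[Finding]:
    """Return one Finding per credential stored in a weak type."""
    findings: List[Finding] = []
    for n, line in enumerate(config_text.splitlines(), 1):
        for kind, rx in _RULES:
            m = rx.match(line)
            if not m:
                continue
            ptype = m.groupdict().get("type") or "0"
            if ptype in WEAK_TYPES:
                val = m.group("val")
                recovered = decode_type7(val) if ptype == "7" else (val if ptype == "0" else None)
                findings.append(Finding(n, kind, ptype, WEAK_TYPES[ptype], recovered))
            break
    return findings


def report(config_text: str) -> List[str]:
    return [f"line {f.line_no}: {f.kind} stored as type {f.ptype} ({f.reason})"
            + (f" -> {f.recovered!r}" if f.recovered else "")
            for f in scan_config(config_text)]


# Constructed sample configuration; the type 7 values encode "cisco" and "s3cret".
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username admin privilege 15 password 7 0822455D0A16
username netops secret 5 $1$Xy9q$AbCdEfGhIjKlMnOpQrStU.
username svc-backup secret 9 $9$h4jkl2m3n4o5p6$QrStUvWxYz0123456789AbCdEfGhIjKlMnOpQrStUv
enable secret 9 $9$a1b2c3d4e5f6g7$ZyXwVuTsRqPoNmLkJiHgFeDcBa9876543210ZyXwVuTs
tacacs server ise-primary
 address ipv4 10.0.0.5
 key 7 0215575819031B
snmp-server community public RO
"""

if __name__ == "__main__":
    for entry in report(SAMPLE_CONFIG):
        print(entry)
```

Run against an archived `show running-config`, the script reports the two type 7 values with their plaintext, the MD5 local account and the SNMP community string, and stays silent on the type 9 secrets. The same scan is worth repeating against configuration backups and TFTP/SCP archives, since those are exactly what the report describes the attacker collecting.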
Another key component of Salt Typhoon’s activity was continued movement through compromised infrastructure. Researchers said the threat group blended its activity into normal operations by pivoting through infrastructure that its targets already trusted.
“The threat actor also pivoted from a compromised device operated by one telecom to target a device in another telecom,” the report said. “We believe that the device associated with the initial telecom was merely used as a hop point and not the intended final target in several instances.”
Most of Salt Typhoon’s movement across infrastructure involved network equipment from different vendors, according to Cisco Talos.
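The pattern described above, one network device logging into the next, is something a defender can hunt for directly: interactive logins to infrastructure should originate from sanctioned jump hosts, not from other routers. The Python below is an added example, not code from the report or from Cisco. It parses Cisco IOS `%SEC_LOGIN-5-LOGIN_SUCCESS` messages, classifies each login by where it came from, and stitches device-to-device logins into the path an operator would see if a router was being used as a hop point. The device inventory, jump-host subnet and syslog lines are constructed for the example; the log message format is the one IOS emits.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Assumed inventory for the example: management addresses of our own devices and
# the subnet that sanctioned jump hosts sit on. In practice this comes from the CMDB.
DEVICE_BY_MGMT_IP = {
    "10.1.1.1": "core-rtr-01",
    "10.1.1.2": "core-rtr-02",
    "10.1.1.3": "edge-rtr-01",
}
JUMP_HOST_NETS = [ip_network("10.250.0.0/24")]

# IOS login-success message, prefixed (as a syslog collector would) with the hostname
# of the device that emitted it, i.e. the login target.
LOGIN_RX = re.compile(
    r"^(?P<target>\S+)\s.*%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[0-9.]+)\] \[localport: (?P<port>\d+)\]"
)


@dataclass
class Login:
    user: str
    src: str          # source address as logged
    src_device: str   # name of our own device when the source is one, else ""
    target: str
    port: int         # 22 = SSH, 23 = Telnet (cleartext)


def classify_logins(lines: List[str]) -> Dict[str, List[Login]]:
    """Split successful logins into sanctioned, device-to-device, and unknown-source."""
    out: Dict[str, List[Login]] = {"sanctioned": [], "device_hop": [], "unknown_source": []}
    for line in lines:
        m = LOGIN_RX.match(line)
        if not m:
            continue
        src = m.group("src")
        login = Login(m.group("user"), src, DEVICE_BY_MGMT_IP.get(src, ""),
                      m.group("target"), int(m.group("port")))
        if any(ip_address(src) in net for net in JUMP_HOST_NETS):
            out["sanctioned"].append(login)
        elif login.src_device:
            out["device_hop"].append(login)   # a router logging into a router
        else:
            out["unknown_source"].append(login)
    return out


def hop_chains(classified: Dict[str, List[Login]]) -> List[List[str]]:
    """Follow device-to-device logins outward from each sanctioned entry point."""
    by_src: Dict[str, List[str]] = {}
    for h in classified["device_hop"]:
        by_src.setdefault(h.src_device, []).append(h.target)
    chains: List[List[str]] = []

    def walk(path: List[str]) -> None:
        nxt = [t for t in by_src.get(path[-1], []) if t not in path]
        if not nxt and len(path) > 1:
            chains.append(path)
        for t in nxt:
            walk(path + [t])

    for entry in classified["sanctioned"]:
        walk([entry.target])
    return chains


# Constructed syslog lines: a sanctioned login, two device-to-device hops (the second
# over Telnet), a failed attempt that is ignored, and a login from an unknown address.
SAMPLE_SYSLOG = [
    "core-rtr-01 201: *Feb 20 02:10:11.000: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.250.0.10] [localport: 22] at 02:10:11 UTC Thu Feb 20 2025",
    "edge-rtr-01 877: *Feb 20 02:12:40.000: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.1.1.1] [localport: 22] at 02:12:40 UTC Thu Feb 20 2025",
    "core-rtr-02 310: *Feb 20 02:13:05.000: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.1.1.3] [localport: 23] at 02:13:05 UTC Thu Feb 20 2025",
    "core-rtr-02 311: *Feb 20 02:13:09.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.3] [localport: 22] [Reason: Login Authentication Failed] at 02:13:09 UTC Thu Feb 20 2025",
    "edge-rtr-01 880: *Feb 20 02:15:00.000: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 198.51.100.7] [localport: 22] at 02:15:00 UTC Thu Feb 20 2025",
]

if __name__ == "__main__":
    result = classify_logins(SAMPLE_SYSLOG)
    for h in result["device_hop"]:
        print(f"hop: {h.user} from {h.src_device} -> {h.target} (port {h.port})")
    for chain in hop_chains(result):
        print("path: " + " -> ".join(chain))
```

On the sample the script reports two hops and the path core-rtr-01 -> edge-rtr-01 -> core-rtr-02. The same logic applies across organisational boundaries: a login whose source is a peer carrier's device rather than your own jump host is the cross-telecom pivot the report describes, and is worth a dedicated alert even when the credentials used are valid.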
“The long timeline of this campaign suggests a high degree of coordination, planning and patience — standard hallmarks of advanced persistent threat and state-sponsored actors,” researchers said in the report.