Salt Typhoon remains active, hits more telecom networks via Cisco routers

The Chinese nation-state threat group intruded five additional telecom networks between December and January, including two unnamed providers in the U.S., Recorded Future researchers said.
For suspected Chinese hackers, U.S. telecoms represent a tempting target for espionage. (Getty Images)

Salt Typhoon, the Chinese nation-state threat group linked to a spree of attacks on U.S. and global telecom providers, remains active in its intrusion and has hit multiple additional networks worldwide, including two in the United States, Recorded Future said in a report released Thursday.

Recorded Future’s Insikt Group observed seven compromised Cisco network devices communicating with Salt Typhoon infrastructure on five telecom networks between early December and late January. The compromised companies include an unnamed U.S. internet service provider and telecom company, a U.S.-based affiliate of a U.K. telecom provider, a large telecom provider in Thailand, an Italy-based ISP and a South Africa-based telecom provider.

Salt Typhoon’s ongoing attack spree underscores the enduring challenge global cyber authorities and network defenders confront in trying to thwart the nation-state group’s activities. U.S. and White House officials in December warned they may never know if the group has been completely booted from networks.

Attackers primarily targeted internet-exposed Cisco network routers over the past couple of months, according to Recorded Future. Tracked as RedMike by the company, the group has attempted to exploit more than 1,000 Cisco routers worldwide — focusing mainly on those running in telecom networks — since early December.

The threat group exploited a pair of known privilege escalation vulnerabilities in Cisco IOS XE, the vendor’s operating system for networking devices, Recorded Future said in the report.

Vulnerabilities in network devices are a common intrusion point for cyberattacks.

The pair of CVEs impacting Cisco IOS XE — CVE-2023-20198 and CVE-2023-20273 — were the third and fourth most routinely exploited vulnerabilities in 2023, according to a Five Eyes cyber advisory released in November.

In the attacks monitored by Recorded Future, Salt Typhoon chained multiple vulnerabilities together. First, it exploited CVE-2023-20198, a vulnerability with a 10 score on the CVSS scale, in order to create a local user and password on the targeted device. Using this new account, it then accessed the device and exploited CVE-2023-20273 to gain root user privileges.

“We have not observed other initial access vectors related to this campaign at this time,” Jon Condra, senior director of strategic intelligence at Recorded Future, said in an email. “We also have no indication that the previously publicized intrusions against AT&T, Verizon, etc. linked to Salt Typhoon were linked to these specific vulnerabilities or Cisco devices more broadly.”

Authorities haven’t identified the primary initial access point for Salt Typhoon’s attacks, but hardening guidance released by U.S. and global officials in December specifically called out the need for network defenders to address the risk of Cisco device exploitation. Officials didn’t mention specific vulnerabilities in the guidance, but advised organizations to refer to Cisco’s hardening guides for NX-OS software devices and IOS-XE.

“In 2023, Cisco published a security advisory disclosing multiple vulnerabilities in the web UI feature in Cisco IOS XE software,” a Cisco spokesperson said via email. “We continue to strongly urge customers to follow recommendations outlined in the advisory and upgrade to the available fixed software release.”
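The chain described above begins by adding a local account through the IOS XE web UI, and Cisco’s advisory for these CVEs recommends disabling the HTTP server feature on internet-facing systems. As an added example (not from the article, Recorded Future’s report or Cisco), this Python script audits a running-config for an enabled web UI and for privilege-15 local users outside a known-admin allowlist; the hostname, usernames and config text are constructed.

```python
import re

# Constructed sample of an IOS XE running-config fragment (not from any real device).
# "svc_backup" stands in for the kind of unexplained privilege-15 account that
# exploitation of CVE-2023-20198 leaves behind; "netops" is the known admin.
SAMPLE_CONFIG = """\
version 17.3
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$placeholder
username svc_backup privilege 15 secret 9 $9$placeholder
username readonly privilege 1 secret 9 $9$placeholder
!
ip http server
ip http secure-server
ip http authentication local
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
!
end
"""

# Matches "username <name> privilege <level> ..." lines in the config.
USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.M)

# Lines that enable the web UI; "no ip http server" does not match because
# the comparison is against the whole stripped line.
WEB_UI_LINES = ("ip http server", "ip http secure-server")


def audit_ios_xe_config(config: str, known_admins: set[str]) -> list[str]:
    """Return findings for an IOS XE running-config: web UI enabled, and any
    privilege-15 local user that is not on the allowlist."""
    findings = []
    enabled = [ln.strip() for ln in config.splitlines() if ln.strip() in WEB_UI_LINES]
    if enabled:
        findings.append("web UI enabled: " + ", ".join(enabled)
                        + " (Cisco recommends disabling on internet-facing devices)")
    for name, priv in USER_RE.findall(config):
        if int(priv) == 15 and name not in known_admins:
            findings.append(f"unexpected privilege-15 local user: {name}")
    return findings


if __name__ == "__main__":
    for finding in audit_ios_xe_config(SAMPLE_CONFIG, {"netops"}):
        print("FINDING:", finding)
```

Run it against a real `show running-config` export with your own admin allowlist; an empty result means no web UI lines and no unknown privilege-15 users were found, not that the device is patched.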

The majority of the Cisco devices targeted by Salt Typhoon since early December were used by telecom providers based in the U.S., South America and India, but other targeted devices were spread across more than 100 countries, according to Recorded Future. Researchers also observed Salt Typhoon attempting to exploit Cisco devices used by universities in nine countries, including four in the U.S., potentially targeting research related to telecom, engineering and technology.

Salt Typhoon’s attack spree targeting global telecom networks began up to two years before it was discovered by U.S. officials in late spring of last year. The Chinese nation-state threat group gained broad and full access to U.S. telecom networks, stole metadata, geolocated millions of individuals at will and directly targeted and stole communications of about 100 individuals involved in government or political activities.

Salt Typhoon is one of three known and active threat groups affiliated with China’s government. U.S. authorities have been warning about Chinese hacking efforts targeting critical infrastructure with increasing alarm since early 2024.

Recorded Future’s research on the group’s ongoing activities follows a series of sanctions placed on China-based organizations and individuals for their alleged involvement in the telecom network attacks and a December hack of the Treasury Department.