Introduction
Salt Typhoon [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], a group of Chinese state-sponsored hackers, has been conducting a sophisticated cyberespionage campaign targeting US telecommunications infrastructure and government entities since at least 2019. This campaign, linked to Chinese intelligence [8], has involved widespread intrusions into major telecommunications companies and networks across several countries.
Description
Chinese state-sponsored hackers [2] [6] [9] [10], known as Salt Typhoon (also referred to as Earth Estries, FamousSparrow [3], and GhostEmperor) [3], have been targeting US telecommunications infrastructure and government entities since at least 2019, employing a sophisticated cyberespionage campaign linked to Chinese intelligence. This highly advanced threat actor has been responsible for widespread intrusion activities against multiple major telecommunications companies [4], including Verizon [2] [4], AT&T [2] [9], T-Mobile [2] [9], and Lumen Technologies [2] [9], as well as networks in Italy, South Africa [3], and Thailand [3]. They primarily gain access to core networking infrastructure by exploiting stolen login credentials and known vulnerabilities, such as CVE-2018-0171 [2], which allows for remote code execution [1], and have also attempted to exploit CVE-2023-20198, CVE-2023-20273 [1] [3] [6], and CVE-2024-20399 [1] [3] [6]. Despite a fix being released in 2018 [8], many systems remained unpatched [8], allowing for persistent access to compromised environments [9], with some instances lasting over three years [9].
Salt Typhoon typically gains initial access to Cisco devices through living-off-the-land (LOTL) methods, allowing them to exfiltrate sensitive configurations, including weakly encrypted SNMP community strings and local account credentials [7]. This facilitates lateral movement through GRE tunnels and modified loopback interfaces [7], with attackers altering loopback addresses to circumvent Access Control Lists (ACLs). Their operations often involve infrastructure pivoting, using compromised devices as stepping stones to reach additional targets while evading detection [10]. They frequently clear relevant logs [10], such as .bash_history and auth.log, to further obscure their activities, and modify authentication, authorization, and accounting (AAA) server settings to bypass access control systems [2] [10]. Notably, they have breached lawful intercept systems used for wiretapping [8], accessing personal communications of high-profile officials [8], including President Donald Trump and Vice President JD Vance [8].
A custom-built utility named JumbledPath exemplifies the technical sophistication of Salt Typhoon [7]. Written in Go and compiled as an ELF binary for x86-64 architecture [4] [10], JumbledPath is designed for use across Linux operating systems, including various multi-vendor network devices [4]. This malware, discovered in actor-configured Guest Shell environments on Cisco Nexus devices [4] [10], captures packets [3], creates encrypted packet capture chains [7], and enables the execution of remote tcpdump sessions via actor-defined SSH jump hosts. It systematically clears logs and impairs logging along the jump path, returning the resultant compressed [4], encrypted capture through a series of unique connections [4] [10]. The attackers have also altered TACACS+ server IP addresses to intercept authentication traffic and injected SSH authorized_keys entries into /etc/shadow for backdoor access [7].
Cisco’s forensic teams have noted password decryption attacks against weak Type 4/5 hashes [7], underscoring the need for stronger encryption methods like Type 8 (PBKDF2-SHA-512). Mitigation strategies against these threats include immediate patching of CVE-2018-0171 and related vulnerabilities, along with significant hardening of TACACS+/RADIUS implementations [7]. Cisco emphasizes the importance of disabling non-essential services [7], such as Smart Install and Guest Shell, and enforcing NETCONF/RESTCONF encryption as critical measures against future LOTL-based attacks [7]. Security researchers recommend that organizations conduct thorough audits of network configurations [2], monitor authentication and authorization activities [2], and analyze system logs for signs of intrusion [2]. Anomalous changes in network behavior and unexpected modifications to device configurations should be investigated [2], while enhancing credential security [2], implementing multi-factor authentication [1] [2], and encrypting network traffic are advised to prevent unauthorized access [2]. The US Treasury Department has also sanctioned Sichuan Juxinhe Network Technology Co. [8] for its involvement in the Salt Typhoon operations [8], while the Chinese government has denied any participation in cyberattacks against US systems [8]. By late October 2024 [9], the FBI and CISA reported breaches affecting multiple major US telecom providers as part of an investigation into unauthorized access to commercial telecommunications infrastructure linked to actors affiliated with the People’s Republic of China.
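As an added example (not code from any of the cited reports or from Cisco), the following Python auditor scans an IOS-style running-config for the items the two paragraphs above describe: weak password storage types (0/4/5/7 rather than 8/9), SNMP community strings sitting in the config, TACACS+ server addresses outside the operator's baseline, the Smart Install client not explicitly disabled, and Tunnel/Loopback interfaces that should be compared against a known-good baseline. The sample config and its hash values are constructed placeholders.

```python
import re

# Cisco password storage types that are recoverable or cheap to crack; types 8 and 9
# (the ones Cisco currently recommends) are not flagged.
WEAK_PASSWORD_TYPES = {"0", "4", "5", "7"}
PASSWORD_RE = re.compile(r"\b(?:secret|password)\s+([0-9])\s+\S+")
TACACS_RE = re.compile(r"^(?:tacacs-server host|\s+address ipv4)\s+(\S+)")
SNMP_RE = re.compile(r"^snmp-server community\s+\S+\s+(?:RO|RW)\b")

# Constructed sample running-config; the hashes are placeholders, not real digests.
SAMPLE_CONFIG = """\
enable secret 5 $1$abcd$PLACEHOLDERMD5HASH
username ops privilege 15 secret 9 $9$PLACEHOLDERSCRYPTHASH
username legacy password 7 0822455D0A16
snmp-server community public RO
tacacs server primary
 address ipv4 10.10.1.5
tacacs server rogue
 address ipv4 203.0.113.77
interface Loopback99
 ip address 10.255.255.99 255.255.255.255
interface Tunnel0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.77
"""

def audit_ios_config(config, baseline_tacacs):
    """Return (category, evidence) findings for an IOS-style config text.
    baseline_tacacs is the set of TACACS+ server addresses the operator expects."""
    findings, section, smart_install_disabled = [], "", False
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            section = line                  # top-level stanza, e.g. "interface Tunnel0"
        if line == "no vstack":             # Smart Install client explicitly disabled
            smart_install_disabled = True
        m = PASSWORD_RE.search(line)
        if m and m.group(1) in WEAK_PASSWORD_TYPES:
            findings.append((f"weak-password-type-{m.group(1)}", line.strip()))
        m = TACACS_RE.match(line)
        if m and section.startswith("tacacs") and m.group(1) not in baseline_tacacs:
            findings.append(("unexpected-tacacs-server", line.strip()))
        if SNMP_RE.match(line):             # community strings get lifted from configs
            findings.append(("snmp-community-present", line))
        # Tunnel interfaces default to GRE on IOS; both kinds are compared to baseline.
        if line == section and section.startswith(("interface Tunnel", "interface Loopback")):
            findings.append(("pivot-interface-review", line))
    if not smart_install_disabled:
        findings.append(("smart-install-not-disabled", "no 'no vstack' line present"))
    return findings
```

Run it against `show running-config` output with the set of TACACS+ addresses you actually operate; every finding is a review item, not a verdict.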
Conclusion
The activities of Salt Typhoon have significant implications for global cybersecurity, particularly in the telecommunications sector. The persistent nature of their intrusions highlights the critical need for organizations to implement robust security measures, including timely patching of vulnerabilities, strengthening encryption protocols, and enhancing network monitoring. As cyber threats continue to evolve, collaboration between government agencies and private sector entities will be essential in mitigating risks and safeguarding sensitive information. The ongoing investigation by the FBI and CISA underscores the importance of vigilance and proactive defense strategies in the face of sophisticated cyber adversaries.
References
[1] https://gbhackers.com/salt-typhoon-hackers-exploit-cisco-vulnerability/
[2] https://www.techmonitor.ai/technology/cybersecurity/salt-typhoon-exploits-cisco-devices-to-access-us-telecom-infrastructure
[3] https://securityaffairs.com/174460/apt/salt-typhoon-custom-malware-jumbledpath-to-spy-u-s-telecom-providers.html
[4] https://blog.talosintelligence.com/salt-typhoon-analysis/
[5] https://hackaday.com/2025/02/21/this-week-in-security-openssh-jumbledpath-and-ransacked/
[6] https://www.cybersecuritydive.com/news/cisco-salt-typhoon-used-new-custom-malware-in-telecom-attacks/740629/
[7] https://cybersecuritynews.com/salt-typhoon-hackers-exploit-cisco-vulnerability/
[8] https://www.nextgov.com/cybersecurity/2025/02/salt-typhoon-hackers-exploited-stolen-credentials-and-7-year-old-software-flaw-cisco-systems/403146/
[9] https://www.techradar.com/pro/security/salt-typhoon-hackers-used-this-clever-technique-to-attack-us-networks
[10] https://www.infosecurity-magazine.com/news/salt-typhoon-cisco-custom-tool/