Cisco further exposes Salt Typhoon intrusions of telecoms networks

Cisco has provided further details about the sweeping cyber espionage campaign known as Salt Typhoon that has compromised telecoms providers.

The suspected Beijing-linked threat actor has demonstrated advanced capabilities, including prolonged persistence in compromised systems and extensive exfiltration of sensitive data. Cisco Talos, the research arm of Cisco, has been closely tracking this operation, initially reported in late 2024 and later confirmed by US government agencies.

In their investigation, Cisco Talos revealed that Salt Typhoon managed to infiltrate the core networks of multiple telecom firms—exploiting vulnerabilities and misused credentials to maintain covert access for years.

Cisco Talos assesses that the sophistication and focus of Salt Typhoon point to a state-sponsored advanced persistent threat (APT) group. The targeted nature of the campaign, its extensive planning, and its technical execution fit the hallmarks of state-level cyber operations.

Living-off-the-Land methods exploited

One signature trait of the campaign is Salt Typhoon’s extensive use of “living-off-the-land” (LOTL) techniques. Instead of relying on custom malware, the attackers used inherent functionalities and administrative tools within the compromised environments to avoid detection.

Anonymous sources speaking to Telecoms have warned that state-linked personnel are embedded within Western telcos, some for as long as 20 years. While some are “professional intelligence officers,” others are simply agents “doing their government’s bidding,” whose activities can range from influence operations to direct espionage and sabotage.

By leveraging tools present or placed in network devices, Salt Typhoon managed to persist undetected for extended periods—Cisco uncovered one case maintaining access for more than three years.

While there is evidence suggesting that a legacy Cisco vulnerability – CVE-2018-0171 – was exploited in one instance, the majority of intrusions were achieved using legitimate login credentials stolen from targeted victims.

Further access was achieved by harvesting new credentials through compromised devices, weak password encryption methods, and intercepting network traffic such as SNMP, TACACS, and RADIUS.

Key techniques and immediately actionable methods

Salt Typhoon’s strategies reflect a clear focus on expansion and defence evasion within targeted networks. Notable tactics include:

Credential compromise and expansion

The intruders prioritised capturing credentials and authentication material stored in device configurations, such as SNMP community strings. Weak, reversible password storage types were exploited, allowing the attackers to recover passwords offline with ease. Moreover, traffic capture tools like *tcpdump* and Cisco-specific commands like *tpacap* were used to monitor sensitive data and discover security keys.

Exfiltration of configurations

The attackers exfiltrated network configurations over TFTP or FTP in numerous cases. These files often contained authentication material and a detailed blueprint of the compromised network, enabling follow-up reconnaissance and lateral movement.

Infrastructure pivoting

Salt Typhoon expertly “jumped” between compromised devices, minimising suspicious activity and leveraging trusted sources to execute their operations. In some scenarios, compromised devices within one telecom were used as gateways to attack systems in another telecom, underscoring the interconnectedness of these networks.

Advanced techniques: Device modifications, packet captures, and defence evasion

Salt Typhoon demonstrated a robust arsenal of advanced techniques that allowed them to remain undetected while deeply embedding themselves within target networks.

Device and configuration modifications

The threat actor tampered with network devices and their running configurations to gain persistent access and facilitate lateral movement.

Key changes observed included:

  • Changing AAA (Authentication, Authorisation, and Accounting) server IPs.
  • Modifying Access Control Lists (ACLs).
  • Enabling or disabling *Guest Shell*, a Linux-based subsystem.
  • Adding SSH keys for unauthorised persistent access.

This level of system-level tampering points to an in-depth understanding of network administration and advanced technical expertise.

Packet capture techniques

To exfiltrate data covertly, the attackers leveraged powerful tools to capture network traffic. General utilities like tcpdump and Cisco-specific features such as Embedded Packet Capture (EPC) were used.

The attackers also deployed a custom tool, JumbledPath, an x86-64 binary enabling encrypted and obfuscated packet captures through complex jump-paths. This tool not only concealed the origin and destination of data but also masked unauthorised remote activities with high efficiency.

Defence evasion strategies

Salt Typhoon employed meticulous strategies to avoid detection.

Log files like .bash_history, auth.log, and wtmp were routinely cleared to erase evidence of their activities. The attackers also modified device states, such as switching off Guest Shell after use, resetting SSH configurations to their defaults, and altering loopback interface IPs to bypass access restrictions.

Mitigation recommendations

Faced with an adversary as sophisticated as Salt Typhoon, Cisco underscores the need for network infrastructure defenders to adhere to stringent security practices and has recommended both Cisco-specific and general measures:

Cisco-specific

  • Disable legacy features and unused services: Shut down services such as Smart Install (`no vstack`) and non-encrypted web servers (`no ip http server`).
  • Strengthen password encryption: Use stronger password types such as type 8 for local credentials and type 6 for TACACS+ key configurations.
  • Restrict Guest Shell access: Disable Guest Shell on devices not requiring this functionality (`guestshell disable`).
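The weak-credential and configuration points above (reversible password types, SNMP community strings, Smart Install, the cleartext HTTP server, Guest Shell) can be checked mechanically against a device's running configuration. The following audit script is an added example written for this article, not Cisco's or Talos's code: both configurations it contains are constructed samples, the hash and ciphertext values are placeholders, and treating `guestshell enable`/`guestshell disable` as a configuration line is a simplification made here for illustration. The IOS command syntax follows the commands the article quotes.

```python
"""Audit a Cisco IOS-style running-config for the weak settings the article lists.

Added example for this article, not Cisco's or Talos's code. Both configs are
constructed samples; placeholders stand in for hashes and ciphertext.
"""
import re
from dataclasses import dataclass

# Storage types Cisco documents as strong: 6 (AES, for keys), 8 (PBKDF2-SHA256)
# and 9 (scrypt). Anything else is flagged with a reason.
STRONG_TYPES = {"6", "8", "9"}
WEAK_TYPE_REASON = {
    "0": "stored in plaintext",
    "4": "deprecated type 4 hash; migrate to type 8",
    "5": "MD5-based type 5 hash; migrate to type 8",
    "7": "type 7 is reversible obfuscation, recoverable offline in seconds",
}
CRED_RE = re.compile(r"\b(password|secret|key)\s+(\d)\s+\S+")
SNMP_RE = re.compile(r"^snmp-server community (\S+)(?:\s+view\s+\S+)?\s+(RO|RW)(?:\s+(\S+))?$")
DEFAULT_COMMUNITIES = {"public", "private"}

WEAK_CONFIG = """\
hostname edge-rtr-01
vstack
ip http server
ip http secure-server
username admin password 7 TYPE7-PLACEHOLDER
enable password 7 TYPE7-PLACEHOLDER
tacacs server TAC-1
 address ipv4 10.0.0.5
 key 7 TYPE7-PLACEHOLDER
snmp-server community public RO
snmp-server community private RW
guestshell enable
"""

HARDENED_CONFIG = """\
hostname edge-rtr-01
no vstack
no ip http server
ip http secure-server
username admin secret 8 $8$SALT-PLACEHOLDER$HASH-PLACEHOLDER
enable secret 8 $8$SALT-PLACEHOLDER$HASH-PLACEHOLDER
password encryption aes
tacacs server TAC-1
 address ipv4 10.0.0.5
 key 6 AES-CIPHERTEXT-PLACEHOLDER
access-list 10 permit 10.0.0.0 0.0.0.255
snmp-server community 7kLmQ9xAqR RO 10
guestshell disable
"""


@dataclass(frozen=True)
class Finding:
    line_no: int   # 0 means the finding applies to the config as a whole
    rule: str
    detail: str


def audit_config(config: str) -> list[Finding]:
    """Return the weak settings found; an empty list means every check passed."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings: list[Finding] = []

    # Smart Install is on by default on many platforms, so an absent line is not
    # safety: require the explicit `no vstack`.
    if "no vstack" not in lines:
        findings.append(Finding(0, "smart-install", "Smart Install not explicitly disabled (`no vstack` missing)"))
    if "ip http server" in lines:
        findings.append(Finding(lines.index("ip http server") + 1, "http-server",
                                "cleartext HTTP server enabled (`no ip http server`)"))

    for no, ln in enumerate(lines, 1):
        cred = CRED_RE.search(ln)
        if cred:
            kind, ptype = cred.groups()
            if ptype not in STRONG_TYPES:
                reason = WEAK_TYPE_REASON.get(ptype, "unrecognised storage type")
                findings.append(Finding(no, "weak-credential-type", f"{kind} type {ptype}: {reason}"))
        if ln == "guestshell enable":
            findings.append(Finding(no, "guestshell", "Guest Shell enabled; disable unless required (`guestshell disable`)"))
        snmp = SNMP_RE.match(ln)
        if snmp:
            community, mode, acl = snmp.groups()
            problems = []
            if community in DEFAULT_COMMUNITIES:
                problems.append("default community string")
            if acl is None:
                problems.append(f"{mode} community not restricted by an ACL")
            if problems:
                findings.append(Finding(no, "snmp-community", "; ".join(problems)))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_config(cfg)
        print(f"{name}: {len(results)} finding(s)")
        for f in results:
            print(f"  line {f.line_no:>2} [{f.rule}] {f.detail}")
```

Run against the weak sample it reports eight findings (Smart Install not disabled, the HTTP server, three type 7 credentials, both SNMP communities and Guest Shell); the hardened sample passes clean. The Smart Install check is deliberately "absence of `no vstack`" rather than "presence of `vstack`", because the feature can be active without appearing in the configuration.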

General best practices

  • Regularly patch devices: Update software and hardware to mitigate known vulnerabilities like CVE-2018-0171.
  • Adopt stringent access controls: Replace default passwords with complex ones and implement multi-factor authentication across systems.
  • Implement comprehensive monitoring: Monitor logs and network behaviours for unusual activity, such as SSH connections on abnormal ports or abrupt decreases in log activity.
  • Centralise configuration storage: Store configurations externally rather than relying on the device itself as the source of truth.
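The monitoring recommendation above, together with the device modifications (AAA server changes, ACL edits, added SSH keys, loopback changes) and the log clearing described in the earlier sections, can be turned into concrete detections. The script below is an added example written for this article, not Cisco's or Talos's code. It runs three checks over constructed Cisco IOS syslog lines: configuration commands that match the tampering the article lists, successful logins accepted on a non-standard SSH port, and an hourly message count that collapses against the preceding hours. The message formats follow IOS conventions (`%PARSER-5-CFGLOG_LOGGEDCMD` is emitted when `archive log config` is enabled; `%SEC_LOGIN-5-LOGIN_SUCCESS` reports the local port); the device name, addresses, user name and thresholds are assumptions made for the sample.

```python
"""Run the article's recommended detections over constructed Cisco IOS syslog.

Added example for this article, not Cisco's or Talos's code. Device name,
addresses, user and thresholds below are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")
CMD_RE = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(\S+)\s+logged command:(.*)$")
LOGIN_RE = re.compile(r"%SEC_LOGIN-5-LOGIN_SUCCESS: .*\[Source: ([\d.]+)\] \[localport: (\d+)\]")

# Config commands matching the device modifications the article attributes to Salt Typhoon.
TAMPER_RULES = [
    ("aaa-server-change", re.compile(r"^(tacacs-server host|tacacs server |radius-server host|radius server |aaa )")),
    ("acl-change", re.compile(r"^(ip access-list|ipv6 access-list|access-list)")),
    ("ssh-key-added", re.compile(r"^(ip ssh pubkey-chain|key-string)")),
    ("loopback-modified", re.compile(r"^interface [Ll]oopback")),
    ("ssh-config-reset", re.compile(r"^(no ip ssh|crypto key zeroize)")),
]


def build_sample_logs() -> list[str]:
    """Constructed sample: three routine hours, then config changes from an unusual
    source logged in on a non-standard port, after which the device goes almost silent."""
    logs = []
    for hour in (8, 9, 10):
        for minute in range(0, 60, 10):
            logs.append(f"2025-02-20T{hour:02d}:{minute:02d}:00 edge-rtr-01 "
                        "%SYS-6-LOGOUT: User netops has exited tty session 1(10.10.1.5)")
    logs += [
        "2025-02-20T10:41:12 edge-rtr-01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 198.51.100.7] [localport: 2222]",
        "2025-02-20T10:42:03 edge-rtr-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:tacacs server TAC-NEW",
        "2025-02-20T10:42:09 edge-rtr-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:ip access-list extended MGMT-IN",
        "2025-02-20T10:42:30 edge-rtr-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:ip ssh pubkey-chain",
        "2025-02-20T10:43:00 edge-rtr-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface Loopback0",
        "2025-02-20T11:05:00 edge-rtr-01 %SYS-5-CONFIG_I: Configured from console by netops on vty0 (198.51.100.7)",
    ]
    return logs


def parse(line: str):
    """Split a syslog line into (timestamp, device, message); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, device, msg = m.groups()
    return datetime.fromisoformat(ts), device, msg


def detect_tampering(logs: list[str]) -> list[dict]:
    """Flag logged config commands touching AAA servers, ACLs, SSH keys or loopbacks."""
    alerts = []
    for line in logs:
        parsed = parse(line)
        cmd = CMD_RE.search(parsed[2]) if parsed else None
        if not cmd:
            continue
        user, command = cmd.group(1), cmd.group(2).strip()
        for rule, pattern in TAMPER_RULES:
            if pattern.match(command):
                alerts.append({"rule": rule, "device": parsed[1], "user": user,
                               "command": command, "time": parsed[0].isoformat()})
                break
    return alerts


def detect_abnormal_ssh(logs: list[str], expected_port: int = 22) -> list[dict]:
    """Flag successful logins accepted on a local port other than the expected SSH port."""
    alerts = []
    for line in logs:
        parsed = parse(line)
        login = LOGIN_RE.search(parsed[2]) if parsed else None
        if login and int(login.group(2)) != expected_port:
            alerts.append({"rule": "ssh-abnormal-port", "device": parsed[1],
                           "source": login.group(1), "port": int(login.group(2))})
    return alerts


def detect_log_gap(logs: list[str], window: int = 3, ratio: float = 0.25,
                   until: Optional[datetime] = None) -> list[dict]:
    """Flag an hour whose message count collapses against the preceding hours.
    Silent hours are filled with zero so a fully muted device is still caught;
    pass `until` (e.g. now) to extend the series past the last message seen."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in logs:
        parsed = parse(line)
        if parsed:
            counts[parsed[1]][parsed[0].replace(minute=0, second=0, microsecond=0)] += 1
    alerts = []
    for device, hours in counts.items():
        start, end = min(hours), max(hours)
        if until is not None:
            end = max(end, until.replace(minute=0, second=0, microsecond=0))
        series, t = [], start
        while t <= end:
            series.append((t, hours.get(t, 0)))
            t += timedelta(hours=1)
        for i, (hour, n) in enumerate(series):
            prev = [c for _, c in series[max(0, i - window):i]]
            if len(prev) < 2:
                continue   # not enough history to form a baseline
            baseline = sum(prev) / len(prev)
            if n < ratio * baseline:
                alerts.append({"rule": "log-volume-drop", "device": device, "hour": hour.isoformat(),
                               "count": n, "baseline": round(baseline, 1)})
    return alerts


def run_all(logs: list[str]) -> list[dict]:
    return detect_tampering(logs) + detect_abnormal_ssh(logs) + detect_log_gap(logs)


if __name__ == "__main__":
    for alert in run_all(build_sample_logs()):
        print(alert)
```

On the sample this yields four tampering alerts, one abnormal-port login and one volume-drop alert for the 11:00 hour. The volume check fills unobserved hours with zero on purpose: a device whose logs have been cleared or whose logging has been redirected produces no lines at all, and a detection that only iterates over hours that do appear in the data would never see it.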

Cisco has also provided the following IP addresses associated with potentially related malicious activity (unconnected to Salt Typhoon but useful for mitigation):

  • 185.141.24.28
  • 185.82.200.181

Salt Typhoon: A reminder of persistent and evolving threats

The Salt Typhoon campaign stands as a grave reminder of the persistent and evolving threats facing critical infrastructure providers. While telecoms companies were the primary focus in this case, these findings underscore the vulnerabilities faced by entities across all sectors.

During their investigation, Cisco also detected separate, unrelated targeting of their Smart Install feature, highlighting the ongoing risks posed by neglected vulnerabilities in legacy systems.

Robust segmentation, device patching, credential hygiene, and detailed logging are critical to prevent similar breaches in the future.

As the Salt Typhoon investigation is ongoing, organisations are advised to stay alert for updated guidance and proactively strengthen their cyber defences. Telecoms will have a lot more on this in the coming weeks.
