Full Report
The Chinese state-sponsored Salt Typhoon hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers. [...]
Analysis Summary
# Threat Actor: Salt Typhoon
## Attribution & Identity
Attributed to **Chinese state-sponsored threat actors**. "Salt Typhoon" is the tracked designation for the group; no other alias is given in the summary context.
## Activity Summary
The actor is engaged in long-term espionage, specifically spying on **US telecom networks** over the past couple of years. Its primary objective has been to compromise edge networking devices (routers, firewalls and similar perimeter gear) in order to monitor network communications, steal credentials, and use the compromised devices as proxies that relay further attacks.
## Tactics, Techniques & Procedures
- **Execution/Persistence:** Gaining **Guest Shell access** (the Linux container environment on Cisco IOS XE and NX-OS devices) to execute commands and run tooling on the device itself.
- **Defense Evasion/Persistence:** **Altering access control lists (ACLs)** and **creating hidden accounts**.
- **Discovery/Collection:** Using packet-capturing tools like **Tcpdump**, **Tpacap**, and **Embedded Packet Capture**.
- **Custom Malware Usage:** Employing the custom tool **JumbledPath**.
- **Evidence Tampering:** **Disabling logging** and **clearing existing logs** to erase forensic traces.
- **Attack Staging:** Relaying packet-capture activity through a **jump-host** (an already-compromised intermediary device) so that the capture traffic appears to originate from a trusted internal device and the operator's true location is obscured.
## Targeting
- **Sectors:** Telecom networks. The context also mentions earlier targeting of edge devices from vendors including Fortinet, Barracuda, SonicWall, Check Point, D-Link, Cisco, Juniper, NetGear, and Sophos, i.e. the perimeter appliances that front critical infrastructure and enterprise networks.
- **Geography:** Primarily targeting entities within the **US**.
- **Victims:** US telecom operators; the excerpt does not name specific providers.
## Tools & Infrastructure
- **Malware families used:** Custom tool named **JumbledPath**, a Go-based ELF binary built for x86_64 Linux systems, used to covertly capture network traffic on compromised devices.
- **Packet Capture Tools:** Tcpdump, Tpacap, Embedded Packet Capture.
- **Infrastructure:** Compromised devices used as **jump-hosts** to proxy packet-capture and other activity during operations.
## Implications
The focus on edge networking devices (Cisco Nexus among the platforms referenced, plus the other vendors' appliances listed above) indicates a sophisticated, long-term espionage campaign aimed at gaining deep visibility into network traffic and credentials and at using the devices as pivot points into more sensitive internal networks. Compromises of these devices often survive firmware upgrades, which makes detection and remediation difficult.
## Mitigations
- Monitor for **unauthorized SSH activity on non-standard ports**, including SSH service configuration that moves the listener off port 22.
- Track **log anomalies**, including missing or truncated logs (a sign of log clearing) and unusually large `.bash_history` files on the device's Linux environment (a sign of heavy interactive shell use).
- Inspect for **unexpected configuration changes** on networking gear (ACL edits, new local accounts, altered SSH settings, disabled logging), ideally by diffing the running configuration against a known-good baseline stored off the device.
- **Apply patches** to edge networking devices as soon as they are available, since these campaigns exploit both zero-days and known, unpatched flaws.
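One way to operationalise the configuration-change and logging checks above, as an added example that is not part of the original report: the script diffs a stored baseline running-config against the current one pulled from a Cisco IOS/IOS XE device and tags each changed line with the indicators the TTP list describes (non-standard SSH port, new local accounts, logging disabled, Guest Shell/IOx enabled, ACL edits, anything else unexpected). The two config fragments are constructed samples with placeholder password hashes, and the Guest Shell rule assumes that enabling it leaves `iox` and `app-hosting appid guestshell` lines in the running configuration.

```python
"""Diff a known-good baseline running-config against the current one and tag
each change with the tampering indicators the report lists. Added example, not
part of the original report: the two configs are constructed samples, and the
Guest Shell rule assumes (an assumption) that enabling it leaves 'iox' and
'app-hosting appid guestshell' lines in running-config."""
import re
from typing import NamedTuple


class ConfigLine(NamedTuple):
    section: str  # nearest unindented parent line; "" for top-level lines
    text: str


class Finding(NamedTuple):
    rule: str
    detail: str


SSH_PORT = re.compile(r"^ip ssh port (\d+)")

# Constructed sample: config captured when the device was deployed.
BASELINE_CONFIG = """
username netops privilege 15 secret 9 $9$PLACEHOLDER
logging host 10.0.0.5
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 deny ip any any log
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
"""

# Constructed sample: the same device after Salt Typhoon-style tampering.
CURRENT_CONFIG = """
iox
username netops privilege 15 secret 9 $9$PLACEHOLDER
username backup privilege 15 secret 9 $9$PLACEHOLDER2
no logging on
ip ssh port 57722 rotary 50
!
ip access-list extended MGMT-IN
 permit tcp host 203.0.113.10 any
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 deny ip any any log
app-hosting appid guestshell
 app-vnic management guest-interface 0
line vty 0 4
 access-class MGMT-IN in
 rotary 50
 transport input ssh
"""


def parse_config(text: str) -> set[ConfigLine]:
    """Flatten an IOS-style config into (section, line) pairs so children of
    'ip access-list ...' or 'line vty 0 4' blocks keep their parent."""
    lines, section = set(), ""
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # comments / block terminators carry no config state
        if raw[0].isspace():
            lines.add(ConfigLine(section, raw.strip()))
        else:
            section = raw.strip()
            lines.add(ConfigLine("", section))
    return lines


def _where(section: str, sign: str, line: str) -> str:
    return f"{section}: {sign}{line}" if section else f"{sign}{line}"


def find_indicators(baseline: str, current: str) -> list[Finding]:
    """One Finding per changed line, tagged with the most specific rule that
    matches; anything else is still reported as 'unexpected-change'."""
    base, cur = parse_config(baseline), parse_config(current)
    findings = []
    for sec, line in sorted(cur - base):
        m = SSH_PORT.match(line)
        if m and int(m.group(1)) != 22:
            findings.append(Finding("ssh-nonstandard-port", line))
        elif line.startswith("username "):
            findings.append(Finding("new-local-account", line.split()[1]))
        elif line.startswith("no logging"):
            findings.append(Finding("logging-disabled", line))
        elif line == "iox" or line.startswith("app-hosting appid guestshell"):
            findings.append(Finding("guestshell-enabled", line))
        elif sec.startswith("ip access-list"):
            findings.append(Finding("acl-modified", _where(sec, "+", line)))
        else:
            findings.append(Finding("unexpected-change", _where(sec, "+", line)))
    for sec, line in sorted(base - cur):
        if line.startswith("logging host"):  # remote syslog destination dropped
            findings.append(Finding("logging-disabled", _where(sec, "-", line)))
        elif sec.startswith("ip access-list"):
            findings.append(Finding("acl-modified", _where(sec, "-", line)))
        else:
            findings.append(Finding("unexpected-change", _where(sec, "-", line)))
    return findings


if __name__ == "__main__":
    for f in find_indicators(BASELINE_CONFIG, CURRENT_CONFIG):
        print(f"[{f.rule}] {f.detail}")
```

Because the actor disables and clears logging on the device, a config diff is one of the few signals that does not depend on the device's own logs; keep the baseline off-box (for example in a version-controlled backup) so that a tampered device cannot also rewrite the reference it is compared against.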