Full Report
The Chinese nation-state threat group primarily gained access to Cisco devices with legitimate login credentials, according to Cisco Talos. The post Salt Typhoon gained initial access to telecoms through Cisco devices appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Salt Typhoon
## Attribution & Identity
- **Attribution:** Chinese nation-state threat group.
- **Aliases:** Not specified in the provided text, but known for sweeping attacks on U.S. telecom networks.
## Activity Summary
Salt Typhoon has been engaged in sweeping attacks targeting U.S. telecom networks. The group has shown capabilities for long-term persistence, maintaining access to one target environment for over three years. Initial access often involves Cisco devices. While one instance suggested exploitation of an older vulnerability, the primary method observed by Cisco Talos involved using legitimate login credentials to access Cisco devices. Other reports indicate exploitation of vulnerabilities in Cisco IOS XE.
## Tactics, Techniques & Procedures
- Gained initial access to Cisco devices using **legitimate login credentials** in most investigated incidents.
- Likely exploited **[CVE-2018-0171](https://nvd.nist.gov/vuln/detail/cve-2018-0171)** (a seven-year-old critical vulnerability in Cisco IOS XE) in at least one observed instance.
- Exploited **[CVE-2023-20198](https://nvd.nist.gov/vuln/detail/cve-2023-20198)** and **[CVE-2023-20273](https://nvd.nist.gov/vuln/detail/cve-2023-20273)** in Cisco IOS XE (as reported by Recorded Future).
- **Living-off-the-land techniques** utilized to maintain persistent access to telecom network infrastructure (described as a hallmark).
- Actively attempted to acquire additional credentials by reviewing **network device configurations** and checking **local accounts with weak passwords**.
- Captured **network protocol traffic**, including secret keys used between network devices, likely for credential harvesting.
- Continued movement within compromised infrastructure (details truncated).
## Targeting
- **Sectors:** Telecommunications (Telecoms).
- **Geography:** United States (U.S. telecom networks).
- **Victims:** At least five additional telecom networks were recently hit, in addition to compromised infrastructure investigated by Cisco Talos.
## Tools & Infrastructure
- **Malware Families Used:** Not explicitly named in the provided text, but the activities rely on credential access and living-off-the-land techniques.
- **Infrastructure:** Cisco devices (specifically Cisco IOS XE routers/switches) are central to their initial access and persistent operations. (No specific C2 domains or IPs were provided in the excerpt).
## Implications
Salt Typhoon demonstrates a sophisticated, long-term focus on critical telecommunications infrastructure, likely to gain strategic intelligence or position itself for future disruptive operations. Their heavy reliance on credential exploitation and persistence via 'living-off-the-land' techniques makes detection difficult against purely signature-based defenses, highlighting risks associated with credential hygiene and management of network gear.
## Mitigations
- Customers are strongly advised to **patch known vulnerabilities** in network equipment.
- Follow **industry best practices for securing management protocols**.
- Review network device configurations and local accounts for **weak passwords**.
- Monitor for credential harvesting and network protocol traffic captures that may indicate attempts to steal secret keys.