Full Report
The Chinese nation-state threat group intruded five additional telecom networks between December and January, including two unnamed providers in the U.S., Recorded Future researchers said. The post Salt Typhoon remains active, hits more telecom networks via Cisco routers appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Salt Typhoon
## Attribution & Identity
Nation-state threat group linked to the Chinese government.
Known Alias: RedMike (Tracked as such by Recorded Future).
Associated with other known active threat groups affiliated with China’s government.
## Activity Summary
Salt Typhoon remains actively engaged in intrusions, recently hitting multiple global networks, including two in the United States, between early December and late January. Researchers observed seven compromised Cisco network devices communicating with the actor's infrastructure across five telecom networks during this period. The group's ongoing attack spree has been active for up to two years prior to discovery by U.S. officials in late spring of the previous year. Historically, the group gained broad and full access to U.S. telecom networks, stole metadata, geolocated millions of individuals, and directly targeted and stole communications of approximately 100 individuals involved in government or political activities.
## Tactics, Techniques & Procedures
- **Initial Access/Exploitation:** Primarily targeting internet-exposed Cisco network routers.
- **Vulnerability Chaining:** Observed chaining two privilege escalation vulnerabilities in Cisco IOS XE software:
   1. Exploiting **CVE-2023-20198** to create a local user and password.
   2. Using the new account to exploit **CVE-2023-20273** to gain root user privileges.
- Attempted to exploit over 1,000 Cisco routers worldwide since early December.
## Targeting
- **Sectors:** Telecom providers (primary focus), Universities.
- **Geography:** Global, with specific recent activity observed across networks in the United States, Thailand, Italy, and South Africa. The majority of targeted Cisco devices since December were used by telecom providers based in the U.S., South America, and India, spread across more than 100 countries in total. Universities in nine countries, including four in the U.S., were also targeted.
- **Victims:** An unnamed U.S. internet service provider, a U.S. telecom company, a U.S.-based affiliate of a U.K. telecom provider, a large telecom provider in Thailand, an Italy-based ISP, and a South Africa-based telecom provider. Targeted universities potentially related to research in telecom, engineering, and technology.
## Tools & Infrastructure
- **Malware Families Used:** None named in the source report; the group relies heavily on exploiting platform vulnerabilities for access.
- **Infrastructure:** Active use of known Salt Typhoon infrastructure for Command and Control (C2).
## Implications
Salt Typhoon poses an enduring threat due to its nation-state backing and persistent access to critical infrastructure, particularly telecommunications networks globally. Their ability to steal metadata, geolocate individuals, and intercept communications highlights significant intelligence gathering capabilities. Officials have indicated that completely removing the actor from compromised networks may be impossible.
## Mitigations
- Immediately address the known privilege escalation vulnerabilities in Cisco IOS XE software, specifically **CVE-2023-20198** and **CVE-2023-20273**.
- Apply fixes and upgrade to available fixed software releases as urgently recommended by Cisco.
- Adhere to hardening guides provided by Cisco for NX-OS devices and IOS-XE, as advised by U.S. and global officials.
- Increase monitoring of internet-exposed Cisco network devices, especially those running in telecom environments.
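The exploitation chain above starts by creating a local user on the router, and the mitigations call for closer monitoring of internet-exposed IOS XE devices. The following is an added example (not from the CyberScoop report or from Cisco) of how a defender can turn those two points into a repeatable check: it audits a saved `show running-config` for local accounts that are not on an approved list and for an enabled web UI (CVE-2023-20198 is a flaw in the IOS XE web UI, and Cisco's advisory recommends disabling the HTTP Server feature on internet-facing devices; that recommendation is from Cisco's advisory, not from this page). The device config, hostname, account names and approved list are all constructed for the example.

```python
"""Audit a Cisco IOS XE running-config for indicators related to the
CVE-2023-20198 / CVE-2023-20273 chain: unexpected local accounts and an
enabled web UI. Added example; the config below is constructed, not from
any real device, and the approved-user list is a placeholder policy."""
import re
from dataclasses import dataclass

# Constructed sample of `show running-config` output (not a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$placeholder
username svc_mon privilege 1 secret 9 $9$placeholder
username tmp_admin99 privilege 15 secret 9 $9$placeholder
ip http server
ip http secure-server
ip http authentication local
interface GigabitEthernet0/0/0
 description UPLINK-INTERNET
 ip address 198.51.100.2 255.255.255.252
!
"""

# Placeholder approved accounts and their expected privilege levels.
APPROVED_USERS = {"netops": 15, "svc_mon": 1}

USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))?")
HTTP_RE = re.compile(r"^(no )?ip http (secure-)?server\s*$")


@dataclass(frozen=True)
class Finding:
    severity: str
    detail: str


def parse_local_users(config: str) -> dict:
    """Return {username: privilege} for every local account in the config.
    IOS XE defaults a user without an explicit 'privilege' clause to 1."""
    users = {}
    for line in config.splitlines():
        m = USER_RE.match(line.strip())
        if m:
            users[m.group(1)] = int(m.group(2) or 1)
    return users


def enabled_http_services(config: str) -> set:
    """Return the subset of {'http', 'https'} whose server is enabled.
    A 'no ip http ...' line explicitly disables the service."""
    enabled = set()
    for line in config.splitlines():
        m = HTTP_RE.match(line.strip())
        if not m:
            continue
        name = "https" if m.group(2) else "http"
        if m.group(1):
            enabled.discard(name)
        else:
            enabled.add(name)
    return enabled


def audit(config: str, approved: dict = APPROVED_USERS) -> list:
    """Flag unapproved accounts (high if privilege 15, as the exploit chain
    yields), privilege drift on approved accounts, and an enabled web UI."""
    findings = []
    for name, priv in parse_local_users(config).items():
        if name not in approved:
            sev = "high" if priv == 15 else "medium"
            findings.append(Finding(sev, f"unexpected local account {name!r} (privilege {priv})"))
        elif approved[name] != priv:
            findings.append(Finding("medium", f"account {name!r} privilege is {priv}, expected {approved[name]}"))
    services = enabled_http_services(config)
    if services:
        findings.append(Finding("medium", "web UI enabled (" + ", ".join(sorted(services))
                                + "); disable on internet-facing devices"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity.upper()}] {f.detail}")
```

Run it against configs collected on a schedule and diff the findings between runs: a local account that appears between two collections on an internet-exposed device is exactly the artifact the first step of the chain leaves behind, and it should be treated as an incident rather than a configuration nit.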