The advanced persistent threat (APT) group from China, referred to as Salt Typhoon, has been reported to target over a thousand Cisco devices utilized by telecommunications companies, internet service providers, and various academic institutions.
Known by several aliases, including RedMike, Earth Estries, FamousSparrow, GhostEmperor, and UNC2286, Salt Typhoon gained notoriety last autumn after it was linked to intrusions affecting major telecommunications firms in the United States such as T-Mobile, AT&T, and Verizon. The group notably managed to intercept communications related to US law enforcement as well as interactions from both the Democratic and Republican presidential campaigns.
Media scrutiny does not appear to have deterred Salt Typhoon’s operations. Data from Recorded Future’s Insikt Group indicates that the group, tracked under the name “RedMike,” has launched multiple attacks on global communications providers and research universities, particularly exploiting vulnerabilities in Cisco network devices during December and January. It appears this approach may have been utilized previously as well.
Salt Typhoon’s Latest Attacks on Telecoms, Unis
In October 2023, Cisco issued an urgent advisory to its customers, recommending that devices running the IOS XE operating system be taken off the internet because of a newly discovered vulnerability in the web user interface (UI). This flaw, assigned the identifier CVE-2023-20198, allowed an unauthenticated attacker to create local accounts with administrative (privilege level 15) rights, and it received the maximum score of 10 on the Common Vulnerability Scoring System (CVSS).
Shortly thereafter, Cisco identified a second vulnerability, CVE-2023-20273, which was chained with the first to let attackers execute commands with root privileges on compromised devices. This vulnerability received a high score of 7.2 on the CVSS scale.
Despite Cisco’s warnings circulating in the industry, Salt Typhoon exploited these vulnerabilities, infiltrating major organizations across all six inhabited continents. By utilizing the access granted through CVE-2023-20198 and CVE-2023-20273, the group established Generic Routing Encapsulation (GRE) tunnels to connect compromised devices to its infrastructure, thereby facilitating data exfiltration while maintaining a lower risk of detection by security systems.
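As an added, defender-side example that is not part of the article or of any vendor tooling: a small Python check that audits an IOS XE running-config excerpt (constructed here) for the two artifacts the attack chain described above leaves behind, unexpected privilege-15 local accounts and GRE tunnels pointing at unknown destinations. The allowlists of known administrators and known tunnel peers are assumptions a real deployment would fill from its own inventory.

```python
import re

# Constructed sample running-config excerpt (not from the article).
# Tunnel0 is a legitimate site-to-site tunnel; Tunnel99 and the
# second privilege-15 user are the kind of artifacts to look for.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
!
interface Tunnel0
 ip address 10.20.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.7
 tunnel mode gre ip
!
interface Tunnel99
 ip address 10.250.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.45
!
"""

KNOWN_ADMINS = {"netops"}          # assumed inventory of sanctioned admins
KNOWN_TUNNEL_PEERS = {"198.51.100.7"}  # assumed inventory of sanctioned peers


def audit_config(config, known_admins, known_peers):
    """Return (finding_type, detail) tuples for accounts and tunnels not in the allowlists."""
    findings = []
    # Any privilege-15 local user not in the inventory is worth a look.
    for m in re.finditer(r"^username (\S+) privilege 15\b", config, re.M):
        if m.group(1) not in known_admins:
            findings.append(("unexpected-priv15-account", m.group(1)))
    # Each tunnel stanza runs from "interface TunnelN" to the next "!" line.
    for m in re.finditer(r"^interface (Tunnel\d+)\n(.*?)^!", config, re.M | re.S):
        name, body = m.group(1), m.group(2)
        dest = re.search(r"tunnel destination (\S+)", body)
        mode = re.search(r"tunnel mode (\S+)", body)
        # GRE over IP is the IOS XE default, so a missing "tunnel mode" line
        # still means GRE; only an explicit non-GRE mode rules it out.
        is_gre = mode is None or mode.group(1) == "gre"
        if is_gre and dest and dest.group(1) not in known_peers:
            findings.append(("unexpected-gre-tunnel", f"{name}->{dest.group(1)}"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_config(SAMPLE_CONFIG, KNOWN_ADMINS, KNOWN_TUNNEL_PEERS):
        print(f"{kind}: {detail}")
```

The same check can be run against `show running-config` output collected from every IOS XE device, with the two allowlists maintained alongside the device inventory.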
While the full timeline of Salt Typhoon’s involvement with Cisco devices might not be completely known, its recent engagements point to an ongoing strategy targeting telecommunications entities.
Jon Condra, the senior director of strategic intelligence at Recorded Future, notes that detailed information surrounding the September 2024 intrusions related to Salt Typhoon and US telecommunications providers remains scarce. CISA’s guidance released in December 2024 suggested exploitation of Cisco devices in these incidents without offering specific details. Historically, Chinese APT groups have often targeted Cisco devices, indicating a pattern of persistent vulnerability.
Salt Typhoon’s Latest Cyberattack Victims
The recent campaigns have impacted a variety of organizations, including a US branch of a UK telecommunications company, an American ISP, an Italian internet service provider, a South African telecom operator, a Thai telecom company, and Mytel, a major player in Myanmar’s telecom sector.
Zach Edwards, a senior threat researcher at Silent Push, highlights the complexity of telecommunications systems, often described as intricate and sometimes outdated structures. He emphasizes that the existence of older vulnerable technologies in many telecom systems can lead to exploitation, as they often cannot be easily replaced.
In addition to targeting telecoms and ISPs, Salt Typhoon has infiltrated 13 academic institutions, including prominent universities such as UCLA and several others across the United States and internationally in regions like Argentina, Indonesia, and the Netherlands. It’s noteworthy that many of these universities conduct research in telecommunications and technology fields.
Overall, the impact of these cyberattacks spans over 100 nations, with a significant concentration of compromised devices in South America, India, and primarily the United States.
Condra from Recorded Future asserts that while previous discussions about Salt Typhoon have centered on its activities in the US, the group’s operations have a much wider geographic footprint. The global targeting reflects China’s strategic interest in accessing sensitive networks for espionage and potentially disrupting data flows, as well as positioning itself for possible action amid rising geopolitical tensions.
Source: www.darkreading.com